A breach without a response plan is expensive. A breach with a response plan is contained. The difference — in regulatory fines, customer trust, and remediation cost — is measurable and significant. NIST CSF Respond provides the structure for building that plan before you need it.
In NIST CSF 2.0, Respond has four categories that mirror the lifecycle of an incident: management (declaring and managing the incident), analysis (understanding what happened), communication (telling the right people at the right time), and mitigation (containing and eradicating the threat). Most SMB incident response failures trace back to RS.MA — either the plan doesn’t exist, or nobody knows where it is when an incident occurs.
Regulatory timelines are unforgiving. HIPAA’s 60-day breach notification window, state laws with 30-day requirements, and the SEC’s 4-business-day material incident disclosure rule all require pre-existing process — you cannot build notification capability during an active breach. RS.CO is the category that maps to these obligations.
The 4 Respond Categories
Common SMB Gaps in the Respond Function
- No written incident response plan — decisions get made ad hoc under pressure, which consistently leads to slower containment and regulatory violations.
- Unclear decision authority: nobody knows who can authorize taking systems offline, which delays containment while the breach expands.
- No pre-identified legal counsel or breach coach — engaging them for the first time during an incident wastes critical hours.
- No forensic capability or preservation procedure — first responders destroy evidence by trying to clean systems before documenting the compromise.
- No notification templates — RS.CO requires pre-drafted communications that legal has reviewed, not improvised messages during a crisis.
- IR plan never tested — tabletop exercises reveal gaps in a controlled environment rather than during a real incident where the cost is real.
Regulatory Notification Requirements
NIST CSF does not set notification timelines, but RS.CO maps directly to obligations that do. HIPAA requires covered entities to notify affected individuals within 60 days of breach discovery, HHS within 60 days, and the media for breaches affecting 500+ individuals in a single state. Most state breach notification laws require 30-day or 72-hour notice. If your organization accepts payment cards, PCI-DSS requires notification to your acquiring bank within 24 hours of suspected compromise.
The common thread: all of these timelines are measured from discovery, not from breach. An organization with a mature Detect function discovers breaches early, which compresses how much of the notification window is already consumed before you even start your RS.CO process. Detect and Respond are architecturally linked.