The NIST Cybersecurity Framework – The Recover Function

Kyle Daun
Jul 19, 2018 10:30:00 AM


NIST Cybersecurity Framework – The Recover Function

You made it! The hard work and determination to protect your organizational assets has paid off. You were able Respond to the cybersecurity event and mitigate the long-lasting damages that the cybercriminals tried to employ on you. Now that the event is contained and eradicated, recovery operations can begin, and the fifth and final function can be initiated, which is Recover. The NIST Cybersecurity framework defines the Recover category as; "Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event." The Recover function is further broken down into three categories (outlined below), which identify specific areas that organizations should consider in their risk management analysis. Of the 98 subcategories within the NIST Cybersecurity framework, 6 are addressed within the Recover function.

  • Recovery Planning (RC.RP): Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events.
  • Improvements (RC.IM): Recovery planning and processes are improved by incorporating lessons learned into future activities.
  • Communications (RC.CO): Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors.

Being able to effectively plan is a critical component to an organization’s preparedness in the event of a cyber security event. As part of the organization’s information security program, recovery planning enables personnel to understand system dependencies; identify critical personnel such as crisis management and incident management roles; arrange for alternate communication channels, services, and facilities; and other aspects of the business continuity plan. Planning allows organizations to explore “what if” scenarios, which might be based on cyber events that have impacted other organizations, to be able to better develop a customized cyber event playbook. Thinking about each scenario helps the organization to evaluate the impact, response activities, and recovery processes before an actual cyber event occurs. Practicing these exercises will help identify gaps before a cyber security event occurs, reducing the impact.

NIST has authored the “Guide for Cybersecurity Event Recovery” NIST SP 800-184, which is available free of charge from: This publication outlines planning for cyber event recovery, building a playbook, checklist items that should be included in a playbook, and even some examples of recovery scenarios. Compared to other publications, this is a light read of only 53 pages but will assist an organization greatly in developing a complete and robust recovery program.

If this blog peaked your interest feel free to download a copy of the framework at the official website Since this is the fifth and final function that will be discussed about the NIST Cyber Security Framework you can revisit previous blogs about the other four functions by clicking on the function you would like to visit. Identify, Protect, Detect, and Respond.

Each organization is unique and has unique needs when it comes to their Information Security Program. To learn more about our NIST Cybersecurity Framework service offerings and discuss your specific situation, please don’t hesitate to contact us today.

You May Also Like

These Stories on Cybersecurity

Subscribe by Email

No Comments Yet

Let us know what you think