FIRST CSIRT Services Framework (Version 2.1)

The Computer Security Incident Response Team (CSIRT) Services Framework is a high-level document describing in a structured way a collection of cyber security services and associated functions that Computer Security Incident Response Teams and other teams providing incident management related services may provide.

The mission and purpose of the CSIRT Services Framework is to facilitate the establishment and improvement of CSIRT operations, especially in supporting teams that are in the process of choosing, expanding, or improving their service portfolio. The services described are those potential services a CSIRT could provide. No CSIRT is expected to provide all described services. Each team will need to choose services that support their mission and constituents, as described by their mandate.

The Framework seeks to assist teams by identifying and defining core categories of services and their sub-components. This includes a title and description for each service, sub-service, function, and optionally sub-function – as appropriate. This document is a starting point to provide a consistent service framework that identifies a standard set of terms and definitions to be used across the community.