
The Sector CSIRT Framework: Developing Sector-Based Incident Response Capabilities

June 2021 Technical Report
Justin Novak, Brittany Manley, David McIntire, Sharon Mudd, Angel Luis Hueca, Tracy Bills

This framework guides the development and implementation of a sector CSIRT.


Software Engineering Institute



The U.S. Department of State, Office of the Coordinator for Cyber Issues commissioned the Software Engineering Institute (SEI) to create the Sector CSIRT Framework for (1) developing a sector-based computer security incident response and coordination capability and (2) integrating this capability into a larger national cybersecurity ecosystem as applicable. The framework is a guide for helping interested parties develop the policies, processes, and procedures necessary to operationalize a sector Computer Security Incident Response Team (CSIRT), a uniquely adapted, specialized incident response team. The framework outlines a process that moves the sector CSIRT from concept to reality. The framework helps the team developing the sector CSIRT understand the current conditions of incident response in the sector (i.e., the as-is state) and how to move it to a robust operating state (i.e., the to-be state). It bridges the gap between these two states using a well-defined roadmap and implementation process.

The Sector CSIRT Framework is intended for individuals and organizations—including CSIRT managers, national CSIRTs, and others—who are developing or implementing a sector CSIRT. Using this framework, these individuals or organizations can move a sector CSIRT from a concept to the reality of a fully operational team.