Require the developer of the system, system component, or system service to provide an incident response plan.