


Control Acronym



Incident Response

CMMC Level


800-171 Control #


CMMC Description

Detect and report events.

CMMC Clarification

Detect events on your network. An event is any observable occurrence on the network. You can detect events several ways, including through:

* observations of breakdowns in processes or loss in productivity
* observations such as alarms and alerts, notification from other organizations
* the results of audits or assessments.

After you detect an event, determine if it will affect organizational assets and/or has the potential to disrupt operations. This may require the start of the incident process.

Example

You are in charge of IT operations for your company. As part of your role, you should track events on your network. You should also be a collection point for your coworkers to send you suspected events. When you discover or receive a report of an event, you should tell the person who will need to act on the detected event.

800-171 Description

800-171 Discussion


Other Source Discussion

CERT RMM V1.2

The monitoring, identification, and reporting of events are the foundation for incident identification and commence the incident life cycle. Events potentially affect the productivity of organizational assets and, in turn, associated services. These events must be captured and analyzed so that the organization can determine whether an event will become (or has become) an incident that requires organizational action. The extent to which an organization can identify events improves its ability to manage and control incidents and their potential effects.

CIS Control References

CIS Controls v7.1 19.4

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 IR-6

CMMC Derived

NIST CSF Control References

NIST 800-171 References

Applicable FAR Clause

NIST CSF Control Reference

NIST CSF v1.1 DE.CM-1, DE.CM-2, DE.CM-3, RS.CO-2

CERT RMM Reference


Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference


Assessment Sub-Criteria 1

IR.2.093.[a] the organization has a process for identifying methods for event detection; and

Assessment Sub-Criteria 2

IR.2.093.[b] the organization can provide a process for reporting events so that they can be triaged, analyzed, and addressed.
