IR.2.094

Control Acronym

IR

Family

Incident Response

CMMC Level

2

800-171 Control #

N/A

CMMC Description

Analyze and triage events to support event resolution and incident declaration.

CMMC Clarification

Analyze events to determine what to do. Categorize, prioritize, or group events to determine how to handle the event. You can take different actions in response to an event: * declare an incident from the event * escalate it to someone outside the organization * close the event because it does not have a large consequence on the organization. Example You are in charge of IT operations for your company. As part of your role, you are the collection point for events. You should analyze all events to determine what actions to take. Through analysis, you should determine: * the type and extent of an event (e.g., physical versus technical) * whether the event is related to other events (to determine if they are part of a larger issue, problem, or incident) * in what order events should be addressed.

800-171 Description

800-171 Discussion

N/A

Other Source Discussion

CERT RMM V1.2 The triage of event reports is an analysis activity that helps the organization to gather additional information for event resolution and to assist in incident declaration, handling, and response. Triage consists of categorizing, correlating, prioritizing, and analyzing events. Through triage, the organization determines the type and extent of an event (e.g., physical versus technical), whether the event correlates to other events (to determine if they are symptomatic of a larger issue, problem, or incident), and in what order events should be addressed or assigned for incident declaration, handling, and response. Triage also helps the organization to determine if the event needs to be escalated to other organizational or external staff (outside of the incident management staff) for additional analysis and resolution. Some events will never proceed to incident declaration the organization determines these events to be inconsequential. For events that the organization deems as low priority or of low impact or consequence, the triage process results in closure of the event and no further actions are performed. Events that exit the triage process warranting additional attention may be referred to additional analysis processes for resolution or declared as an incident and subsequently referred to incident response processes for resolution. These events may be declared as incidents during triage, through further event analysis, through the application of incident declaration criteria, or during the development of response strategies, depending on the organization’s incident criteria, the nature and timing of the event(s), and the consequences of the event that the organization is currently experiencing or that is imminent.

CIS Control References

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 IR-4(3)

CMMC Derived

NIST CSF Control References

NIST 800-171 References

Applicable FAR Clause

NIST CSF Control Reference

CERT RMM Reference

CERT RMM v1.2 IMC:SG2.SP4

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference

Assessment Sub-Criteria 1

IR.2.094.[a] the organization analyzes events;

Assessment Sub-Criteria 2

IR.2.094.[b] the organization performs correlation analysis on events;

Assessment Sub-Criteria 3

IR.2.094.[c] the organization assigns a disposition to events;

Assessment Sub-Criteria 4

IR.2.094.[d] the organization provides a process for reporting events so that they can be triaged, analyzed, and addressed; and

Assessment Sub-Criteria 5

IR.2.094.[e] the organization escalates events to the appropriate stakeholders, as needed.

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15