


Control Acronym



Incident Response

CMMC Level


800-171 Control #


CMMC Description

Perform root cause analysis on incidents to determine underlying causes.

CMMC Clarification

Examine the causes of the event or incident and how your organization responded to it. Look at the administrative, technical, and physical control weaknesses. These may have allowed the incident to occur. Use available practices, such as cause-and-effect diagrams, to perform root-cause analysis. This will prevent future similar incidents. After incidents are resolved, conduct reviews and capture lessons learned. Make improvements based on the outcomes of these activities, such as updating plans or controls.

Example

You are in charge of IT operations for your company. As part of your role, you manage incident response. After incidents are resolved, you and your team conduct a root cause analysis. Doing this analysis helps you determine the underlying causes of declared incidents. Based on what you learn from the analysis, you can make changes to your network to prevent similar incidents.

800-171 Description

800-171 Discussion


Other Source Discussion

CERT RMM V1.2

Post-incident review is a formal part of the incident closure process. The organization conducts a formal examination of the causes of the incident and the ways in which the organization responded to it, as well as the administrative, technical, and physical control weaknesses that may have allowed the incident to occur. Post-incident review should include a significant root-cause analysis process. The organization should employ commonly available techniques (such as cause-and-effect diagrams) to perform root-cause analysis as a means of potentially preventing future incidents of similar type and impact. Considerations of other processes that may have caused or aided the incident should be given, particularly as they may exist in processes such as change management and configuration management.

CIS Control References

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 AU-2

CMMC Derived

NIST CSF Control References

NIST 800-171 References

Applicable FAR Clause

NIST CSF Control Reference


CERT RMM Reference


Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSC Cyber Reference

AS ACSC Reference


Assessment Sub-Criteria 1

IR.2.097.[a] the organization has a post-incident response activity; and

Assessment Sub-Criteria 2

IR.2.097.[b] the organization determines the root cause of incidents.
