IR
Incident Response
3
3.6.2
Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.
Incident response is the process an organization executes to manage the consequences of a security breach or cyberattack and to reduce the resulting risk. The majority of the process consists of identifying, containing, eradicating, and recovering from the incident. During this process it is essential for an organization to track the work required to respond effectively. The organization should designate a central hub to serve as the point to coordinate, communicate, and track activities. The hub should receive and document information from system administrators, incident handlers, and others involved throughout the process. As the incident process moves toward eradication, the organization's executives, affected business units, and any required external stakeholders should be kept aware of the incident so they can make decisions affecting the business. Designated staff members should also be assigned to work with executives to provide communications outside the organization in the event they are needed.

Example

As a database administrator, you notice unusual activity on a server and determine that a potential security incident has occurred. You open a tracking ticket with the Security Operations Center (SOC). The SOC assigns an incident handler to work the ticket. The incident handler investigates, collects artifacts, and documents initial findings. As a result of the investigation, the incident handler determines that unauthorized access occurred on the database server. The SOC establishes a team to manage the incident. The team consists of security, database, network, and system administrators. The team meets daily to update progress and plan courses of action to contain the incident. At the end of the day the team provides a status report to IT executives. Two days later the team declares the incident contained. The team produces a final report as the database system is rebuilt and placed back into operations.
Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.
Tracking and documenting system security incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics, evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources including incident reports, incident response teams, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports. Reporting incidents addresses specific incident reporting requirements within an organization and the formal incident reporting requirements for the organization. Suspected security incidents may also be reported and include the receipt of suspicious email communications that can potentially contain malicious code. The types of security incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, Executive Orders, directives, regulations, and policies. [SP 800-61] provides guidance on incident handling.
N/A
CIS Controls v7.1 19.4
NIST SP 800-53 Rev 4 IR-6, IR-7
NIST SP 800-171 Rev 1 3.6.2
NIST CSF v1.1 RS.CO-2, RS.CO-3
CERT RMM v1.2 IMC:SG2.SP2
IR.3.098.[a] incidents are tracked;
IR.3.098.[b] incidents are documented;
IR.3.098.[c] authorities to whom incidents are to be reported are identified;
IR.3.098.[d] organizational officials to whom incidents are to be reported are identified;
IR.3.098.[e] identified authorities are notified of incidents; and
IR.3.098.[f] identified organizational officials are notified of incidents.