Back to Control Explorer



Control Acronym



Incident Response

CMMC Level


800-171 Control #


CMMC Description

Establish and maintain a security operations center capability that facilitates a 24/7 response capability.

CMMC Clarification

As an organization matures it should dedicate resources to provide ongoing situational awareness. A security operations center (SOC) provides awareness through the ongoing collection of logs from the organization’s various defensive capabilities on its network and endpoints. The SOC processes the logs and any associated alerts in order to quickly identify and remediate threats before more damage is caused. Thus, ongoing monitoring is key to an effective cyber posture. In addition to technology a SOC must be staffed by the appropriate personnel to ensure data is collected, analyzed, and investigated. A SOC might be a physical facility, an organizational construct, or a managed service. Regardless of the SOC organization, it must enable a 24 hours a day, seven days a week response capability. An organization can determine how best to staff and create the response capability 24/7 on-site staffing may not be required. Example You are the senior manager responsible for the organization’s incident response. You have coordinated with a CMMC compliant third-party security services provider to include your organization in that provider’s security operation center (SOC) coverage. The third-party SOC has established direct lines of communication between the SOC and your organization’s incident response capability to effectively integrate the SOC into your organization’s cybersecurity capabilities. ADDITIONAL READING NIST SP 800-61 provides guidance on incident handling. NIST SP 800-86 and SP 800-101 provide guidance on integrating forensic techniques into incident response. NIST SP 800-150 provides guidance on cyber threat information sharing. NIST SP 800-184 provides guidance on cybersecurity event recovery. Ten Strategies of a World-class Cybersecurity Operations Center: SANS Common and Best Practices for Security Operations Centers: Results of the 2019 SOC Survey: DHS Cyber Resilience Review Supplemental Resource Guide Volume 5 Incident Management: /CRR_Resource_Guide-IM.pdf

800-171 Description

800-171 Discussion


Other Source Discussion

DRAFT NIST SP 800-171B (MODIFIED) A security operations center (SOC) is the focal point for security operations and computer network defense for an organization. The purpose of the SOC is to defend and monitor an organization’s systems and networks (i.e., cyber infrastructure) on an ongoing basis. The SOC is also responsible for detecting, analyzing, and responding to cybersecurity incidents in a timely manner. The SOC is staffed with skilled technical and operational personnel (e.g., security analysts, incident response personnel, systems security engineers) implements technical, management, and operational controls (including monitoring, scanning, and forensics tools) to monitor, fuse, correlate, analyze, and respond to threat and security relevant event data from multiple sources. Sources include perimeter defenses, network devices (e.g., gateways, routers, switches) and endpoint agent data feeds. The SOC provides a holistic situational awareness capability to help organizations determine the security posture of the system and organization. A SOC capability can be obtained in a variety of ways. Larger organizations may implement a dedicated SOC while smaller organizations may employ third-party organizations to provide such capability.

CIS Control References

NIST 800-53 Control Ref.

CMMC Derived

NIST CSF Control References

NIST 800-171 References

Applicable FAR Clause

NIST CSF Control Reference

CERT RMM Reference

Modification of NIST 800-171B Reference

CMMC modification of Draft NIST SP 800-171B 3.6.1e

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference


Assessment Sub-Criteria 1

Assessment Sub-Criteria 2

Assessment Sub-Criteria 3

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15