IR
Incident Response
4
N/A
Establish and maintain a security operations center capability that facilitates a 24/7 response capability.
As an organization matures it should dedicate resources to provide ongoing situational awareness. A security operations center (SOC) provides awareness through the ongoing collection of logs from the organization’s various defensive capabilities on its network and endpoints. The SOC processes the logs and any associated alerts in order to quickly identify and remediate threats before more damage is caused. Thus, ongoing monitoring is key to an effective cyber posture. In addition to technology, a SOC must be staffed by the appropriate personnel to ensure data is collected, analyzed, and investigated. A SOC might be a physical facility, an organizational construct, or a managed service. Regardless of how the SOC is organized, it must enable a 24 hours a day, seven days a week response capability. An organization can determine how best to staff and create the response capability; 24/7 on-site staffing may not be required.

Example
You are the senior manager responsible for the organization’s incident response. You have coordinated with a CMMC compliant third-party security services provider to include your organization in that provider’s security operations center (SOC) coverage. The third-party SOC has established direct lines of communication between the SOC and your organization’s incident response capability to effectively integrate the SOC into your organization’s cybersecurity capabilities.

ADDITIONAL READING
NIST SP 800-61 provides guidance on incident handling.
NIST SP 800-86 and SP 800-101 provide guidance on integrating forensic techniques into incident response.
NIST SP 800-150 provides guidance on cyber threat information sharing.
NIST SP 800-184 provides guidance on cybersecurity event recovery.
Ten Strategies of a World-class Cybersecurity Operations Center: https://www.mitre.org/sites/default/files/publications/pr-13-1028-mitre-10-strategiescyber-ops-center.pdf
SANS Common and Best Practices for Security Operations Centers: Results of the 2019 SOC Survey: https://www.sans.org/media/analyst-program/common-practices-securityoperations-centers-results-2019-soc-survey-39060.pdf
DHS Cyber Resilience Review Supplemental Resource Guide Volume 5 Incident Management: https://www.us-cert.gov/sites/default/files/c3vp/crr_resources_guides/CRR_Resource_Guide-IM.pdf
N/A
DRAFT NIST SP 800-171B (MODIFIED)
A security operations center (SOC) is the focal point for security operations and computer network defense for an organization. The purpose of the SOC is to defend and monitor an organization’s systems and networks (i.e., cyber infrastructure) on an ongoing basis. The SOC is also responsible for detecting, analyzing, and responding to cybersecurity incidents in a timely manner. The SOC is staffed with skilled technical and operational personnel (e.g., security analysts, incident response personnel, systems security engineers) and implements technical, management, and operational controls (including monitoring, scanning, and forensics tools) to monitor, fuse, correlate, analyze, and respond to threat and security relevant event data from multiple sources. Sources include perimeter defenses, network devices (e.g., gateways, routers, switches), and endpoint agent data feeds. The SOC provides a holistic situational awareness capability to help organizations determine the security posture of the system and organization. A SOC capability can be obtained in a variety of ways. Larger organizations may implement a dedicated SOC, while smaller organizations may employ third-party organizations to provide such capability.
CMMC modification of Draft NIST SP 800-171B 3.6.1e