Back to Control Explorer



Control Acronym



Incident Response

CMMC Level


800-171 Control #


CMMC Description

Use a combination of manual and automated, real-time responses to anomalous activities that match incident patterns.

CMMC Clarification

To gain an advantage the organization should have pre-defined steps to reduce the risk from someone conducting a known pattern of malicious activity. The steps could be a manual checklist or automated series of actions using scripts or other technology. Organizations may call these pre-defined or automated lists a playbook or runbook. They help to establish a formalized incident response that can be performed. Organizations should balance the speed of response against the possibility of unintended side-effects in determining whether automated responses are appropriate. Example You are the security operations center (SOC) lead for your organization. Recently your organization has had a problem with staff inserting personal USB drives in their computers. The SOC has had to wait for the Helpdesk notification to respond. To reduce the response time to these incidents you build a workflow to respond to the use of personal USBs. First you identify the USB events from the host detection tool. The events are forwarded to the SOC event management application. Once identified, you create an alert that is triggered when the USB event is detected. You create a script to call the host detection management API to block further use of a personal USB. ADDITIONAL READING NIST Computer Security Incident Handling Guide: Integrated Adaptive Cyber Defense:

800-171 Description

800-171 Discussion


Other Source Discussion

Response activities are necessary because the defenders of an organization’s information technology tend to be at a disadvantage compared to the attacker. Defenders must maintain awareness of the latest vulnerabilities, be aware of the vulnerabilities in the organization, have the vulnerabilities remediated, and respond if an attacker finds a vulnerability before it is remediated. Once a vulnerability is discovered, the attacker tends to operates faster than a defender can match. To reduce the time to mitigate an organization should have plans in place to mitigate an attack. Plans must be comprehensive of manual and automated responses.

CIS Control References

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 IR-4(1)

CMMC Derived


NIST CSF Control References

NIST 800-171 References

Applicable FAR Clause

NIST CSF Control Reference

CERT RMM Reference

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference


Assessment Sub-Criteria 1

Assessment Sub-Criteria 2

Assessment Sub-Criteria 3

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15