Reference: CMMC 1.02
Level Introduced: 2
Detect and report events.
Detect events on your network. An event is any observable occurrence on the network. You can detect events several ways, including through:
â€¢ observations of breakdowns in processes or loss in productivity;
â€¢ observations such as alarms and alerts, notification from other organizations; and
â€¢ the results of audits or assessments.
After you detect an event, determine if it will affect organizational assets and/or has the potential to disrupt operations. This may require the start of the incident process.
You are in charge of IT operations for your company. As part of your role, you should track events on your network. You should also be a collection point for your coworkers to send you suspected events. When you discover or receive a report of an event, you should tell the person who will need to act on the detected event.
a. Requires personnel to report suspected security incidents to the organizational incident response capability within [Assignment: organization-defined time period]; and
b. Reports security incident information to [Assignment: organization-defined authorities].
The intent of this control is to address both specific incident reporting requirements within an organization and the formal incident reporting requirements for federal agencies and their subordinate organizations. Suspected security incidents include, for example, the receipt of suspicious email communications that can potentially contain malicious code. The types of security incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Current federal policy requires that all federal agencies (unless specifically exempted from such requirements) report security incidents to the United States Computer Emergency Readiness Team (US-CERT) within specified time frames designated in the US-CERT Concept of Operations for Federal Cyber Security Incident Handling. Related controls: IR-4, IR-5, IR-8.