Level 5 CMMC - CMMC Practices


Reference: CMMC 1.02

Family: IR

Level Introduced: 2

Analyze and triage events to support event resolution and incident declaration.

CMMC Clarification:
Analyze events to determine what to do. Categorize, prioritize, or group events to determine how to handle the event. You can take different actions in response to an event:
• declare an incident from the event;
• escalate it to someone outside the organization; and
• close the event because it does not have a large consequence on the organization.

You are in charge of IT operations for your company. As part of your role, you are the collection point for events. You should analyze all events to determine what actions to take. Through analysis, you should determine:
• the type and extent of an event (e.g., physical versus technical);
• whether the event is related to other events (to determine if they are part of a larger
issue, problem, or incident); and
• in what order events should be addressed.
Analysis also helps the organization determine whether to escalate the event to external staff. If so, the external staff can perform analysis and resolution.

IR-4 (3)


The organization identifies [Assignment: organization-defined classes of incidents] and [Assignment: organization-defined actions to take in response to classes of incidents] to ensure continuation of organizational missions and business functions.

Supplemental Guidance:
Classes of incidents include, for example, malfunctions due to design/implementation errors and omissions, targeted malicious attacks, and untargeted malicious attacks. Appropriate incident response actions include, for example, graceful degradation, information system shutdown, fall back to manual mode/alternative technology whereby the system operates differently, employing deceptive measures, alternate information flows, or operating in a mode that is reserved solely for when systems are under attack.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02