Level 5 CMMC - CMMC Practices

IR.2.096

Reference: CMMC 1.02

Family: IR

Level Introduced: 2

Practice:
Develop and implement responses to declared incidents according to pre-defined procedures.

CMMC Clarification:
Write procedures ahead of time to use when responding to incidents. These procedures will help guide the development and implementation of responses during an incident. Responses should prevent or contain the impact of an incident while it is occurring or shortly after. The type of response will vary depending on the incident. Response actions might include:
• stopping or containing the damage (e.g., by taking hardware or systems offline);
• communicating to users (e.g., avoid opening a specific type of email message);
• communicating to stakeholders (e.g., corporate management); and
• implementing controls (e.g., updating access control lists).

Example
You are in charge of IT operations for your company. In this role, you manage all declared incidents. You have procedures in place for handling different types of declared incidents. For example, when you identify a phishing email incident, you have a process in place: you notify the company about the suspicious email and tell staff what to do if they receive it.

IR-4

INCIDENT HANDLING

Description:
The organization:
    a. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;
    b. Coordinates incident handling activities with contingency planning activities; and
    c. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly.

Supplemental Guidance:
Organizations recognize that incident response capability is dependent on the capabilities of organizational information systems and the mission/business processes being supported by those systems. Therefore, organizations consider incident response as part of the definition, design, and development of mission/business processes and information systems. Incident-related information can be obtained from a variety of sources including, for example, audit monitoring, network monitoring, physical access monitoring, user/administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including, for example, mission/business owners, information system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive (function). Related controls: AU-6, CM-6, CP-2, CP-4, IR-2, IR-3, IR-8, PE-6, SC-5, SC-7, SI-3, SI-4, SI-7.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02