Level 5 CMMC - CMMC Practices

IR.3.098  

Reference: CMMC 1.02

Family: IR

Level Introduced: 3

Practice:
Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.

CMMC Clarification:
Incident response is a process an organization executes to manage the consequences and reduce the risk as a result of a security breach or cyberattack. The majority of the process
consists of identification, containment, eradication, and recovery of the incident. During this process it is essential for an organization to track the work processes required in order to effectively respond. During the process the organization should designate a central hub to serve as the point to coordinate, communicate, and track activities. The hub should receive and document information from system administrators, incident handlers, and others involved throughout the process. As the incident process moves toward eradication the organization’s executives, affected business units, and any required external stakeholders should be kept aware of the incident in order to make decisions affecting the business. Designated staff members should also be assigned to work with executives to provide communications outside the organization in event it is needed.

Example
As a database administrator you notice unusual activity on a server and determine a potential security incident has occurred. You open a tracking ticket with the Security Operations Center (SOC). The SOC assigns an incident handler to work the ticket. The incident handler investigates, collects artifacts, and documents initial findings. As a result of the investigation the incident handler determines unauthorized access occurred on the database server. The SOC establishes a team to manage the incident. The team consists of security, database, network, and system administrators. The team meets daily to update progress and plan courses of action to contain the incident. At the end of the day the team provides a status report to IT executives. Two days later the team declares the incident contained. The team produces a final report as the database system is rebuilt and placed back into operations.

3.6.2

Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.

Discussion:
Tracking and documenting system security incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics, evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources including incident reports, incident response teams, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports.

Reporting incidents addresses specific incident reporting requirements within an organization and the formal incident reporting requirements for the organization. Suspected security incidents may also be reported and include the receipt of suspicious email communications that can potentially contain malicious code. The types of security incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, Executive Orders, directives, regulations, and policies.

[SP 800-61] provides guidance on incident handling.

Source: NIST Special Publication 800-171 Rev. 2

IR-6

INCIDENT REPORTING

Description:
The organization:
    a. Requires personnel to report suspected security incidents to the organizational incident response capability within [Assignment: organization-defined time period]; and
    b. Reports security incident information to [Assignment: organization-defined authorities].

Supplemental Guidance:
The intent of this control is to address both specific incident reporting requirements within an organization and the formal incident reporting requirements for federal agencies and their subordinate organizations. Suspected security incidents include, for example, the receipt of suspicious email communications that can potentially contain malicious code. The types of security incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Current federal policy requires that all federal agencies (unless specifically exempted from such requirements) report security incidents to the United States Computer Emergency Readiness Team (US-CERT) within specified time frames designated in the US-CERT Concept of Operations for Federal Cyber Security Incident Handling. Related controls: IR-4, IR-5, IR-8.

IR-7

INCIDENT RESPONSE ASSISTANCE

Description:
The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents.

Supplemental Guidance:
Incident response support resources provided by organizations include, for example, help desks, assistance groups, and access to forensics services, when required. Related controls: AT-2, IR-4, IR-6, IR-8, SA-9.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02