Level 5 CMMC - CMMC Practices

IR.5.108  

Reference: CMMC 1.02

Family: IR

Level Introduced: 5

Practice:
Establish and maintain a cyber incident response team that can investigate an issue physically or virtually at any location within 24 hours.

CMMC Clarification:
An organization must have a team of individuals available to respond to a security incident within 24 hours. In the event of an incident, the incident response team may need access to the network device or endpoint to investigate potential incidents. The response team may be able to perform the investigation virtually, or triage and quarantine virtually until local personnel can assist. The response team coordinates with information technology help desk personnel, system administrators, and physical security as appropriate to respond to an incident.

Example
You are the on-call cyber analyst for the organization’s security operations center (SOC). During the night you receive a high-priority notification. You quickly identify the source of the alert. A system in the London office indicates a potential compromise. You follow the SOC runbooks and execute the required incident response process. You send several commands to the system to collect running processes, dump the system memory, and identify new files. The data is collected back at the SOC in Chicago. Your initial analysis indicates the system should be isolated to mitigate any risk, so you run the script that isolates the system on the network. The system is placed into a remediation VLAN for additional investigation. You send an update to the system administrators in London and mark the incident for follow-up by the morning shift SOC analysts in Chicago. At the start of your next shift, you see in the notes that the SOC analysts worked with the system administrators in London to resolve the incident.

Additional Reading
Ten Strategies of a World-class Cybersecurity Operations Center: https://www.mitre.org/sites/default/files/publications/pr-13-1028-mitre-10-strategies-cyber-ops-center.pdf
SANS Common and Best Practices for Security Operations Centers: Results of the 2019 SOC Survey: https://www.sans.org/media/analyst-program/common-practices-security-operations-centers-results-2019-soc-survey-39060.pdf
DHS Cyber Resilience Review Supplemental Resource Guide Volume 5 Incident Management: https://www.us-cert.gov/sites/default/files/c3vp/crr_resources_guides/CRR_Resource_Guide-IM.pdf

3.6.2e

Establish and maintain a cyber incident response team that can be deployed by the organization within [Assignment: organization-defined time period].

Discussion:
A cyber incident response team (CIRT) is a team of experts that assesses, documents, and responds to cyber incidents so that organizational systems can recover quickly and implement the necessary controls to avoid future incidents. CIRT personnel include, for example, forensic analysts, malicious code analysts, systems security engineers, and real-time operations personnel. The incident handling capability includes performing rapid forensic preservation of evidence and analysis of and response to intrusions. The team members may or may not be full-time but need to be available to respond in the time period required. The size and specialties of the team are based on known and anticipated threats. The team is typically pre-equipped with the software and hardware (e.g., forensic tools) necessary for rapid identification, quarantine, mitigation, and recovery and is familiar with how to preserve evidence and maintain chain of custody for law enforcement or counterintelligence uses. For some organizations, the CIRT can be implemented as a cross-organizational entity or as part of the Security Operations Center (SOC).

[SP 800-61] provides guidance on incident handling. [SP 800-86] and [SP 800-101] provide guidance on integrating forensic techniques into incident response. [SP 800-150] provides guidance on cyber threat information sharing. [SP 800-184] provides guidance on cybersecurity event recovery.

Source: NIST Special Publication 800-172 (Draft)

Source: CMMC v1.02