Requirement text: IR.2.093: Detect and report events.
DISCUSSION FROM SOURCE: CERT RMM V1.2
The monitoring, identification, and reporting of events are the foundation for incident
identification and commence the incident life cycle. Events potentially affect the
productivity of organizational assets and, in turn, associated services. These events must be
captured and analyzed so that the organization can determine whether an event will become
(or has become) an incident that requires organizational action. The extent to which an
organization can identify events improves its ability to manage and control incidents and
their potential effects.
CMMC CLARIFICATION
Detect events on your network. An event is any observable occurrence on the network. You
can detect events several ways, including through:
• observations of breakdowns in processes or loss in productivity;
• observations such as alarms, alerts, and notifications from other organizations; and
• the results of audits or assessments.
After you detect an event, determine if it will affect organizational assets and/or has the
potential to disrupt operations. This may require the start of the incident process.
Example
You are in charge of IT operations for your company. As part of your role, you should track
events on your network. You should also be a collection point for your coworkers to send
you suspected events. When you discover or receive a report of an event, you should tell the
person who will need to act on the detected event.
References
• CIS Controls v7.1 19.4
• NIST CSF v1.1 DE.CM-1, DE.CM-2, DE.CM-3, RS.CO-2
• CERT RMM v1.2 IMC:SG2.SP1
• NIST SP 800-53 Rev 4 IR-6