CMMC IR.2.096 - Develop Incident Response Procedures

Requirement text: IR.2.096: Develop and implement responses to declared incidents according to
predefined procedures.

DISCUSSION FROM SOURCE: CERT RMM V1.2
Responding to an organizational incident is often dependent on proper advance planning by
the organization in establishing, defining, and staffing an incident management capability.
Responding to an incident describes the actions the organization takes to prevent or contain
the impact of an incident on the organization while it is occurring or shortly after it has
occurred. The range, scope, and breadth of the organizational response will vary widely
depending on the nature of the incident. Incident response may be as simple as notifying
users to avoid opening a specific type of email message or as complicated as having to
implement service continuity plans that require relocation of services and operations to an
off-site provider. The broad range of potential incidents requires the organization to have a
broad range of capability in incident response.

CMMC CLARIFICATION
Write procedures ahead of time to use when responding to incidents. These procedures will
help guide the development and implementation of responses during an incident. Responses
should prevent or contain the impact of an incident while it is occurring or shortly after. The
type of response will vary depending on the incident. Response actions might include:
• stopping or containing the damage (e.g., by taking hardware or systems offline);
• communicating to users (e.g., avoid opening a specific type of email message);
• communicating to stakeholders (e.g., corporate management); and
• implementing controls (e.g., updating access control lists).

Example
You are in charge of IT operations for your company. In this role, you manage all declared
incidents. You have procedures in place for handling different types of declared incidents.
For example, when you identify a phishing email incident, you have a process in place. You
notify your company about the suspicious email and what to do when you receive it.

References
• CIS Controls v7.1 19.1
• NIST CSF v1.1 RS.RP-1
• CERT RMM v1.2 IMC:SG4.SP2
• NIST SP 800-53 Rev 4 IR-4