Requirement text: IR.2.097: Perform root cause analysis on incidents to determine underlying causes.
DISCUSSION FROM SOURCE: CERT RMM V1.2
Post-incident review is a formal part of the incident closure process. The organization conducts a formal examination of the causes of the incident and the ways in which the organization responded to it, as well as the administrative, technical, and physical control weaknesses that may have allowed the incident to occur.
Post-incident review should include a significant root-cause analysis process. The organization should employ commonly available techniques (such as cause-and-effect diagrams) to perform root-cause analysis as a means of potentially preventing future incidents of similar type and impact. Considerations of other processes that may have caused or aided the incident should be given, particularly as they may exist in processes such as change management and configuration management.
CMMC CLARIFICATION
Examine the causes of the event or incident and how your organization responded to it. Look at the administrative, technical, and physical control weaknesses that may have allowed the incident to occur. Use available practices, such as cause-and-effect diagrams, to perform root-cause analysis; this helps prevent similar incidents in the future. After incidents are resolved, conduct reviews and capture lessons learned. Make improvements based on the outcomes of these activities, such as updating plans or controls.
Example
You are in charge of IT operations for your company. As part of your role, you manage incident response. After incidents are resolved, you and your team conduct a root cause analysis. Doing this analysis helps you determine the underlying causes of declared incidents. Based on what you learn from the analysis, you can make changes to your network to prevent similar incidents.
References
• NIST CSF v1.1 DE.AE-2
• CERT RMM v1.2 IMC:SG5.SP1
• NIST SP 800-53 Rev 4 AU-2