Requirement text: IR.3.098: Track, document, and report incidents to designated officials and/or
authorities both internal and external to the organization.
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Tracking and documenting system security incidents includes maintaining records about
each incident, the status of the incident, and other pertinent information necessary for
forensics, evaluating incident details, trends, and handling. Incident information can be
obtained from a variety of sources including incident reports, incident response teams, audit
monitoring, network monitoring, physical access monitoring, and user/administrator
reports. Reporting incidents addresses specific incident reporting requirements within an
organization and the formal incident reporting requirements for the organization.
Suspected security incidents may also be reported and include the receipt of suspicious
email communications that can potentially contain malicious code. The types of security
incidents reported, the content and timeliness of the reports, and the designated reporting
authorities reflect applicable laws, Executive Orders, directives, regulations, and policies.
CMMC CLARIFICATION
Incident response is a process an organization executes to manage the consequences and
reduce the risk as a result of a security breach or cyberattack. The majority of the process
consists of identification, containment, eradication, and recovery of the incident. During this
process it is essential for an organization to track the work processes required in order to
effectively respond. During the process the organization should designate a central hub to
serve as the point to coordinate, communicate, and track activities. The hub should receive
and document information from system administrators, incident handlers, and others
involved throughout the process. As the incident process moves toward eradication the
organization’s executives, affected business units, and any required external stakeholders
should be kept aware of the incident in order to make decisions affecting the business.
Designated staff members should also be assigned to work with executives to provide
communications outside the organization in the event it is needed.
Example
As a database administrator you notice unusual activity on a server and determine a
potential security incident has occurred. You open a tracking ticket with the Security
Operations Center (SOC). The SOC assigns an incident handler to work the ticket. The
incident handler investigates, collects artifacts, and documents initial findings. As a result of
the investigation the incident handler determines unauthorized access occurred on the
database server. The SOC establishes a team to manage the incident. The team consists of
security, database, network, and system administrators. The team meets daily to update
progress and plan courses of action to contain the incident. At the end of the day the team
provides a status report to IT executives. Two days later the team declares the incident
contained. The team produces a final report as the database system is rebuilt and placed
back into operation.
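The clarification and the walkthrough above describe a tracking record that moves through identification, containment, eradication, and recovery while collecting attributed notes and reports to designated officials. The following Python is an added illustration of such a tracker, not code from the CMMC or NIST documents; the ticket id, handler names, timestamps, and the reporting deadlines in REPORTING_DEADLINES are constructed for the example and do not come from any regulation.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class Phase(Enum):
    """Incident handling phases named in the CMMC clarification."""
    IDENTIFICATION = "identification"
    CONTAINMENT = "containment"
    ERADICATION = "eradication"
    RECOVERY = "recovery"
    CLOSED = "closed"


# Phases only move forward; a tracker that allows arbitrary jumps loses the
# record of when containment or recovery was actually declared.
NEXT_PHASE = {
    Phase.IDENTIFICATION: Phase.CONTAINMENT,
    Phase.CONTAINMENT: Phase.ERADICATION,
    Phase.ERADICATION: Phase.RECOVERY,
    Phase.RECOVERY: Phase.CLOSED,
}


@dataclass(frozen=True)
class Entry:
    when: datetime
    source: str   # who supplied the information (DBA, handler, monitoring)
    text: str


@dataclass
class Incident:
    ticket_id: str
    summary: str
    opened: datetime
    phase: Phase = Phase.IDENTIFICATION
    handler: str | None = None
    entries: list[Entry] = field(default_factory=list)
    notified: dict[str, datetime] = field(default_factory=dict)

    def record(self, when: datetime, source: str, text: str) -> None:
        """Append a timestamped, attributed note; entries are never edited."""
        self.entries.append(Entry(when, source, text))

    def advance(self, when: datetime, source: str, note: str) -> Phase:
        """Move to the next phase, recording who declared it and why."""
        if self.phase not in NEXT_PHASE:
            raise ValueError(f"{self.ticket_id} is already closed")
        self.phase = NEXT_PHASE[self.phase]
        self.record(when, source, f"phase -> {self.phase.value}: {note}")
        return self.phase

    def notify(self, when: datetime, recipient: str) -> None:
        """Record that a designated official or authority received a report."""
        self.notified[recipient] = when
        self.record(when, "tracker", f"report sent to {recipient}")

    def overdue_reports(self, deadlines: dict[str, timedelta], now: datetime) -> list[str]:
        """Recipients whose reporting deadline (measured from opening) has
        passed without a report being recorded."""
        return sorted(
            r for r, limit in deadlines.items()
            if r not in self.notified and now > self.opened + limit
        )

    def status_report(self) -> str:
        """End-of-day status summary for executives and stakeholders."""
        lines = [f"{self.ticket_id} [{self.phase.value}] {self.summary}",
                 f"handler: {self.handler or 'unassigned'}",
                 f"entries: {len(self.entries)}"]
        for e in self.entries[-3:]:
            lines.append(f"  {e.when:%Y-%m-%d %H:%M} {e.source}: {e.text}")
        return "\n".join(lines)


# Constructed reporting obligations for the example; the real set and
# timelines come from the organization's policy and applicable regulations.
REPORTING_DEADLINES = {
    "IT executives": timedelta(hours=24),
    "External authority (placeholder)": timedelta(hours=72),
}


def run_example() -> Incident:
    """Replays the page's database-server walkthrough with constructed timestamps."""
    t0 = datetime(2024, 1, 8, 9, 0, tzinfo=timezone.utc)
    inc = Incident("INC-0001", "unusual activity on database server", opened=t0)
    inc.record(t0, "DBA", "unusual activity observed; ticket opened with SOC")
    inc.handler = "handler-1"
    inc.record(t0 + timedelta(hours=2), "handler-1", "artifacts collected; unauthorized access confirmed")
    inc.advance(t0 + timedelta(hours=6), "SOC", "response team formed; containment under way")
    inc.notify(t0 + timedelta(hours=9), "IT executives")
    inc.advance(t0 + timedelta(days=2), "team", "incident declared contained")      # -> eradication
    inc.advance(t0 + timedelta(days=3), "team", "database system rebuilt")          # -> recovery
    inc.advance(t0 + timedelta(days=4), "team", "back in operation; final report")  # -> closed
    return inc


if __name__ == "__main__":
    print(run_example().status_report())
```

The point of overdue_reports is the "timeliness of the reports" sentence in the NIST discussion: the tracker knows when the ticket was opened and which designated recipients have already been sent a report, so it can list any whose deadline has passed, which in the replayed walkthrough is the external recipient that was never notified.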
References
• NIST SP 800-171 Rev 1 3.6.2
• CIS Controls v7.1 19.4
• NIST CSF v1.1 RS.CO-2, RS.CO-3
• CERT RMM v1.2 IMC:SG2.SP2
• NIST SP 800-53 Rev 4 IR-6, IR-7