Requirement text: IR.4.101: Establish and maintain a security operations center capability that facilitates a 24/7 response capability.
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171B (MODIFIED)
A security operations center (SOC) is the focal point for security operations and computer network defense for an organization. The purpose of the SOC is to defend and monitor an organization's systems and networks (i.e., cyber infrastructure) on an ongoing basis. The SOC is also responsible for detecting, analyzing, and responding to cybersecurity incidents in a timely manner. The SOC is staffed with skilled technical and operational personnel (e.g., security analysts, incident response personnel, systems security engineers) and implements technical, management, and operational controls (including monitoring, scanning, and forensics tools) to monitor, fuse, correlate, analyze, and respond to threat and security-relevant event data from multiple sources. Sources include perimeter defenses, network devices (e.g., gateways, routers, switches), and endpoint agent data feeds. The SOC provides a holistic situational awareness capability to help organizations determine the security posture of the system and organization. A SOC capability can be obtained in a variety of ways. Larger organizations may implement a dedicated SOC, while smaller organizations may employ third-party organizations to provide such a capability.
CMMC CLARIFICATION
As an organization matures, it should dedicate resources to provide ongoing situational awareness. A security operations center (SOC) provides awareness through the ongoing collection of logs from the organization's various defensive capabilities on its network and endpoints. The SOC processes the logs and any associated alerts in order to quickly identify and remediate threats before more damage is caused. Thus, ongoing monitoring is key to an effective cyber posture. In addition to technology, a SOC must be staffed by the appropriate personnel to ensure data is collected, analyzed, and investigated.
A SOC might be a physical facility, an organizational construct, or a managed service. Regardless of how the SOC is organized, it must enable a 24 hours a day, seven days a week response capability. An organization can determine how best to staff and create the response capability; 24/7 on-site staffing may not be required.
Example
You are the senior manager responsible for the organization's incident response. You have coordinated with a CMMC-compliant third-party security services provider to include your organization in that provider's security operations center (SOC) coverage. The third-party SOC has established direct lines of communication between the SOC and your organization's incident response capability to effectively integrate the SOC into your organization's cybersecurity capabilities.
ADDITIONAL READING
NIST SP 800-61 provides guidance on incident handling. NIST SP 800-86 and SP 800-101 provide guidance on integrating forensic techniques into incident response. NIST SP 800-150 provides guidance on cyber threat information sharing. NIST SP 800-184 provides guidance on cybersecurity event recovery.
References
• CMMC modification of Draft NIST SP 800-171B 3.6.1e