Requirement text: IR.5.108: Establish and maintain a cyber incident response team that can investigate
an issue physically or virtually at any location within 24 hours.
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171B
A cyber incident response team (CIRT) is a team of experts that assesses, documents, and
responds to cyber incidents so that organizational systems can recover quickly and
implement the necessary controls to avoid future incidents. CIRT personnel typically include
forensic analysts, malicious code analysts, systems security engineers, and real-time
operations personnel. The incident handling capability includes performing rapid forensic
preservation of evidence and analysis of and response to intrusions. The team members may
or may not be full-time but need to be available to respond in the time period required. The
size and specialties of the team are based on known and anticipated threats. The team is
typically pre-equipped with the software and hardware (e.g., forensic tools) necessary for
rapid identification, quarantine, mitigation, and recovery, and is familiar with how to
preserve evidence and maintain chain of custody for law enforcement or counterintelligence
uses. For some organizations the CIRT can be implemented as a cross-organizational entity
or as part of the Security Operations Center (SOC).
CMMC CLARIFICATION
An organization must have a team of individuals available to respond to a security incident
within 24 hours. In the event of an incident, the incident response team may need access to
the network device or endpoint to investigate potential incidents. The response team may
be able to perform the investigation virtually, or triage and quarantine virtually until local
personnel can assist. The response team coordinates with information technology help desk
personnel, system administrators, and physical security as appropriate to respond to an
incident.
Example
You are the on-call cyber analyst for the organization’s security operations center (SOC).
During the night you receive a high priority notification. You quickly identify the source of
the alert. A system in the London office indicates a potential compromise. You follow the
SOC runbooks and execute the required incident response process. You send several
commands to the system to collect running processes, dump the system memory, and
identify new files. The data is collected back at the SOC in Chicago. Your initial analysis
indicates the system should be isolated to mitigate any risk, so you run the script that isolates
the system on the network. The system is placed into a remediation VLAN for additional
investigation. You send an update to the system administrators in London and mark the
incident for follow-up by the morning shift SOC analysts in Chicago. At the start of your next
shift, you see in the notes that the SOC analysts worked with the system administrators in
London to resolve the incident.
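The scenario above touches two things the discussion calls for: acting within the 24-hour window, and preserving collected evidence with a chain of custody so the morning shift (or law enforcement) can rely on it. The following is an added illustration, not CMMC or NIST material: an incident-record helper that checks elapsed time against the objective and hashes each collected artifact at collection time, logging every hand-off. Incident, host and artifact values are constructed sample data.

```python
import hashlib
import json
from datetime import datetime, timedelta

RESPONSE_WINDOW = timedelta(hours=24)  # the IR.5.108 objective


def response_within_window(alert_iso, response_iso, window=RESPONSE_WINDOW):
    """Return (met, elapsed_hours) for alert time -> first responder action."""
    elapsed = datetime.fromisoformat(response_iso) - datetime.fromisoformat(alert_iso)
    return elapsed <= window, elapsed.total_seconds() / 3600


class EvidenceLog:
    """Hashes each artifact when it is collected and records custody events,
    so later analysts can show the evidence is unaltered since collection."""

    def __init__(self, incident_id, host):
        self.incident_id, self.host = incident_id, host
        self.artifacts, self.custody = {}, []

    def add_artifact(self, name, data, collector, when_iso):
        digest = hashlib.sha256(data).hexdigest()
        self.artifacts[name] = {"sha256": digest, "size": len(data),
                                "collected_by": collector, "collected_at": when_iso}
        self.custody.append({"artifact": name, "action": "collected",
                             "by": collector, "at": when_iso})
        return digest

    def transfer(self, name, giver, receiver, when_iso):
        """Record a hand-off, e.g. on-call analyst to morning shift."""
        self.custody.append({"artifact": name, "action": "transfer", "from": giver,
                             "to": receiver, "at": when_iso})

    def verify(self, name, data):
        """True if the artifact still matches the hash recorded at collection."""
        return hashlib.sha256(data).hexdigest() == self.artifacts[name]["sha256"]

    def to_json(self):
        return json.dumps({"incident": self.incident_id, "host": self.host,
                           "artifacts": self.artifacts, "custody": self.custody},
                          indent=2, sort_keys=True)


def demo():
    """Walk the London/Chicago scenario with constructed sample data."""
    log = EvidenceLog("INC-0001", "LON-WS-042")          # constructed IDs
    proc_list = b"pid=4242 image=svchost.exe parent=1\n"  # constructed output
    log.add_artifact("process_list.txt", proc_list, "oncall-analyst", "2024-01-10T02:35:00+00:00")
    log.transfer("process_list.txt", "oncall-analyst", "morning-shift", "2024-01-10T08:00:00+00:00")
    met, hours = response_within_window("2024-01-10T02:15:00+00:00", "2024-01-10T02:35:00+00:00")
    return met, hours, log.verify("process_list.txt", proc_list), len(log.custody)


if __name__ == "__main__":
    print(demo())
```

The JSON from `to_json()` is what you would attach to the incident ticket at shift hand-off; re-running `verify` on the stored copy later shows whether the artifact has changed since collection.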
ADDITIONAL READING
References
• CMMC modification of Draft NIST SP 800-171B 3.6.2e