CMMC v2.11 Practices

IR.L2-3.6.1  

Reference: CMMC v2.11

Family: IR

Level Introduced: 2

Title: Incident Handling

Practice:
Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.

Further Discussion:
Incident handling capabilities prepare your organization to respond to incidents and may:
• identify people inside and outside your organization you may need to contact during an incident;
• establish a way to report incidents, such as an email address or a phone number;
• establish a system for tracking incidents; and
• determine a place and a way to store evidence of an incident.

Software and hardware may be required to analyze incidents when they occur. Incident prevention activities are also part of an incident-handling capability. The incident-handling team provides input for such things as risk assessments and training.

OSAs detect incidents using different indicators. Indicators may include:
• alerts from sensors or antivirus software;
• a filename that looks unusual; and
• log entries that raise concern.

After detecting an incident, an incident response team performs analysis. This requires some knowledge of normal network operations. The incident should be documented including all the log entries associated with the incident.

Containment of the incident is a critical step to stop the damage the incident is causing to your network. Containment activities should be based on previously defined organizational priorities and assessment of risk.

Recovery activities restore systems to pre-incident functionality and address its underlying causes. Organizations should use recovery activities as a means of improving their overall resilience to future attacks.

Example
Your manager asks you to set up your company’s incident-response capability [a]. First, you create an email address to collect information on possible incidents. Next, you draft a contact list of all the people who need to know when an incident occurs. You document a procedure for how to submit incidents that includes roles and responsibilities when a potential incident is detected or reported. The procedure also explains how to track incidents, from initial creation to closure [b].

Potential Assessment Considerations
• Is there an incident response policy which specifically outlines requirements for handling of incidents involving CUI [a]?

This is for registered users only. Please sign up for a free account, or Login, to see complete cross references to other standards and frameworks.

This is for registered users only. Please sign up for a free account, or Login, to see complete cross references to other standards and frameworks.

Source: CMMC v2.11