CMMC v2.11 Practices

IR.L3-3.6.2e  

Reference: CMMC v2.11

Family: IR

Level Introduced: 3

Title: Cyber Incident Response Team

Practice:
Establish and maintain a cyber incident response team that can be deployed by the organization within 24 hours.

Further Discussion:
The CIRT’s primary function is to handle information security incident management and response for the environments the SOC oversees. The primary goals of the CIRT are triage and initial response to an incident. The CIRT also communicates with all the appropriate people so that the nature of the incident and the response actions taken, including the collection of forensic evidence, are understood.

If and when an incident is detected by the organization’s SOC, the IR team is responsible for handling the incident and communicating what has happened to the appropriate people within the organization, as well as to the authorities (as needed).

The deployment of a team does not necessarily mean they are “physically deployed.” Deployment may simply mean connecting to a remote system in a manner that is equivalent to being on the system’s keyboard. Remote access can provide just as much capability as local access in many cases.

Some situations require physical access. For instance, if the company has a physically isolated environment located at a remote location, a team must be physically present at the remote facility to perform the duties required.

Example
You are the lead for an IR team within your organization. Your manager is the SOC lead, and she reports to the chief information officer (CIO). As the SOC is alerted and/or identifies incidents within the organization’s environments, you lead and deploy teams to resolve the issues, including incidents involving cloud-based systems. You use a custom dashboard that was created for your team members to view and manage incidents, perform response actions, and record actions and notes for each case. You also have your team create an after action report for all incidents to which they respond; this information is used to determine if a given incident requires additional action and reporting [a].

One day, you receive a message from the SOC that your website has become corrupted. Within minutes, you have a team on the system inspecting logs, analyzing applications, preserving key information, and looking for evidence of tampering/attack [b]. Your team runs through a procedure set for this specific incident type based on a handbook the organization has created and maintains [c]. It is found that a cyberattack caused the corruption, but the corruption caused a crash, which prevented the attack from continuing. Your team takes note of all actions they perform, and at the end of the incident analysis, you send a message to the website lead to inform them of the issue, case number, and notes created by the team. The website lead has their team rebuild the system and validate that the attack no longer works. At the end of the incident, the CISO and CIO are informed of the issue.

Potential Assessment Considerations
• Does the organization have a response capability that has remote access to the organization’s systems and system components within 24 hours in place of physical access [a,b]?


Source: CMMC v2.11