CMMC v2.11 Practices

IR.L3-3.6.1e  

Reference: CMMC v2.11

Family: IR

Level Introduced: 3

Title: Security Operations Center

Practice:
Establish and maintain a security operations center capability that operates 24/7, with allowance for remote/on-call staff.

Further Discussion:
Security operations centers are created to monitor and respond to suspicious activities across an organization’s IT applications and infrastructure. A SOC may be implemented in a variety of physical, virtual, and geographic constructs. The organization may also opt to not hire their own staff but to engage a third-party external service provider to serve as their SOC.

The SOC is typically comprised of multiple levels of cybersecurity analysts. Each tier of cybersecurity analysts works on increasingly complex aspects of Incident Response. The SOC may also have dedicated cybersecurity engineers to support configuration and management of defensive cyber tools. The SOC may work with staff in IT operations who provide support to the SOC.

SOC capabilities run 24/7, and while staff may not always be performing tasks for the SOC, the capability alerts staff members and directs them to go to a facility or perform SOC actions from a remote location. Staff members should be scheduled or on call to ensure they are available when needed.

Example
You are the Chief Information Security Officer (CISO) of a medium-sized organization. To meet the goal of 24/7 SOC operation, you have decided to adjust the current SOC, which operates five days a week for 12 hours a day, by minimizing active staff members and hiring trusted expert consultants to have on call at all times (i.e., seven days a week, 24 hours a day) [a,b]. You design your SOC to be remotely accessible so your experts can access your environment when needed. You also decide to set up a very strong automated capability that is good at identifying questionable activities and alerting the appropriate staff. You create a policy stating that after an alert goes out, two members of the SOC team must remotely connect to the environment within 15 minutes to address the problem. All staff members also have regular working hours during which they perform other SOC activities, such as updating information to help the automated tool perform its functions [c].

Potential Assessment Considerations
• How does the organization enable 24/7 SOC capabilities? Does the organization have people in seats 24/7 or on-call members? If on-call members are used, what are the trigger and alerting mechanisms that allow for 24/7 coverage [a,b]?
• Does the organization have sufficient trained full-time equivalent staff to enable 24/7 SOC services [a,b]?

This is for registered users only. Please sign up for a free account, or Login, to see complete cross references to other standards and frameworks.

This is for registered users only. Please sign up for a free account, or Login, to see complete cross references to other standards and frameworks.

Source: CMMC v2.11