Did you know that if your organization handles Controlled Unclassified Information (CUI), it is required to have an incident response plan and to exercise it routinely? NIST 800-171 provides three incident response controls that organizations must comply with:

  • 3.6.1 Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
  • 3.6.2 Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.
  • 3.6.3 Test the organizational incident response capability.

Among organizations that fail assessments, the control most often overlooked is 3.6.2. Several reasons contribute to these oversights:

  • Perception of Incident Severity: Organizations may underestimate the importance of tracking and documenting incidents, especially if they believe the incident is minor or inconsequential. As a result, they may fail to document incidents that they consider insignificant, leading to gaps in incident reporting.
  • Lack of Incident Response Procedures: Some organizations may have incident response plans in place but lack clear procedures for tracking, documenting, and reporting incidents. Without well-defined processes, incidents may go undocumented or unreported, hindering the organization’s ability to analyze trends and improve its security posture.
  • Resource Constraints: Limited resources, including personnel and technology, can impede an organization’s ability to effectively track and document incidents. In busy or resource-constrained environments, other pressing tasks may be given priority over incident documentation and reporting. This may result in oversight or neglect of this control.
  • Misalignment of Priorities: Organizations may prioritize detection and containment over documentation and reporting. This is especially true if they perceive incident response as a purely reactive process rather than one that also feeds lessons learned back into their defenses. This mindset can lead to a reduced emphasis on the importance of incident documentation and reporting.
  • Lack of Awareness: Some organizations may simply be unaware of the requirement to track, document, and report incidents to designated officials and authorities. Without a clear understanding of their obligations in this regard, they may overlook or neglect this control.

For a Level 2 CMMC certification, organizations must develop a robust incident detection and response plan that names its internal and external reporting points, including who is notified, by what means, and within what timeframe. For DoD contractors, one such external point is the DFARS 252.204-7012 requirement to report cyber incidents affecting covered defense information to DoD within 72 hours of discovery. Additionally, they must demonstrate periodic testing of the plan’s effectiveness, for example through tabletop exercises whose dates, participants, and findings are recorded as evidence for the assessor.

For assistance with your CMMC efforts, contact DTC’s C3PAO team.