Did you know that your organization is required to have an incident response plan and to exercise it routinely? NIST 800-171 provides three incident response controls that organizations must comply with:
- 3.6.1 Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
- 3.6.2 Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.
- 3.6.3 Test the organizational incident response capability.
Organizations that fail assessments most often do so by overlooking aspects of 3.6.2. Several reasons contribute to these oversights:
- Perception of Incident Severity: Organizations may underestimate the importance of tracking and documenting incidents, especially if they believe the incident is minor or inconsequential. As a result, they may fail to document incidents that they consider insignificant, leading to gaps in incident reporting.
- Lack of Incident Response Procedures: Some organizations may have incident response plans in place but lack clear procedures for tracking, documenting, and reporting incidents. Without well-defined processes, incidents may go undocumented or unreported, hindering the organization’s ability to analyze trends and improve its security posture.
- Resource Constraints: Limited resources, including personnel and technology, can impede an organization’s ability to effectively track and document incidents. In busy or resource-constrained environments, other pressing tasks may be given priority over incident documentation and reporting. This may result in oversight or neglect of this control.
- Misalignment of Priorities: Organizations may prioritize detection and containment over documentation and reporting. This is especially true if they perceive response as a reactive rather than proactive process. This mindset can lead to a reduced emphasis on the importance of incident documentation and reporting.
- Lack of Awareness: Some organizations may simply be unaware of the requirement to track, document, and report incidents to designated officials and authorities. Without a clear understanding of their obligations in this regard, they may overlook or neglect this control.
For a Level 2 CMMC certification, organizations must develop a robust incident detection and response plan, including internal and external reporting points. Additionally, they must demonstrate periodic testing of the plan’s effectiveness.