CMMC Practice IR.L2-3.6.1

Incident Handling: Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.

Monarch ISC Guidance

This practice, and indeed this entire Domain, reflect the component parts of an Incident Response Plan (IRP) This is a different document from the security plans being created to meet Level 3 maturity. In fact your policies and security plans may simply reference the Incident Response Plan to avoid document conflicts. The IRP is a mix of your policies for responding to an incident, procedures for responding to specific incidents your organization is most likely to face, such as a phishing email, along with contact information. sample logs and templates, and instructions for tracking and recording incident. Think of your Incident Response Plan as a manual for responding to an incident that you can give to a new member of your incident response team, and it will provide them with references to all of the tools available, people inside and outside your organization who can help, and even templates for communicating with internal and external stakeholders. Your team should reference it during an incident, and it should be reviewed annually, at a minimum. The NIST 800-61 provides a common framework to approach incident response: Preparation -> Detection & Analysis -> Containment, Eradication & Recovery -> Post Incident Activity. The activities may loop back on each other during the course of an incident, and you always return to step one, preparation. The remaining practices in this Domain will help build your IRP, but keep this model in mind.

Discussion From Source

NIST SP 800-171 R2 Organizations recognize that incident handling capability is dependent on the capabilities of organizational systems and the mission/business processes being supported by those systems. Organizations consider incident handling as part of the definition, design, and development of mission/business processes and systems. Incident-related information can be obtained from a variety of sources including audit monitoring, network monitoring, physical access monitoring, user and administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including mission/business owners, system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive. As part of user response activities, incident response training is provided by organizations and is linked directly to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to know who to call or how to recognize an incident on the system; system administrators may require additional training on how to handle or remediate incidents; and incident responders may receive more specific training on forensics, reporting, system recovery, and restoration. Incident response training includes user training in the identification/reporting of suspicious activities from external and internal sources. User response activities also includes incident response assistance which may consist of help desk support, assistance groups, and access to forensics services or consumer redress services, when required. NIST SP 800-61 provides guidance on incident handling. SP 800-86 and SP 800-101 provide guidance on integrating forensic techniques into incident response. SP 800-161 provides guidance on supply chain risk management.

References