CMMC Practice IR.L2-3.6.2

Incident Reporting: Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.

Monarch ISC Guidance

Your Incident Response Plan must include notification documentation, tracking and notification requirements. You should list how and where you will track the details of an incident, and who must be notified. This list should include internal and external authorities. Do not forget the requirement for DoD contractors to notify the DoD if you have a cybersecurity incident. You may also want to define who must approve communications with external parties such as the press, law enforcement, or customers. You may need to remind your staff during an incident that posting information to social media, or emailing family and friends details about the incident, is not permitted. If you have contractual agreement for notification or legal requirements, it is helpful to save the timeliness requirements and points of contact in your Incident Response Plan. You should also note any internal parties such as a board of directors who must be notified, and in what time frame. We recommend developing some templates for internal/external communications ahead of time.

Discussion From Source

NIST SP 800-171 R2 Tracking and documenting system security incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics, evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources including incident reports, incident response teams, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports. Reporting incidents addresses specific incident reporting requirements within an organization and the formal incident reporting requirements for the organization. Suspected security incidents may also be reported and include the receipt of suspicious email communications that can potentially contain malicious code. The types of security incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, Executive Orders, directives, regulations, and policies. NIST SP 800-61 provides guidance on incident handling.

References