03.06.02: Incident Monitoring, Reporting, and Response Assistance

Control Family: Incident Response

SPRS: N/A

Top Ten Failed Requirement: N/A

Supporting Publications:

  • SP 800-61 [47]

  • SP 800-86 [36]

Referenced in: N/A

Control Type: N/A

CPCSC Level 2: 03.06.02

CMMC Level(s): N/A

Derived From: NIST SP 800-53r5

  • IR-05

  • IR-06

  • IR-07

a. Track and document system security incidents.

b. Report suspected incidents to the organizational incident response capability within [Assignment: organization-defined time period].

c. Report incident information to [Assignment: organization-defined authorities].

d. Provide an incident response support resource that offers advice and assistance to system users on handling and reporting incidents.

Discussion:

Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics as well as evaluating incident details, trends, and handling. Incident information can be obtained from many sources, including network monitoring, incident reports, incident response teams, user complaints, supply chain partners, audit monitoring, physical access monitoring, and user and administrator reports. 03.06.01 provides information on the types of incidents that are appropriate for monitoring. The types of incidents reported, the content and timeliness of the reports, and the reporting authorities reflect applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines. Incident information informs risk assessments, the effectiveness of security assessments, the security requirements for acquisitions, and the selection criteria for technology products. Incident response support resources provided by organizations include help desks, assistance groups, automated ticketing systems to open and track incident response tickets, and access to forensic services or consumer redress services, when required.

Assessment Methods and Objectives

Examine [SELECT FROM: incident response policy and procedures; procedures for incident monitoring; procedures for incident response assistance; incident response records and documentation; incident response plan; system security plan; other relevant documents or records]

Interview [SELECT FROM: personnel with incident monitoring responsibilities; personnel with incident response assistance and support responsibilities; personnel with information security responsibilities]

Test [SELECT FROM: processes for incident reporting; incident monitoring capability; mechanisms for supporting or implementing the tracking and documenting of system security incidents; mechanisms for supporting or implementing incident reporting; mechanisms for supporting or implementing incident response assistance; processes for incident response assistance]

NIST SP 800-171A r3 Determining Statements

Determine if:

A.03.06.02.ODP[01]: the time period to report suspected incidents to the organizational incident response capability is defined.

A.03.06.02.ODP[02]: authorities to whom incident information is to be reported are defined.

A.03.06.02.a[01]: system security incidents are tracked.

A.03.06.02.a[02]: system security incidents are documented.

A.03.06.02.b: suspected incidents are reported to the organizational incident response capability within <A.03.06.02.ODP[01]: time period>.

A.03.06.02.c: incident information is reported to <A.03.06.02.ODP[02]: authorities>.

A.03.06.02.d: an incident response support resource that offers advice and assistance to system users on handling and reporting incidents is provided.