03.06.05
Control Family: Incident Response
SPRS: N/A
Top Ten Failed Requirement: N/A
Supporting Publications:
SP 800-86 [36]
SP 800-137 [49]
Referenced in: N/A
Control Type: N/A
CPCSC Level 2: 03.06.05
CMMC Level(s): N/A
Derived From: NIST SP 800-53r5
IR-08
a. Develop an incident response plan that:
1. Provides the organization with a roadmap for implementing its incident response capability,
2. Describes the structure and organization of the incident response capability,
3. Provides a high-level approach for how the incident response capability fits into the overall organization,
4. Defines reportable incidents,
5. Addresses the sharing of incident information, and
6. Designates responsibilities to organizational entities, personnel, or roles.
b. Distribute copies of the incident response plan to designated incident response personnel (identified by name and/or by role) and organizational elements.
c. Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing.
d. Protect the incident response plan from unauthorized disclosure.
Discussion:
It is important that organizations develop and implement a coordinated approach to incident response. Organizational mission and business functions determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain.
Assessment Methods and Objectives
Examine [SELECT FROM: incident response policy; procedures addressing incident response planning; incident response plan; system security plan; records of incident response plan reviews and approvals; other relevant documents or records]
Interview [SELECT FROM: personnel with incident response planning responsibilities; personnel with information security responsibilities]
Test [SELECT FROM: incident response plan and related processes]
NIST SP 800-171A r3 Determining Statements
Determine if:
A.03.06.05.a.01: an incident response plan is developed that provides the organization with a roadmap for implementing its incident response capability.
A.03.06.05.a.02: an incident response plan is developed that describes the structure and organization of the incident response capability.
A.03.06.05.a.03: an incident response plan is developed that provides a high-level approach for how the incident response capability fits into the overall organization.
A.03.06.05.a.04: an incident response plan is developed that defines reportable incidents.
A.03.06.05.a.05: an incident response plan is developed that addresses the sharing of incident information.
A.03.06.05.a.06: an incident response plan is developed that designates responsibilities to organizational entities, personnel, or roles.
A.03.06.05.b[01]: copies of the incident response plan are distributed to designated incident response personnel (identified by name or by role).
A.03.06.05.b[02]: copies of the incident response plan are distributed to organizational elements.
A.03.06.05.c: the incident response plan is updated to address system and organizational changes or problems encountered during plan implementation, execution, or testing.
A.03.06.05.d: the incident response plan is protected from unauthorized disclosure.