Incident Response Information Collection CMMC

What information should you collect when a cybersecurity incident occurs? What are your CMMC Incident Response Requirements?

September 22, 2020
It is important for organization’s to collect information on cybersecurity incidents. Here is what they should be collecting.

Collect Contact Information for your Incident Report

You need to be collecting the contact information of incident reporters and handlers.
  • Name of the person who reported the incident
  • Name of the person(s) who is handling the incident
  • Role/Title of the person who reported the incident
  • Role/Title of the person(s) who is handling the incident
  • Department/Team of the person who reported the incident
  • Department/Team of the person who is handling the incident
  • Email and phone of the person who reported the incident
  • Email and phone of the person who is handling the incident
  • Location (Office) of the person who reported the incident
  • Location (Office) of the person who is handling the incident

Collect Important Details on the Incident

Cat in computer
  • Status change date/timestamps (including time zone): when the incident started, when the incident was discovered/detected, when the incident was reported, when the incident was resolved/ended, etc.
  • Physical location of the incident (e.g., office location, city, state)
  • Current status of the incident (e.g., ongoing attack)
  • Source/cause of the incident (if known), including hostnames and IP addresses
  • Description of the incident (e.g., how it was detected, what occurred)
  • Description of affected resources (e.g., networks, hosts, applications, data), including systems’ hostnames, IP addresses, and function
  • If known, incident category, vectors of attack associated with the incident, and indicators related to the incident (traffic patterns, registry keys, etc.)
  • Prioritization factors (functional impact, information impact, recoverability, etc.)
  • Mitigating factors (e.g., stolen laptop containing sensitive data was using full disk encryption)
  • Response actions performed (e.g., shut off host, disconnected host from network)
  • Other organizations contacted (e.g., software vendor)
  • Summary of the Incident Incident Handling Actions
  • List of evidence gathered
  • Cause of the Incident (e.g., misconfigured application, unpatched host)
  • Business Impact of the Incident
  • Cost of the Incident

Cybersecurity Maturity Model Certification (CMMC) Incident Response Requirements:

Companies with level 2 or higher CMMC requirements will need to have an incident response capability inplace. This includes being able to detect and respond to incidents, analyzing incidents, reporting incidents to relevant third parties (such as the DoD), testing incident response capabilities, and having plans in place to deal with common incidents.
If you would like more information on your cybersecurity maturity model certification (CMMC) related requirements reach out to us at info@cubcyber.com.
 

Discover Our NIST SP 800-171 Solutions:

 /assets/images/compliance_accelerator_white.png

Compliance Accelerator

For contractors seeking compliance
 /assets/images/quantum_assessor_white.png

Quantum Assessor

For IT service providers
 /assets/images/supply_chain_logo_white.png

Supply Chain Verifier

For contractors seeking to verify partner compliance