CMMC Requirement IR.L2-3.6.1 – Incident Handling: Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
The following provides a sample mapping between the Cybersecurity Maturity Model Certification (CMMC) 2.0 Level 2 and AWS managed Config rules. Each Config rule applies to a specific AWS resource, and relates to one or more CMMC 2.0 Level 2 controls. A CMMC 2.0 Level 2 control can be related to multiple Config rules. This resource from CMU provides an example procedure for how to respond to information security incidents. This white paper is about tabletop exercises can be used to help cybersecurity teams develop tactical strategies for securing their systems. This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2. This article outlines frameworks and steps a company can take to have an effective incident response plan. This is a self-paced online training course regarding incident response offered by CISA. How to Design a Cyber Incident Response Plan for Your Business This PowerPoint from Secureworks’ Security and Risk Consulting Incident Response (SRC-IR) Team discusses common tabletop exercise failures. Learn about Incident management process flow, best practices, and benefits. This governance document establishes Department information technology (IT) system incident response controls standards necessary to improve the efficiency of operation or security of Department information systems and comply with Federal laws, regulations, Executive Orders, Emergency Orders, Binding Operational Directives, and Department Administrative Communications System (ACS) directives and policies. This document from the IRS provides guidance for testing and exercising incident response capabilities. Mobile device forensics is the science of recovering digital evidence from a mobile device under forensically sound conditions using accepted methods. Mobile device forensics is an evolving specialty in the field of digital forensics. This guide attempts to bridge the gap by providing an in-depth look into mobile devices and explaining the technologies involved and their relationship to forensic procedures. This document covers mobile devices with features beyond simple voice communication and text messaging capabilities. This guide also discusses procedures for the validation, preservation, acquisition, examination, analysis, and reporting of digital information. This publication provides guidance to federal agencies on identifying, assessing, and mitigating ICT supply chain risks at all levels of their organizations. This NIST Special Publication focuses on providing plans and procedures to facilitate resuming normal business operations as quickly as possible during a cybersecurity event. This NIST Special Publication offers guidance for incident response by identifying best practices and other recommendations. This guide from NIST discusses how important forensics can be for an organization during a cyber incident. Learn how to manage a data breach with the 6 phases in the incident response plan. This article will point you to the core concepts within the SIRP so that you understand the purpose of this policy before writing your own. US-CERT resource that provides information on how to create, test and improve an Incident Management plan. In this video, Mike dives into CMMC 2.0 Control IR.L2-3.6.1. This control is all about being prepared, having a written and practiced plan in place so that your entire team knows exactly what to do when an attack happens. This YouTube video covers key components of an effective incident response plan.
Organizations recognize that incident handling capability is dependent on the capabilities of organizational systems and the mission/business processes being supported by those systems. Organizations consider incident handling as part of the definition, design, and development of mission/business processes and systems. Incident-related information can be obtained from a variety of sources including audit monitoring, network monitoring, physical access monitoring, user and administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including mission/business owners, system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive.
As part of user response activities, incident response training is provided by organizations and is linked directly to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to know who to call or how to recognize an incident on the system; system administrators may require additional training on how to handle or remediate incidents; and incident responders may receive more specific training on forensics, reporting, system recovery, and restoration. Incident response training includes user training in the identification/reporting of suspicious activities from external and internal sources. User response activities also includes incident response assistance which may consist of help desk support, assistance groups, and access to forensics services or consumer redress services, when required.
NIST SP 800-61 provides guidance on incident handling. SP 800-86 and SP 800-101 provide guidance on integrating forensic techniques into incident response. SP 800-161 provides guidance on supply chain risk management.
Further Discussion
Incident handling capabilities prepare your organization to respond to incidents and may:
- identify people inside and outside your organization you may need to contact during an incident;
- establish a way to report incidents, such as an email address or a phone number;
- establish a system for tracking incidents; and
- determine a place and a way to store evidence of an incident.
Software and hardware may be required to analyze incidents when they occur. Incident prevention activities are also part of an incident-handling capability. The incident-handling team provides input for such things as risk assessments and training.
OSAs detect incidents using different indicators. Indicators may include:
- alerts from sensors or antivirus software;
- a filename that looks unusual; and
- log entries that raise concern.
After detecting an incident, an incident response team performs analysis. This requires some knowledge of normal network operations. The incident should be documented including all the log entries associated with the incident.
Containment of the incident is a critical step to stop the damage the incident is causing to your network. Containment activities should be based on previously defined organizational priorities and assessment of risk.
Recovery activities restore systems to pre-incident functionality and address its underlying causes. Organizations should use recovery activities as a means of improving their overall resilience to future attacks.