IR.4.101 Establish and maintain a security operations center capability that facilitates a 24/7 response capability.

CMMC Practice IR.4.101: Establish and maintain a security operations center capability that facilitates a 24/7 response capability.

CMMC CLARIFICATION (Ref CMMC – Appendix B)

As an organization matures, it should dedicate resources to provide ongoing situational awareness. A security operations center (SOC) provides awareness through the ongoing collection of logs from the organization’s various defensive capabilities on its network and endpoints. The SOC processes the logs and any associated alerts in order to quickly identify and remediate threats before more damage is caused. Thus, ongoing monitoring is key to an effective cyber posture. In addition to technology, a SOC must be staffed by the appropriate personnel to ensure data is collected, analyzed, and investigated.

A SOC might be a physical facility, an organizational construct, or a managed service. Regardless of the SOC organization, it must enable a 24-hours-a-day, seven-days-a-week response capability. An organization can determine how best to staff and create the response capability; 24/7 on-site staffing may not be required.