CMMC Practice IR.5.106: In response to cyber incidents, utilize forensic data gathering across impacted systems, ensuring the secure transfer and protection of forensic data.
CMMC CLARIFICATION (Ref CMMC – Appendix B)
The security operations center (whether in-house or outsourced) must have the necessary forensic data to develop situational awareness across the organization’s infrastructure. One solution identifies and collects security-relevant system events, data, or images using an agent on the system. The agent transfers the events in real time over a secure channel to a protected network enclave. Other solutions require physical access to the machine from which the data is gathered.
Many individual system security tools, such as anti-virus or endpoint detection and response (EDR) tools, can create logs, access system information in real time, or image memory for secure transfer to a central management server. These logs would allow a SOC to begin the investigation. The SOC should also consider the software tools used to push software or patches to systems, since they would give the SOC an on-demand capability to deploy a security application when it is needed for forensic data collection.
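The "protection of forensic data" half of the practice is easy to state and easy to get wrong: evidence collected by an agent and shipped to the enclave is only useful if the receiving SOC can show it arrived unaltered. The following is an added illustration, not text or code from CMMC Appendix B or any vendor tool: the agent side hashes every collected artifact at acquisition time and authenticates the manifest with an HMAC, and the enclave side re-verifies before analysis. The key, host name, and sample artifacts are constructed for the demonstration.

```python
# Added example (not from the CMMC text): hash each collected artifact at
# acquisition and authenticate the manifest with a key held by the SOC enclave.
import hashlib, hmac, json, os, tempfile, time
from pathlib import Path

# Hypothetical key: provisioned to the agent by the enclave, never hard-coded in practice.
ENCLAVE_KEY = b"constructed-demo-key"

def sha256_file(path):
    """Stream the file so a large memory image need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def _canonical(body):
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def build_manifest(paths, host, key=ENCLAVE_KEY):
    """Agent side: record hash and size of every artifact, then MAC the manifest."""
    arts = [{"name": os.path.basename(p), "sha256": sha256_file(p),
             "size": os.path.getsize(p)} for p in sorted(paths)]
    body = {"host": host, "collected_at": int(time.time()), "artifacts": arts}
    return {"body": body, "hmac": hmac.new(key, _canonical(body), "sha256").hexdigest()}

def verify_manifest(manifest, directory, key=ENCLAVE_KEY):
    """Enclave side: return a list of problems; empty means the evidence is intact."""
    body = manifest["body"]
    expected = hmac.new(key, _canonical(body), "sha256").hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return ["manifest HMAC mismatch: manifest altered or wrong key"]
    problems = []
    for a in body["artifacts"]:
        p = os.path.join(directory, a["name"])
        if not os.path.isfile(p):
            problems.append("missing artifact " + a["name"])
        elif sha256_file(p) != a["sha256"]:
            problems.append("hash mismatch for " + a["name"])
    return problems

def demo():
    """Collect two constructed artifacts, verify, tamper with one, verify again."""
    d = tempfile.mkdtemp()
    samples = {"auth.log": b"sshd[42]: Accepted publickey for ops\n", "mem.img": os.urandom(4096)}
    for name, data in samples.items():
        Path(d, name).write_bytes(data)
    m = build_manifest([os.path.join(d, n) for n in samples], "host-01")
    clean = verify_manifest(m, d)
    Path(d, "auth.log").write_bytes(samples["auth.log"] + b"tampered\n")  # alteration after acquisition
    return clean, verify_manifest(m, d)
```

`demo()` returns an empty problem list for the untouched collection and a single hash mismatch for the altered log; a manifest edited in transit, or one signed with the wrong key, is rejected before any per-file check runs.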