CMMC Requirement IR.L3-3.6.2E – Cyber Incident Response Team: Establish and maintain a cyber incident response team that can be deployed by the organization within 24 hours.
Links to Publicly Available Resources – Coming Soon
[NIST SP 800-101] Mobile device forensics is the science of recovering digital evidence from a mobile device under forensically sound conditions using accepted methods. Mobile device forensics is an evolving specialty in the field of digital forensics. This guide attempts to bridge the gap by providing an in-depth look into mobile devices and explaining the technologies involved and their relationship to forensic procedures. This document covers mobile devices with features beyond simple voice communication and text messaging capabilities. This guide also discusses procedures for the validation, preservation, acquisition, examination, analysis, and reporting of digital information.
[NIST SP 800-150] This publication provides guidelines for establishing and participating in cyber threat information sharing relationships. This guidance helps organizations establish information sharing goals, identify cyber threat information sources, scope information sharing activities, develop rules that control the publication and distribution of threat information, engage with existing sharing communities, and make effective use of threat information in support of the organization’s overall cybersecurity practices.
[NIST SP 800-184] This NIST Special Publication focuses on providing plans and procedures to facilitate resuming normal business operations as quickly as possible during a cybersecurity event.
[NIST SP 800-61] This NIST Special Publication offers guidance for incident response by identifying best practices and other recommendations.
[NIST SP 800-86] This guide from NIST discusses how important forensics can be for an organization during a cyber incident.
A cyber incident response team (CIRT) is a team of experts that assesses, documents, and responds to cyber incidents so that organizational systems can recover quickly and implement the necessary controls to avoid future incidents. CIRT personnel include, for example, forensic analysts, malicious code analysts, systems security engineers, and real-time operations personnel. The incident handling capability includes performing rapid forensic preservation of evidence and analysis of and response to intrusions. The team members may or may not be full-time, but they need to be available to respond within the required time period. The size and specialties of the team are based on known and anticipated threats. The team is typically pre-equipped with the software and hardware (e.g., forensic tools) necessary for rapid identification, quarantine, mitigation, and recovery, and is familiar with how to preserve evidence and maintain chain of custody for law enforcement or counterintelligence uses. For some organizations, the CIRT can be implemented as a cross-organizational entity or as part of the Security Operations Center (SOC).
[NIST SP 800-61] provides guidance on incident handling. [NIST SP 800-86] and [NIST SP 800-101] provide guidance on integrating forensic techniques into incident response. [NIST SP 800-150] provides guidance on cyber threat information sharing. [NIST SP 800-184] provides guidance on cybersecurity event recovery.
Further Discussion
The CIRT’s primary function is to handle information security incident management and response for the environments the SOC oversees. The primary goals of the CIRT are triage and initial response to an incident. The team also communicates with all the appropriate people to ensure that the incident and the response actions taken, including the collection of forensic evidence, are understood.
If and when an incident is detected by the organization’s SOC, the CIRT is responsible for handling the incident and communicating what has happened to the appropriate people within the organization, as well as to the authorities (as needed).
The deployment of a team does not necessarily mean they are “physically deployed.” Deployment may simply mean connecting to a remote system in a manner that is equivalent to being on the system’s keyboard. Remote access can provide just as much capability as local access in many cases.
Some situations require physical access. For instance, if the company has a physically isolated environment located at a remote location, a team must be physically present at the remote facility to perform the duties required.