CMMC Practice IR.2.097
Perform root cause analysis on incidents to determine underlying causes.
Bold Coast Security Guidance
Your root cause analysis should include incident team members, stakeholders, and leadership. There may be technical considerations, physical considerations, and also the human factor which requires Human Resources involvement. There are usually multiple failures or breakdowns which lead to high impact events, and learning from those failures is imperative.
In addition to conducting root cause analysis during your post-incident review, we suggest you check your incident log documentation or forensic logs to ensure you captured all events, review your incident response plan for its effectiveness in guiding the response effort, and create or modify any procedures for responding to a similar incident in the future.
CERT RMM V1.2
Post-incident review is a formal part of the incident closure process. The organization conducts a formal examination of the causes of the incident and the ways in which the organization responded to it, as well as the administrative, technical, and physical control weaknesses that may have allowed the incident to occur.
Post-incident review should include a significant root-cause analysis process. The organization should employ commonly available techniques (such as cause-and-effect diagrams) to perform root-cause analysis as a means of potentially preventing future incidents of similar type and impact. Considerations of other processes that may have caused or aided the incident should be given, particularly as they may exist in processes such as change management and configuration management.