CMMC Practice IR.L2-3.6.2

Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.

Bold Coast Security Guidance

Your Incident Response Plan must include notification documentation, tracking and notification requirements. You should list how and where you will track the details of an incident, and who must be notified. This list should include internal and external authorities. Do not forget the requirement for DoD contractors to notify the DoD if you have a cybersecurity incident. You may also want to define who must approve communications with external parties such as the press, law enforcement, or customers. You may need to remind your staff during an incident that posting information to social media, or emailing family and friends details about the incident, is not permitted. If you have contractual agreement for notification or legal requirements, it is helpful to save the timeliness requirements and points of contact in your Incident Response Plan. You should also note any internal parties such as a board of directors who must be notified, and in what time frame. We recommend developing some templates for internal/external communications ahead of time.
Security Catapult

Be prepared for CMMC

Our Q&A assessment tool is designed by security advisors for MSPs and DoD contractors of all sizes.

Try now for free

Understand your gaps
Security Catapult

Understand your gaps

See compliance gaps, compliance scores and proactive security tasks in a single interface.

Try now for free

Validate NIST SP 800-171
Security Catapult

Validate NIST SP 800-171

Based on your CMMC answers, we let you know where you stand on NIST.

Try now for free

Build a plan of action
Security Catapult

Build a plan of action

Track your burn down and stay on top of security needs.

Try now for free

Build your policy
Security Catapult

Build your policy

Say goodbye to maintaining a security policy. We do it for you.

Try now for free

Discussion From Source

DRAFT NIST SP 800-171 R2 Tracking and documenting system security incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics, evaluating incident details, trends, and handling . Incident information can be obtained from a variety of sources including incident reports, incident response teams, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports. Reporting incidents addresses specific incident reporting requirements within an organization and the formal incident reporting requirements for the organization. Suspected security incidents may also be reported and include the receipt of suspicious email communications that can potentially contain malicious code. The types of security incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, Executive Orders, directives, regulations, and policies.

References