CMMC Practice IR.3.098

Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.


CMMC Version 1.02, pg. 151

Bold Coast Security Guidance

Your Incident Response Plan should note who is in charge of communications. This may be different individuals for internal and external parties. You may also want to define who must approve communications with external parties such as the press, law enforcement, or customers. You may need to remind your staff during an incident that posting information to social media, or emailing family and friends details about the incident, is not permitted. If you have contractual agreements for notification or legal requirements, it is helpful to record the timeliness requirements and points of contact in your Incident Response Plan. You should also note any internal parties, such as a board of directors, who must be notified, and in what time frame. We recommend developing some templates for internal and external communications ahead of time.

Discussion From Source

DRAFT NIST SP 800-171 R2: Tracking and documenting system security incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics, evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources including incident reports, incident response teams, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports. Reporting incidents addresses specific incident reporting requirements within an organization and the formal incident reporting requirements for the organization. Suspected security incidents may also be reported and include the receipt of suspicious email communications that can potentially contain malicious code. The types of security incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, Executive Orders, directives, regulations, and policies.