CMMC Practice IR.3.098
Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.
Bold Coast Security Guidance
Your Incident Response Plan should note who is in charge of communications. This may be different individuals for internal and external parties.
You may also want to define who must approve communications with external parties such as the press, law enforcement, or customers. You may need to remind your staff during an incident that posting information to social media, or emailing family and friends details about the incident, is not permitted.
If you have contractual agreement for notification or legal requirements, it is helpful to save the timeliness requirements and points of contact in your Incident Response Plan. You should also note any internal parties such as a board of directors who must be notified, and in what time frame.
We recommend developing some templates for internal/external communications ahead of time.
DRAFT NIST SP 800-171 R2
Tracking and documenting system security incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for
forensics, evaluating incident details, trends, and handling . Incident information can be obtained from a variety of sources including incident reports, incident response teams, audit
monitoring, network monitoring, physical access monitoring, and user/administrator reports. Reporting incidents addresses specific incident reporting requirements within an
organization and the formal incident reporting requirements for the organization. Suspected security incidents may also be reported and include the receipt of suspicious email communications that can potentially contain malicious code. The types of security incidents reported, the content and timeliness of the reports, and the designated reporting
authorities reflect applicable laws, Executive Orders, directives, regulations, and policies.