CMMC Practice IR.5.102

Use a combination of manual and automated, real-time responses to anomalous activities that match incident patterns.


CMMC Version 1.02, pg. 160

Bold Coast Security Guidance

You may have already defined your manual processes in your Incident Response Plan procedures for specific events. This practice adds automated scripts that take immediate action when defined thresholds are met. Document each of these scripts for future reference and review them as part of every post-incident review, noting whether or not they worked. Many cloud-based solutions already offer automated response actions that are ready to be turned on. BE CAREFUL that you do not inadvertently cause a denial of service against yourself!
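The following is an added example, written for this guidance page and not taken from CMMC or from Bold Coast Security, of the kind of threshold-triggered automated response the practice describes, together with the guardrails that keep it from becoming a self-inflicted denial of service. It watches for a simple incident pattern (repeated failed logins from one source within a time window) and either blocks the source automatically or escalates it to a human. The log lines, the threshold (3 failures in 60 seconds), the auto-block cap (2 per run) and the protected 10.0.0.0/8 range are all constructed assumptions; the blocking action itself is a pluggable callable that defaults to a dry run, so the script records what it would have done without touching any firewall.

```python
"""Threshold-triggered automated response with guardrails (added example)."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd-style log lines; not from any real system.
SAMPLE_LOG = """\
2024-01-15T10:00:01Z sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 4021 ssh2
2024-01-15T10:00:05Z sshd[812]: Failed password for root from 203.0.113.7 port 4022 ssh2
2024-01-15T10:00:10Z sshd[813]: Failed password for invalid user test from 203.0.113.7 port 4023 ssh2
2024-01-15T10:01:00Z sshd[820]: Failed password for jdoe from 10.1.2.3 port 50110 ssh2
2024-01-15T10:01:02Z sshd[821]: Failed password for jdoe from 10.1.2.3 port 50111 ssh2
2024-01-15T10:01:04Z sshd[822]: Failed password for jdoe from 10.1.2.3 port 50112 ssh2
2024-01-15T10:02:00Z sshd[830]: Failed password for asmith from 198.51.100.9 port 6001 ssh2
2024-01-15T10:02:10Z sshd[831]: Failed password for root from 203.0.113.50 port 7001 ssh2
2024-01-15T10:02:11Z sshd[832]: Failed password for root from 203.0.113.50 port 7002 ssh2
2024-01-15T10:02:12Z sshd[833]: Failed password for root from 203.0.113.50 port 7003 ssh2
2024-01-15T10:02:20Z sshd[840]: Failed password for root from 203.0.113.99 port 8001 ssh2
2024-01-15T10:02:21Z sshd[841]: Failed password for root from 203.0.113.99 port 8002 ssh2
2024-01-15T10:02:22Z sshd[842]: Failed password for root from 203.0.113.99 port 8003 ssh2
2024-01-15T10:03:00Z sshd[850]: Failed password for asmith from 198.51.100.9 port 6002 ssh2
2024-01-15T10:04:00Z sshd[851]: Failed password for asmith from 198.51.100.9 port 6003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for .* from (?P<ip>[0-9.]+) port \d+"
)

# Assumed policy values; a real deployment takes these from the documented IR procedure.
FAIL_THRESHOLD = 3      # failures from one source that match the "brute force" pattern
WINDOW_SECONDS = 60     # sliding window the failures must fall within
MAX_AUTO_BLOCKS = 2     # circuit breaker: automated blocks allowed per run before escalating
PROTECTED = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal/VPN range: never auto-blocked


def parse_line(line):
    """Return (epoch_seconds, source_ip) for a failed-login line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00")).timestamp()
    return ts, m["ip"]


def run_responder(log_text, block_fn=None):
    """Process log_text in order and return the response records produced.

    block_fn is the side-effecting action (e.g. a firewall API call). Left as
    None, the run is a dry run that only records the decision for review.
    """
    failures = defaultdict(deque)   # source ip -> failure timestamps inside the window
    decided = set()                 # sources already acted on this run
    records = []                    # audit trail for the post-incident review
    auto_blocks = 0
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip in decided:
            continue
        window = failures[ip]
        window.append(ts)
        while ts - window[0] > WINDOW_SECONDS:   # drop failures older than the window
            window.popleft()
        if len(window) < FAIL_THRESHOLD:
            continue
        # Incident pattern matched: decide between automated and manual handling.
        decided.add(ip)
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in PROTECTED):
            action, reason = "escalate", "source in protected range; manual review required"
        elif auto_blocks >= MAX_AUTO_BLOCKS:
            action, reason = "escalate", "auto-block limit reached; manual review required"
        else:
            action, reason = "block", f"{FAIL_THRESHOLD} failures within {WINDOW_SECONDS}s"
            auto_blocks += 1
            if block_fn is not None:
                block_fn(ip)
        records.append({"ip": ip, "action": action, "reason": reason, "at": line.split()[0]})
    return records


if __name__ == "__main__":
    for rec in run_responder(SAMPLE_LOG):
        print(f"{rec['at']} {rec['action']:8} {rec['ip']:15} {rec['reason']}")
```

In the constructed log, 203.0.113.7 and 203.0.113.50 cross the threshold and are blocked automatically; 10.1.2.3 crosses it too but sits in the protected range, so it is escalated rather than blocked; 203.0.113.99 is escalated because the per-run block cap has already been reached; and 198.51.100.9 never has three failures inside any 60-second window, so nothing happens. The returned records are the artifact to keep for the post-incident review the guidance calls for.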

Discussion From Source

CMMC Response activities are necessary because the defenders of an organization’s information technology tend to be at a disadvantage compared to the attacker. Defenders must maintain awareness of the latest vulnerabilities, be aware of the vulnerabilities in the organization, have the vulnerabilities remediated, and respond if an attacker finds a vulnerability before it is remediated. Once a vulnerability is discovered, the attacker tends to operate faster than a defender can match. To reduce the time to mitigate, an organization should have plans in place to mitigate an attack. Plans must comprehensively cover both manual and automated responses.