CMMC Practice IR.5.108

Establish and maintain a cyber incident response team that can investigate an issue physically or virtually at any location within 24 hours.


CMMC Version 1.02, pg. 161

Bold Coast Security Guidance

DEpending on the size of your organization, your Incident Response Team will likely have a very different look representing a cross-section of employees in your organization who will respond to an incident in a holistic manner. This guidance refers to a specialized skill set which is necessary to react quickly to an incident. If you have funded and manned a SOC, it is prudent to ensure the SOC members have the required training to carry out the appropriate response activities. If you are using a third party, validate their response capabilities in your organization. You can also directly enter into a contract with a information security firm who specializes in response and forensic activities. If your are attaining a Level 5 maturity certification, by now you have also investigated and likely purchased cyber-insurance. All major insurance companies have partnered with the top information security forensic firms to assist their clients.

Discussion From Source

DRAFT NIST SP 800-171B A cyber incident response team (CIRT) is a team of experts that assesses, documents, and responds to cyber incidents so that organizational systems can recover quickly and implement the necessary controls to avoid future incidents. CIRT personnel typically include forensic analysts, malicious code analysts, systems security engineers, and real-time operations personnel. The incident handling capability includes performing rapid forensic preservation of evidence and analysis of and response to intrusions. The team members may or may not be full-time but need to be available to respond in the time period required. The size and specialties of the team are based on known and anticipated threats. The team is typically pre-equipped with the software and hardware (e.g., forensic tools) necessary for rapid identification, quarantine, mitigation, and recovery, and is familiar with how to preserve evidence and maintain chain of custody for law enforcement or counterintelligence uses. For some organizations the CIRT can be implemented as a cross organizational entity or as part of the Security Operations Center (SOC).