This blog is the fifth in a 15-part blog series, discussing each domain in Cybersecurity Maturity Model Certification (CMMC). In this blog, we will explore the CMMC domain, Incident Response.
The Incident Response (IR) domain covers how your organization responds to incidents and the need to establish an operational incident-handling capability.
We will be exploring Incident Response in the following manner:
Incident Response focuses on establishing incident handling, incident reporting, and Incident Response Testing. Putting systems in place that support incident management is important, and keeping them up to date and robust is also part of this domain's practices.
For CMMC 2.0, there are no Level 1 practices for the Incident Response domain. There are three practices for Level 2. For CMMC Level 3, the IR practices are yet to be determined.
We will break each of these down to get a better understanding of them:
Your organization needs to be prepared for security incidents. The goal is to prevent them, but eventually something will happen, and your organization's ability to handle such incidents effectively is vital.
You must establish an operational incident-handling capability for your organizational systems that includes (but is not limited to) preparation, detection, analysis, containment, recovery, and user response activities. Incident handling includes:
An effective incident-handling capability requires coordination across your organization, meaning every department, not just IT or security.
An effective Incident Response program also requires incident reporting, and much of this depends on your users. Employees must know how to track, document, and report incidents to the designated officials inside your organization and, where required, to authorities outside it. This means monitoring and documenting every security incident, including its status, details, and outcome. That information must be readily available to the people it has to be reported to; for external reporting, this means contacting the proper authorities.
Once your organization has a proper Incident Response capability in place, it is crucial to test it periodically to confirm it works. Incidents do not happen every day, and it is better if they don't, but that is no reason not to exercise the capabilities you have in place and verify how they perform when an incident does occur. Testing these capabilities will include:
Incident Response Testing allows you to validate existing plans and identify weaknesses or deficiencies in your capabilities before a real incident exposes them.
The Incident Response domain covers the incident handling, incident reporting, and Incident Response Testing practices. The focus is on ensuring your organization, its personnel, and its systems can respond to incidents quickly and effectively, and on the need to test these capabilities regularly.
For CMMC Level 1, your organization has nothing to do for this domain, as there are no IR practices.
For CMMC Level 2, there are three practices: incident handling, incident reporting, and Incident Response Testing.
Here are some suggestions on where to look for Incident Response within your organization:
For CMMC Level 3, the IR practices are yet to be determined.