Five objectives of the CMMC Incident Response Domain

By Ken Michael

One of the priority components of any business is an incident response plan (IRP). While this is common in larger companies, it is now being required for organizations of every size that are seeking Cybersecurity Maturity Model Certification (CMMC) in order to contract with the United States Department of Defense (DoD), the National Aeronautics and Space Administration (NASA), and other government organizations.

In this blog, Dox Electronics takes a closer look at incident response and how it relates to the CMMC. Here are some of the major requirements of the CMMC and what businesses need to know and implement now.

Incident Response

The CMMC has been broken down into appendices that detail what is required. One of those is B.9, Incident Response. This section defines a cybersecurity event as “Any observable occurrence that affects organizational assets and has the potential to disrupt operations. A cybersecurity incident is an event or series of events that significantly affects or could significantly affect organizational assets and services and requires the organization (and possibly other stakeholders) to respond in some way to prevent or limit adverse impacts.”

The CMMC is broken into five levels of certification with Level 1 requiring the fewest cybersecurity standards and Level 5 requiring the highest standards. Within the incident response domain of the CMMC are five objectives. Those objectives are as follows:
  • Plan Incident Response
  • Detect and Report Events
  • Develop and Implement a Response to a Declared Incident
  • Perform Post Incident Reviews
  • Test Incident Response
Under each of the five objectives are practices for incident response at each level of the CMMC. As the levels progress upward, the practices required for incident response include those of the lower levels along with additional practices.

Plan Incident Response

The best response to an incident is often dependent on proper advance planning. This means establishing, defining, and staffing incident management capabilities within your organization and outlining what actions are to be taken to prevent and/or contain the impact of an incident.

The nature of an incident will determine the range, scope, and breadth of your organization’s response. For example, an attempted attack that is easily identified and addressed before any damage can be done may simply require an email to users warning them to avoid opening specific types of email messages. With more serious events, your company may need to implement service continuity plans that require relocation of services and operations to an off-site provider such as in the event of a natural disaster. In other words, your business will need to be prepared to address a wide range of potential events as part of its incident response plan.

At Level 1, there are currently no practices for the Incident Response domain. At Level 2 of the CMMC, organizations must “establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.”

In other words, you must have an incident response plan in place prior to achieving CMMC certification. The incident response plan must include audit monitoring, network monitoring, physical access monitoring, user and administrator reports, and reported supply chain events. These are all achievable by employing security information and event management (SIEM) software and implementing a security operations center (SOC). Information technology (IT) service providers such as Dox Electronics can assist businesses with selecting and deploying both a SIEM and a SOC to meet CMMC incident response requirements.

Furthermore, the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-61 provides guidance on incident handling, while NIST SP 800-86 and NIST SP 800-101 provide guidance on integrating forensic techniques into your incident response. Guidance on supply chain risk management is outlined in NIST SP 800-161. Incident handling should include activities that prepare your organization for its response to incidents, including:
  • Identifying people inside and outside your organization you may need to contact during an incident.
  • Establishing a way to report incidents such as an email address or phone number people can contact.
  • Establishing a system for tracking incidents.
  • Determining a place and means of storing evidence of an incident.
Dox Electronics can recommend software and hardware to analyze incidents as they occur. Your business should also have an incident handling team available to address incidents when they do happen. All staff should be trained in incident prevention on an ongoing basis from onboarding to regular training sessions.

Detect and Report Events

The CMMC requires that every network be able to detect all observable occurrences. This can be accomplished in several ways such as notification of breakdowns in processes or loss in productivity, alarms and alerts, notifications from other organizations, and through regular audits and assessments.

In addition to detecting incidents, your organization will also need to be able to manage incidents with containment measures that stop damage to your network and assets. These may range from disconnecting a system from the internet to changing firewall settings to stop an attack.

Recovery activities should also be included to address the damage caused by incidents. This may include restoring backup data and reinstalling software. There also needs to be user responses including performing a lessons-learned analysis, deciding if police should be contacted, and updating policies and plans as part of the post-incident analysis.

Develop and Implement a Response to a Declared Incident

After an event is detected, your organization will need to determine if it will affect your assets or has the potential to disrupt operations. Event reports will need to be properly triaged to analyze and resolve the event.

Through triage, your incident response team will be able to determine whether the event was physical, technical, or both. The team will also determine whether the “event correlates to other events and in what order events should be addressed or assigned for incident declaration, handling, and response.” Finally, triage will also help you determine if the event needs to be escalated to other organizations such as the Department of Defense, local authorities, or the Federal Bureau of Investigation (FBI) for additional analysis and resolution.

By having incident response procedures in a written plan ahead of time, your company will have a guide for responding to all incidents. Responses should be set up to “prevent or contain the impact of an incident while it is occurring or shortly after.” Response actions might include:
  • Stopping or containing the damage (e.g. taking hardware or systems offline).
  • Communicating to users (e.g. advising them not to open specific types of emails).
  • Communicating to stakeholders (e.g. notifying corporate management of incidents).
  • Implementing controls (e.g. updating access control lists and applying the principle of least privilege).
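As an added illustration of the triage and record-keeping steps described above (this is not code from the post, from Dox Electronics, or from the CMMC itself), the following Python groups reported events into incidents by affected asset, classifies each incident as physical, technical, or both, and enforces the handling lifecycle from the Level 2 practice quoted earlier so that the record of each incident cannot skip a phase. The asset names, event sources, the 30-minute correlation window, and the escalation rule are all constructed assumptions for the example.

```python
# Added example: event triage and incident lifecycle tracking.
# Not the post's or CMMC's own code; sample data and rules below are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Handling phases, in order, following the Level 2 practice quoted in the post
# (preparation happens before any event, so the record starts at detection).
PHASES = ("detection", "analysis", "containment", "recovery", "user_response", "closed")
# Assumption: events on the same asset within 30 minutes belong to one incident.
CORRELATION_WINDOW = timedelta(minutes=30)


@dataclass
class Event:
    event_id: str
    timestamp: datetime
    source: str       # who reported it: "siem", "user_report", "badge_system", "supplier", ...
    asset: str        # affected system or location
    kind: str         # "physical" or "technical"
    description: str


@dataclass
class Incident:
    incident_id: str
    events: list = field(default_factory=list)
    status: str = "detection"
    history: list = field(default_factory=list)  # (timestamp, phase, note) records

    @property
    def nature(self) -> str:
        """'physical', 'technical', or 'both', derived from the correlated events."""
        kinds = {e.kind for e in self.events}
        return "both" if len(kinds) > 1 else next(iter(kinds))

    def advance(self, phase: str, note: str, at: datetime) -> None:
        """Move to the next lifecycle phase; skipping or reversing phases is refused."""
        expected = PHASES[PHASES.index(self.status) + 1]
        if phase != expected:
            raise ValueError(f"{self.incident_id}: cannot go from {self.status} to {phase}")
        self.status = phase
        self.history.append((at, phase, note))


def triage(events):
    """Order events oldest first, correlate by asset within the window, declare one incident per group."""
    incidents = []
    for ev in sorted(events, key=lambda e: e.timestamp):
        for inc in incidents:
            last = inc.events[-1]
            if last.asset == ev.asset and ev.timestamp - last.timestamp <= CORRELATION_WINDOW:
                inc.events.append(ev)
                break
        else:
            inc = Incident(incident_id=f"INC-{len(incidents) + 1:03d}")
            inc.events.append(ev)
            inc.history.append((ev.timestamp, "detection", f"declared from event {ev.event_id}"))
            incidents.append(inc)
    return incidents


def needs_external_escalation(inc: Incident) -> bool:
    """Assumed rule: escalate when the incident is both physical and technical, or a supplier reported it."""
    return inc.nature == "both" or any(e.source == "supplier" for e in inc.events)


# Constructed sample events for a single morning.
T0 = datetime(2021, 3, 1, 9, 0)
SAMPLE_EVENTS = [
    Event("E1", T0, "siem", "fileserver-01", "technical", "burst of failed logins"),
    Event("E2", T0 + timedelta(minutes=10), "user_report", "fileserver-01", "technical", "files renamed unexpectedly"),
    Event("E3", T0 + timedelta(minutes=15), "badge_system", "fileserver-01", "physical", "rack cage opened, no work order"),
    Event("E4", T0 + timedelta(hours=2), "supplier", "fileserver-01", "technical", "vendor reports tampered update"),
    Event("E5", T0 + timedelta(minutes=5), "user_report", "workstation-22", "technical", "suspicious email reported"),
]


def run_example():
    """Triage the sample events and walk one incident through its lifecycle."""
    incidents = triage(SAMPLE_EVENTS)
    phishing = incidents[1]  # the workstation-22 report
    phishing.advance("analysis", "confirmed phishing lure, no credentials entered", T0 + timedelta(minutes=20))
    phishing.advance("containment", "sender blocked, users warned", T0 + timedelta(minutes=25))
    try:
        phishing.advance("closed", "attempt to skip recovery", T0 + timedelta(minutes=26))
    except ValueError:
        pass  # refused, so the record cannot jump straight to closed
    return incidents


if __name__ == "__main__":
    for inc in run_example():
        print(inc.incident_id, inc.nature, inc.status,
              [e.event_id for e in inc.events], "escalate" if needs_external_escalation(inc) else "internal")
```

The correlation step is deliberately simple: it groups by asset and time only, which is the minimum needed to show how individual reports become a declared incident with an ordered history. A real deployment would correlate on more than the asset name, and the escalation rule would follow contract and legal requirements rather than the placeholder used here.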

Perform Post Incident Reviews

Post-incident review is a formal step in the incident closure process. Your business will need to conduct a formal examination of the cause(s) of the incident, ways it responded, and weaknesses or shortfalls that may have contributed to the incident occurring. These flaws may have occurred at the administrative, technical, or physical control levels.

Following an incident, your organization will need to analyze the events to determine what to do post-incident to shore up holes and address any losses. Performing a root-cause analysis can prevent similar incidents from occurring in the future. Options include using cause-and-effect diagrams and reviewing other processes that may have caused or aided the incident (e.g. change or configuration management).

After incidents are resolved, conduct reviews and identify lessons learned. Make improvements based on the outcome of your internal analysis. This may include updating your incident response plan or controls at various levels from administrative to physical security.

Additionally, at CMMC Level 3 and higher, your company will need to track and document system security incidents including maintenance of records about each incident, its status, and other pertinent information. This may include information about forensics, evaluation of incident details, attack trends, and how each incident was handled internally. This incident information can come from numerous sources from auditing and monitoring software to your incident response team. Suspected security incidents may also be reported to the designated authorities depending on local and federal laws, executive orders, contract requirements, regulations, policies, and other directives.

At Level 4 of CMMC, knowledge of attacker tactics, techniques, and procedures (TTPs) should also be used in incident response planning and execution. Such information can also come from third-party intelligence organizations, public sources, and government organizations.

Test Incident Response

All organizations should test their incident response capabilities in advance. This will determine how effective your response to an incident is and if there are potential deficiencies in your incident response plan that can be addressed up front.

Incident response testing can include some or all of the following:
  • Checklists
  • Tabletop or walk-through exercises with staff
  • Simulations (parallel and full interruption of services)
  • Comprehension exercises
Testing of your company’s incident response plan should also include a determination of the effects on organizational operations, from the impact on assets to a reduction in productivity. Such testing validates your existing incident response plan and identifies security gaps. Tests should work toward answering questions such as what happens during an incident, who is responsible for incident management, what tasks are assigned within the IT organization, what support is needed from outside agencies, and how resources are obtained.

“Any negative impacts to the normal day-to-day mission when responding to an incident should also be identified and documented,” according to the CMMC appendices on incident response.

Ultimately, incident response is a complete, multi-tiered process to reduce the risks and manage the consequences of security breaches and cyberattacks. The majority of the process consists of identification, containment, eradication, and recovery of any incident. Each organization should have an identified central hub for documenting and storing incident information from identification to response.

For more information about incident response related to CMMC or developing a strong incident response plan for your business, contact Dox Electronics at (585) 473-7766. The call and initial consultation are free and there’s no obligation.