NIST 800-171 • LEVEL 2 • INCIDENT RESPONSE

3.6.2 Incident Monitoring, Reporting, and Response Assistance

Track and document system security incidents. Report suspected incidents to the organizational incident response capability within {{ insert: param, A.03.06.02.ODP.01 }}. Report incident information to {{ insert: param, A.03.06.02.ODP.02 }}. Provide an incident response support resource that offers advice and assistance to system users on handling and reporting incidents.

Assessment Objectives

  • system security incidents are tracked.
  • system security incidents are documented.
  • suspected incidents are reported to the organizational incident response capability within {{ insert: param, A.03.06.02.ODP.01 }}.
  • incident information is reported to {{ insert: param, A.03.06.02.ODP.02 }}.
  • an incident response support resource that offers advice and assistance to system users on handling and reporting incidents is provided.

Practitioner Notes

When a security incident happens, you need to track it from start to finish: what happened, when, what systems were affected, who responded, and what the outcome was. You also need to report incidents up the chain promptly, both internally and to external parties if required (for CMMC, that includes DIBCAC).

Example 1: Use a ticketing system (Jira, ServiceNow, or even a dedicated tool like TheHive) to log every security incident. Create an "Incident" ticket type with required fields: date/time detected, affected systems, severity level, current status, and assigned responder. For CMMC compliance, document that cyber incidents involving CUI must be reported to DIBCAC at https://dibnet.dod.mil within 72 hours of discovery.
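A check for the required ticket fields and the 72-hour window described in Example 1, added here as an illustration and not taken from any ticketing product. The key names (`detected_at`, `involves_cui`, `reported_externally_at` and the rest) and the sample tickets are constructed, and the detection time is assumed to be the discovery time.

```python
from datetime import datetime, timedelta, timezone

# Required fields from the "Incident" ticket type in Example 1 (key names are hypothetical).
REQUIRED_FIELDS = ("detected_at", "affected_systems", "severity", "status", "responder")
REPORT_WINDOW = timedelta(hours=72)  # external reporting window stated in Example 1


def review_incident(ticket, now):
    """Return findings for one ticket; an empty list means nothing to chase."""
    findings = [f"missing field: {name}" for name in REQUIRED_FIELDS if not ticket.get(name)]
    detected = ticket.get("detected_at")
    if ticket.get("involves_cui") and detected:
        # Assumption: the detection timestamp is the moment of discovery.
        deadline = datetime.fromisoformat(detected) + REPORT_WINDOW
        reported = ticket.get("reported_externally_at")
        if reported:
            if datetime.fromisoformat(reported) > deadline:
                findings.append("external report filed after the 72-hour deadline")
        elif now > deadline:
            findings.append("72-hour external report overdue")
        else:
            hours_left = (deadline - now).total_seconds() / 3600
            findings.append(f"external report due in {hours_left:.1f}h")
    return findings


# Constructed sample tickets (not real incidents); timestamps are ISO 8601 with UTC offset.
SAMPLE_TICKETS = [
    {"id": "IR-1", "detected_at": "2024-05-01T09:00:00+00:00", "affected_systems": ["fs01"],
     "severity": "high", "status": "contained", "responder": "jdoe",
     "involves_cui": True, "reported_externally_at": "2024-05-02T10:00:00+00:00"},
    {"id": "IR-2", "detected_at": "2024-05-01T09:00:00+00:00", "affected_systems": ["ws17"],
     "severity": "medium", "status": "open", "responder": "", "involves_cui": True},
    {"id": "IR-3", "detected_at": "2024-05-03T12:00:00+00:00", "affected_systems": ["vpn01"],
     "severity": "low", "status": "open", "responder": "asmith", "involves_cui": True},
]
SAMPLE_NOW = datetime(2024, 5, 5, 9, 0, tzinfo=timezone.utc)  # fixed clock for repeatable output


def review_all(tickets, now):
    """Map ticket id -> findings, keeping only tickets that need attention."""
    results = {t["id"]: review_incident(t, now) for t in tickets}
    return {tid: f for tid, f in results.items() if f}


if __name__ == "__main__":
    for ticket_id, findings in review_all(SAMPLE_TICKETS, SAMPLE_NOW).items():
        print(ticket_id, "; ".join(findings))
```

Run on a schedule against an export of open tickets, the overdue and due-soon findings give the responder a queue to work from before the reporting window closes.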

Example 2: Stand up an internal reporting channel — a dedicated email alias like security@yourcompany.com and a page on your intranet with simple instructions for employees: "If you see something suspicious, email security@ or call ext. 5555." In M365, you can create a shared mailbox under Admin Center > Teams & Groups > Shared Mailboxes and grant access to your IR team. This provides the "incident response support resource" the practice requires.