NIST 800-53 REV 5 • INCIDENT RESPONSE

IR-6 Incident Reporting

Require personnel to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }}; and report incident information to {{ insert: param, ir-06_odp.02 }}.

Supplemental Guidance

The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Incident information can inform risk assessments, control effectiveness assessments, security requirements for acquisitions, and selection criteria for technology products.

Practitioner Notes

Everyone in your organization needs to know how and where to report a suspected security incident. Reporting must happen quickly — delays give attackers more time to cause damage.

Example 1: Create a clearly visible 'Report a Security Incident' button on your company intranet that opens a simple form or sends an email to your security team distribution list. Train all employees during onboarding on how to use it. Set a policy requiring reports within one hour of discovery.

Example 2: If you are a defense contractor, configure your incident reporting process to meet DFARS 252.204-7012 requirements — report cyber incidents to DIBCNET within 72 hours. Create a checklist of required information for the report and keep it in your IR plan for quick reference during an active incident.