Incident Response Information Collection CMMC

What information should you collect when a cybersecurity incident occurs? What are your CMMC Incident Response Requirements?

It is important for organizations to collect information on cybersecurity incidents. Here is what they should be collecting.


Collect Contact Information for your Incident Report

You need to be collecting the contact information of incident reporters and handlers.
  • Name of the person who reported the incident
  • Name of the person(s) who is handling the incident
  • Role/Title of the person who reported the incident
  • Role/Title of the person(s) who is handling the incident
  • Department/Team of the person who reported the incident
  • Department/Team of the person who is handling the incident
  • Email and phone of the person who reported the incident
  • Email and phone of the person who is handling the incident
  • Location (Office) of the person who reported the incident
  • Location (Office) of the person who is handling the incident

Collect Important Details on the Incident

  • Status change date/timestamps (including time zone): when the incident started, when the incident was discovered/detected, when the incident was reported, when the incident was resolved/ended, etc.
  • Physical location of the incident (e.g., office location, city, state)
  • Current status of the incident (e.g., ongoing attack)
  • Source/cause of the incident (if known), including hostnames and IP addresses
  • Description of the incident (e.g., how it was detected, what occurred)
  • Description of affected resources (e.g., networks, hosts, applications, data), including systems’ hostnames, IP addresses, and function
  • If known, incident category, vectors of attack associated with the incident, and indicators related to the incident (traffic patterns, registry keys, etc.)
  • Prioritization factors (functional impact, information impact, recoverability, etc.)
  • Mitigating factors (e.g., stolen laptop containing sensitive data was using full disk encryption)
  • Response actions performed (e.g., shut off host, disconnected host from network)
  • Other organizations contacted (e.g., software vendor)
  • Summary of the incident
  • Incident handling actions
  • List of evidence gathered
  • Cause of the Incident (e.g., misconfigured application, unpatched host)
  • Business Impact of the Incident
  • Cost of the Incident
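As an added example (not part of the original post, and not a CMMC- or NIST-prescribed schema), the record below captures the contact and incident fields from the two checklists above and validates them before the report is filed: every status-change timestamp must carry a time zone, the timestamps must be in chronological order, a record with a resolved time cannot still be marked ongoing, affected hosts need a parseable IP address so they can later be matched against logs, and at least one handler must be assigned. The dataclass layout, field names, and the sample incident are assumptions constructed for the example.

```python
"""Incident record mirroring the checklist fields, with a validator and a
UTC-normalized JSON export. Added example; the layout is an assumption, not a
CMMC or NIST prescribed schema."""
from __future__ import annotations

import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address
from typing import Optional


@dataclass
class Contact:
    """Reporter or handler details: name, role/title, department, email, phone, office."""
    name: str
    role: str
    department: str
    email: str
    phone: str
    location: str


@dataclass
class AffectedResource:
    hostname: str
    ip: str
    function: str  # e.g. "engineering workstation"


@dataclass
class IncidentRecord:
    reporter: Contact
    handlers: list[Contact]
    started: datetime
    detected: datetime
    reported: datetime
    resolved: Optional[datetime]
    physical_location: str
    status: str  # "ongoing", "contained" or "resolved"
    description: str
    affected_resources: list[AffectedResource]
    source_indicators: list[str] = field(default_factory=list)  # hostnames / IPs, if known
    category: Optional[str] = None
    prioritization: dict[str, str] = field(default_factory=dict)
    mitigating_factors: list[str] = field(default_factory=list)
    response_actions: list[str] = field(default_factory=list)
    organizations_contacted: list[str] = field(default_factory=list)
    evidence: list[str] = field(default_factory=list)
    cause: Optional[str] = None
    business_impact: Optional[str] = None
    cost_usd: Optional[float] = None


TIMESTAMP_FIELDS = ("started", "detected", "reported", "resolved")


def _is_aware(ts: datetime) -> bool:
    return ts.tzinfo is not None and ts.tzinfo.utcoffset(ts) is not None


def validate(rec: IncidentRecord) -> list[str]:
    """Return the list of problems found; an empty list means the record can be filed."""
    problems: list[str] = []
    aware: dict[str, datetime] = {}
    # 1. Every timestamp needs a time zone, or handlers in different offices
    #    cannot reconstruct the sequence of events.
    for name in TIMESTAMP_FIELDS:
        ts = getattr(rec, name)
        if ts is None:
            continue
        if _is_aware(ts):
            aware[name] = ts
        else:
            problems.append(f"{name}: timestamp has no time zone")
    # 2. Status changes must be chronological (only aware values compare safely).
    order = [n for n in TIMESTAMP_FIELDS if n in aware]
    for earlier, later in zip(order, order[1:]):
        if aware[later] < aware[earlier]:
            problems.append(f"{later} ({aware[later].isoformat()}) is before {earlier}")
    # 3. A resolved timestamp contradicts an "ongoing" status.
    if rec.resolved is not None and rec.status == "ongoing":
        problems.append("status is 'ongoing' but a resolved timestamp is set")
    # 4. Affected hosts need a parseable IP so they can be matched against logs.
    for res in rec.affected_resources:
        try:
            ip_address(res.ip)
        except ValueError:
            problems.append(f"affected resource {res.hostname!r}: invalid IP {res.ip!r}")
    # 5. Someone must own the incident.
    if not rec.handlers:
        problems.append("no incident handler recorded")
    return problems


def to_json(rec: IncidentRecord) -> str:
    """Serialize the record with every timestamp normalized to UTC ISO-8601."""
    def convert(obj):
        if isinstance(obj, datetime):
            return obj.astimezone(timezone.utc).isoformat()
        raise TypeError(f"not serializable: {type(obj).__name__}")
    return json.dumps(asdict(rec), default=convert, indent=2)


# Constructed sample incident: names, hosts, addresses and times are made up.
EASTERN = timezone(timedelta(hours=-5))  # fixed offset standing in for the reporter's local zone
SAMPLE = IncidentRecord(
    reporter=Contact("A. Reporter", "Help Desk Analyst", "IT", "a.reporter@example.com", "+1-555-0100", "Main Office"),
    handlers=[Contact("B. Handler", "Incident Responder", "Security", "b.handler@example.com", "+1-555-0101", "Main Office")],
    started=datetime(2024, 3, 4, 8, 15, tzinfo=EASTERN),
    detected=datetime(2024, 3, 4, 9, 2, tzinfo=EASTERN),
    reported=datetime(2024, 3, 4, 9, 10, tzinfo=EASTERN),
    resolved=None,
    physical_location="Main Office, Springfield, IL",
    status="ongoing",
    description="EDR alert on an engineering workstation; host isolated pending analysis.",
    affected_resources=[AffectedResource("eng-ws-17", "10.20.30.17", "engineering workstation")],
    source_indicators=["203.0.113.45"],
    category="malware",
    prioritization={"functional_impact": "low", "information_impact": "medium", "recoverability": "regular"},
    response_actions=["disconnected host from network", "preserved memory image"],
    evidence=["memory image of eng-ws-17 (sha256: <placeholder>)"],
)

if __name__ == "__main__":
    print(validate(SAMPLE) or "record is complete")
    print(to_json(SAMPLE))
```

Running `validate` before filing catches the two mistakes that most often make a report unusable later: a naive local timestamp that cannot be placed against UTC-stamped logs, and an out-of-order timeline. The exported JSON keeps the original fields but normalizes times to UTC so records from different offices line up.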

Cybersecurity Maturity Model Certification (CMMC) Incident Response Requirements:

Companies with level 2 or higher CMMC requirements will need to have an incident response capability in place. This includes detecting and responding to incidents, analyzing incidents, reporting incidents to relevant third parties (such as the DoD), testing incident response capabilities, and having plans in place to deal with common incidents.
If you would like more information on your cybersecurity maturity model certification (CMMC) related requirements reach out to us at info@lakeridge.io.