NIST Special Publication 800-171 Revision 2
Date Published: January 28th, 2021
Withdrawn on May 14, 2024. Superseded by SP 800-171 Rev. 3
Author(s): Ron Ross (NIST), Victoria Pillitteri (NIST), Kelley Dempsey (NIST), Mark Riddle (NARA), Gary Guissanie (IDA)
Note: A Class Deviation is in effect as of May 2, 2024 (DEVIATION 2024O0013). The deviation clause requires contractors, who are subject to 252.204-7012, to comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2, instead of the version of NIST SP 800-171 in effect at the time the solicitation is issued or as authorized by the contracting officer. Click Here
AC-3.6.2 Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.
Control Family: Incident Response
Control Type: Basic
SPRS Value: 5
SPRS Supplemental Guidance:
N/A
CMMC Level(s):
IR.L2-3.6.2
Top Ten Failed Requirement:
No
Referenced in:
DFARS 252.204-7012
Derived From: NIST SP 800-53r4
IR-2
IR-4
IR-5
IR-6
IR-7
NIST Supplemental Guidance:
[SP 800-61]
Discussion:
Tracking and documenting system security incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics, evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources including incident reports, incident response teams, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports.
This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-171r2
Reporting incidents addresses specific incident reporting requirements within an organization and the formal incident reporting requirements for the organization. Suspected security incidents may also be reported and include the receipt of suspicious email communications that can potentially contain malicious code. The types of security incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, Executive Orders, directives, regulations, and policies.
[SP 800-61] provides guidance on incident handling.
Upon assessment, assessors must determine if-
3.6.2[a] incidents are tracked.
3.6.2[b] incidents are documented.
3.6.2[c] authorities to whom incidents are to be reported are identified.
3.6.2[d] organizational officials to whom incidents are to be reported are identified.
3.6.2[e] identified authorities are notified of incidents.
3.6.2[f] identified organizational officials are notified of incidents
Assessors are instructed to-
Examine: [SELECT FROM: Incident response policy; procedures addressing incident monitoring; incident response records and documentation; procedures addressing incident reporting; incident reporting records and documentation; incident response plan; system security plan; other relevant documents or records].
Interview: [SELECT FROM: Personnel with incident monitoring responsibilities; personnel with incident reporting responsibilities; personnel who have or should have reported incidents; personnel (authorities) to whom incident information is to be reported; personnel with information security responsibilities].
Test: [SELECT FROM: Incident monitoring capability for the organization; mechanisms supporting or implementing tracking and documenting of system security incidents; organizational processes for incident reporting; mechanisms supporting or implementing incident reporting].