3.6.1

Requirement

Implement an incident-handling capability that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery.

Discussion

Incident-related information can be obtained from a variety of sources, including audit monitoring, network monitoring, physical access monitoring, user and administrator reports, and reported supply chain events. An effective incident handling capability involves coordination among many organizational entities, including mission and business owners, system owners, human resources offices, physical and personnel security offices, legal departments, operations personnel, and procurement offices.

NIST 800-171A r3 Assessment Guidance

Examine

[SELECT FROM: incident response policy and procedures; contingency planning policy and procedures; procedures for incident handling; procedures for incident response planning; incident response plan; contingency plan; records of incident response plan reviews and approvals; system security plan; other relevant documents or records]
Interview

[SELECT FROM: incident handling capability for the organization; incident response plan]
Test

[SELECT FROM: personnel with incident handling responsibilities; personnel with incident response planning responsibilities; personnel with contingency planning responsibilities; personnel with information security responsibilities]

ID	Assessment Objectives
A.03.06.01[01]	an incident-handling capability that is consistent with the incident response plan is implemented.
A.03.06.01[02]	the incident handling capability includes preparation.
A.03.06.01[03]	the incident handling capability includes detection and analysis.
A.03.06.01[04]	the incident handling capability includes containment.
A.03.06.01[05]	the incident handling capability includes eradication.
A.03.06.01[06]	the incident handling capability includes recovery.

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!