• Requirement

    a. Require personnel to report suspected incidents to the organizational incident response capability within [Assignment: organization-defined time period]; and
    b. Report incident information to [Assignment: organization-defined authorities].

  • Discussion

    The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Incident information can inform risk assessments, control effectiveness assessments, security requirements for acquisitions, and selection criteria for technology products.

More Info

  • Title

    Incident Reporting
  • Family

    Incident Response
  • Related NIST 800-53 ID


CMMC Training

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!