NIST 800-171 | INCIDENT RESPONSE

Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations

Safeguarding Controlled Unclassified Information (CUI) when working with a federal customer is critical to federal agencies and can directly impact your business. NIST SP 800-171 provides recommended minimal controls for protecting CUI. The requirements apply to all of the non-federal systems that process, store, or transmit CUI, or provide security protection for such components.

Requirements are specifically broken out into "Families" with sub-requirements underneath each family.

Incident Response

3.6.1 Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities.

Organizations recognize that incident handling capability is dependent on the capabilities of organizational systems and the mission/business processes being supported by those systems.

Organizations consider incident handling as part of the definition, design, and development of mission/business processes and systems.

Incident-related information can be obtained from a variety of sources

As part of user response activities, incident response training is provided by organizations and is linked directly to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training.

Incident response training includes user training in the identification/reporting of suspicious activities from external and internal sources.

NIST Special Publication 800-61 provides guidance on incident handling.

NIST Special Publications 800-86 and 800-101 provide guidance on integrating forensic techniques into incident response

3.6.2 Track, document, and report incidents to appropriate officials and/or authorities both internal and external to the organization.

Tracking and documenting system security incidents includes

• Maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics

• Evaluating incident details, trends, and handling

Incident information can be obtained from a variety of sources including

• Incident reports

• Incident response teams

• Audit monitoring

• Network monitoring

• Physical access monitoring

• User/administrator reports

Reporting incidents addresses specific incident reporting requirements within an organization and the formal incident reporting requirements for the organization.

Suspected security incidents may also be reported and include, for example, the receipt of suspicious email communications that can potentially contain malicious code.

NIST Special Publication 800-61 provides guidance on incident handling

3.6.3 Test the organizational incident response capability.

Organizations test incident response capabilities to determine the overall effectiveness of the capabilities and to identify potential weaknesses or deficiencies.

Incident response testing includes

• The use of checklists

• Walk-through or tabletop exercises

• Simulations

• Comprehensive exercises

Incident response testing can also include:

• Determination of the effects on organizational operations

• Organizational assets

• Individuals due to incident response.

NIST Special Publication 800-84 provides guidance on testing programs for information technology capabilities.

For further Information and Demo, please contact us: