IR 6 INCIDENT REPORTING - NIST-SP-800-53-R5/NIST-SP-800-53-R5.github.io GitHub Wiki

Control:

• a. Require personnel to report suspected incidents to the organizational incident response capability within [ Assignment: organization-defined time period ]; and
• b. Report incident information to [ Assignment: organization-defined authorities ].

Discussion: The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Incident information can inform risk assessments, control effectiveness assessments, security requirements for acquisitions, and selection criteria for technology products.

Related Controls: CM-6, CP-2, IR-4, IR-5, IR-8, IR-9.

Control Enhancements:

• (1) INCIDENT REPORTING | AUTOMATED REPORTING
  Report incidents using [ Assignment: organization-defined automated mechanisms ].

  Discussion: The recipients of incident reports are specified in IR-6b. Automated reporting mechanisms include email, posting on websites (with automatic updates), and automated incident response tools and programs.

  Related Controls: IR-7.

• (2) INCIDENT REPORTING | VULNERABILITIES RELATED TO INCIDENTS
  Report system vulnerabilities associated with reported incidents to [ Assignment: organization-defined personnel or roles ].

  Discussion: Reported incidents that uncover system vulnerabilities are analyzed by organizational personnel including system owners, mission and business owners, senior agency information security officers, senior agency officials for privacy, authorizing officials, and the risk executive (function). The analysis can serve to prioritize and initiate mitigation actions to address the discovered system vulnerability.

  Related Controls: None.

• (3) INCIDENT REPORTING | SUPPLY CHAIN COORDINATION
  Provide incident information to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident.

  Discussion: Organizations involved in supply chain activities include product developers, system integrators, manufacturers, packagers, assemblers, distributors, vendors, and resellers. Entities that provide supply chain governance include the Federal Acquisition Security Council (FASC). Supply chain incidents include compromises or breaches that involve information technology products, system components, development processes or personnel, distribution processes, or warehousing facilities. Organizations determine the appropriate information to share and consider the value gained from informing external organizations about supply chain incidents, including the ability to improve processes or to identify the root cause of an incident.

  Related Controls: SR-8.

References: [FASC18], [41 CFR 201], [USCERT IR], [SP 800-61].