Level 2


Organizations recognize that incident handling capability is dependent on the capabilities of organizational systems and the mission/business processes being supported by those systems. Organizations consider incident handling as part of the definition, design, and development of mission/business processes and systems. Incident-related information can be obtained from a variety of sources including audit monitoring, network monitoring, physical access monitoring, user and administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including mission/business owners, system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive.

As part of user response activities, incident response training is provided by organizations and is linked directly to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to know who to call or how to recognize an incident on the system; system administrators may require additional training on how to handle or remediate incidents; and incident responders may receive more specific training on forensics, reporting, system recovery, and restoration. Incident response training includes user training in the identification/reporting of suspicious activities from external and internal sources. User response activities also include incident response assistance, which may consist of help desk support, assistance groups, and access to forensics services or consumer redress services, when required.

[SP 800-61] provides guidance on incident handling. [SP 800-86] and [SP 800-101] provide guidance on integrating forensic techniques into incident response. [SP 800-161] provides guidance on supply chain risk management.

Priority: High  


Services Associated with AWS: 

  • AWS Security Hub
  • AWS Incident Manager

Services Associated with Azure: 

  • Azure Security Center
  • Azure Monitor
  • Azure Sentinel
  • Azure Active Directory (Azure AD)
  • Azure Backup and Azure Site Recovery
  • Azure Information Protection
  • Azure Governance and Azure Management Groups

Objective Evidence: 

  • Administrative: documented policies, standards & procedures 
  • Administrative: supporting documentation of role-based security training being performed
  • Administrative: supporting documentation of professional competence by individual(s) performing incident response roles
  • Administrative: Incident Response Plan (IRP) practices that cover all phases of incident response operations 

Possible Technology Considerations:

  • [not tied to a specific technology] 

What needs to be answered:

Is there a company incident response policy which specifically outlines requirements for handling of incidents involving CUI? Is an incident handling capability implemented for security incidents that include preparation, detection and analysis, containment, eradication, and recovery?

Checks for AWS

  • Operational Incident Handling Capability

    Description: This check ensures that organizations have established an operational incident-handling capability for their systems. The incident-handling capability includes activities such as preparation, detection, analysis, containment, recovery, and user response. It involves coordination among various organizational entities and the integration of incident response training into the roles and responsibilities of organizational personnel.
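    As an added example (not part of this page and not AWS tooling), the following Python evaluator turns the two AWS services listed above into evidence for the incident-handling phases this check names: Security Hub for detection and analysis, an Incident Manager response plan with engagements and actions for preparation and containment. The `fetch_from_aws` helper, the region, the account id and the response-plan name are assumptions; the sample API responses are constructed to mirror the shape of `describe_hub` and `get_response_plan`.

```python
"""Evaluate AWS evidence for the Operational Incident Handling Capability check.
The evaluation logic runs offline on API-shaped dicts; live collection is optional."""
from typing import Dict, List, Optional

# Which incident-handling phase each piece of evidence supports (assumed mapping).
PHASES = {
    "security_hub_enabled": "detection and analysis",
    "security_hub_auto_enable_controls": "detection and analysis",
    "response_plan_exists": "preparation",
    "response_plan_has_engagements": "preparation",
    "response_plan_has_actions": "containment",
}

# Constructed sample responses (account id and names are placeholders).
SAMPLE_HUB = {"HubArn": "arn:aws:securityhub:us-east-1:111122223333:hub/default",
              "AutoEnableControls": True}
SAMPLE_PLANS = [{"arn": "arn:aws:ssm-incidents::111122223333:response-plan/cui-incident",
                 "name": "cui-incident",
                 "incidentTemplate": {"title": "CUI incident", "impact": 2},
                 "engagements": [],   # no on-call contacts wired in yet
                 "actions": []}]      # no runbook attached yet


def evaluate_incident_handling(hub: Optional[dict], plans: List[dict]) -> Dict[str, bool]:
    """hub: securityhub.describe_hub() response, or None if Security Hub is not
    enabled in the account/region. plans: one get_response_plan() response per plan."""
    return {
        "security_hub_enabled": hub is not None and "HubArn" in hub,
        "security_hub_auto_enable_controls": bool(hub and hub.get("AutoEnableControls")),
        "response_plan_exists": len(plans) > 0,
        "response_plan_has_engagements": any(p.get("engagements") for p in plans),
        "response_plan_has_actions": any(p.get("actions") for p in plans),
    }


def gaps(results: Dict[str, bool]) -> List[tuple]:
    """Failed checks paired with the phase whose evidence is missing."""
    return [(check, PHASES[check]) for check, ok in results.items() if not ok]


def fetch_from_aws(region: str = "us-east-1"):
    """Live collection; assumes boto3 and AWS credentials are available (no pagination)."""
    import boto3
    sh = boto3.client("securityhub", region_name=region)
    try:
        hub = sh.describe_hub()
    except sh.exceptions.InvalidAccessException:  # raised when Security Hub is disabled
        hub = None
    im = boto3.client("ssm-incidents", region_name=region)
    summaries = im.list_response_plans().get("responsePlanSummaries", [])
    return hub, [im.get_response_plan(arn=s["arn"]) for s in summaries]
```

Run `gaps(evaluate_incident_handling(*fetch_from_aws()))` against a real account to list which phases still lack evidence.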

Checks for Azure

  • Azure Security Center Compliance Checks:
    Description: Validate that Azure Security Center is enabled and configured to monitor and detect security incidents across Azure resources. This check ensures that the necessary security controls are in place to detect and respond to incidents effectively.
  • Azure Monitor Compliance Checks:
    Description: Confirm that Azure Monitor is configured to collect relevant logs and events for incident detection and analysis. This check ensures that the organization is leveraging Azure Monitor's monitoring capabilities to identify and respond to security incidents promptly.
  • Azure Sentinel Compliance Checks:
    Description: Verify that Azure Sentinel is deployed and properly configured to collect and analyze security events from various sources. This check ensures that Azure Sentinel, a cloud-native SIEM solution, is effectively integrated into the incident handling process.
  • Azure Active Directory Compliance Checks:
    Description: Ensure that Azure Active Directory (Azure AD) is properly configured to enforce strong authentication and access control policies. This check focuses on securing user access to Azure resources and minimizing the risk of unauthorized incidents.
  • Azure Backup and Azure Site Recovery Compliance Checks:
    Description: Confirm that regular backups and replication of critical systems and data are configured using Azure Backup and Azure Site Recovery services. This check ensures that data can be restored in the event of an incident or outage, facilitating incident recovery.
  • Azure Policy Compliance Checks:
    Description: Validate that Azure Policy is used to enforce compliance with incident response requirements and standards. This check ensures that the organization has defined and implemented policies that align with incident handling best practices.
  • Azure Governance Compliance Checks:
    Description: Verify that Azure Management Groups and Azure governance policies are used to provide centralized oversight and control of incident handling activities across Azure resources. This check focuses on ensuring that incident response efforts are coordinated and consistent across the organization.

More Details: An incident response system is in place for all security and IT-related issues, operated in conjunction with IT administration staff.