This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization:
(a) Requires personnel to report suspected security incidents to the organizational incident response capability within [FedRAMP Assignment: (L)(M)(H) US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)]; and
(b) Reports security incident information to [Assignment: organization-defined authorities].
Additional FedRAMP Requirements and Guidance:
(L)(M)(H) Reports security incident information according to FedRAMP Incident Communications Procedure.
NIST 800-53 (r4) Supplemental Guidance:
The intent of this control is to address both specific incident reporting requirements within an organization and the formal incident reporting requirements for federal agencies and their subordinate organizations. Suspected security incidents include, for example, the receipt of suspicious email communications that can potentially contain malicious code. The types of security incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Current federal policy requires that all federal agencies (unless specifically exempted from such requirements) report security incidents to the United States Computer Emergency Readiness Team (US-CERT) within specified time frames designated in the US-CERT Concept of Operations for Federal Cyber Security Incident Handling. Related controls: IR-4, IR-5, IR-8.
References: None.
NIST 800-53 (r5) Discussion:
The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Incident information can inform risk assessments, control effectiveness assessments, security requirements for acquisitions, and selection criteria for technology products.
38North Guidance:
Meets Minimum Requirement:
Reporting within the organization: The organization has defined and documented the entity to which users should report suspected and potential security incidents, and within what time frame (Note: US-CERT requires reporting within one hour of the incident being identified).
Reporting to external entities: The organization should define any external agencies or authorities that should be alerted in the event of a potential or suspected security incident, and develop procedures for reporting security incident information to US-CERT and other external agencies or authorities within the necessary time frames (Note: US-CERT requires reporting within one hour of the incident being identified).
Non-privileged users and personnel with incident response responsibilities are trained in their incident response reporting duties. This can be covered in security awareness training, a company handbook, company policies, or incident response training exercises.
If an incident has occurred, the organization has followed its incident reporting procedures to notify the Authorizing Official, FedRAMP, or other entities.
Best Practice:
US-CERT Incident Notification Guidelines: "Agencies must report information security incidents, where the confidentiality, integrity, or availability of a federal information system of a civilian Executive Branch agency is potentially compromised, to the CISA/US-CERT with the required data elements, as well as any other available information, within one hour of being identified by the agency's top-level Computer Security Incident Response Team (CSIRT), Security Operations Center (SOC), or information technology department."
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
Incident response policy/procedures indicating how, to whom, and within what time frame users should report incidents.
Incident response plan or procedures that include steps for reporting incidents to US-CERT when required, and that identify who is responsible for reporting incidents to US-CERT.
Incident response records for previous security incidents, such as tickets or incident response forms, showing that external agencies and/or authorities were notified as required.
Training provided to general users, and to those with incident response responsibility, identifying their reporting requirements.
CSP Implementation Tips:
Amazon Web Services (AWS): AWS customers are responsible for reporting incidents involving customer storage, virtual machines, and applications, unless the incident was caused by AWS or is the result of AWS action. AWS customers are responsible for providing a point of contact and an escalation plan to AWS in order to facilitate ongoing incident communications. AWS customers should work with AWS to develop an agreed-upon reporting process and a method for receiving notification of security incidents involving the potential breach of customer data.
Microsoft Azure: TBD
Google Cloud Platform: TBD