IR-6: Incident Reporting
Control Family:
CSF v1.1 References:
PF v1.0 References:
Previous Version:
- NIST Special Publication 800-53 Revision 4: IR-6: Incident Reporting
Control Statement
- Require personnel to report suspected incidents to the organizational incident response capability within [Assignment: organization-defined time period]; and
- Report incident information to [Assignment: organization-defined authorities].
Supplemental Guidance
The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Incident information can inform risk assessments, control effectiveness assessments, security requirements for acquisitions, and selection criteria for technology products.
Control Enhancements
IR-6(1): Automated Reporting
Baseline(s):
- Moderate
- High
Report incidents using [Assignment: organization-defined automated mechanisms].
IR-6(2): Vulnerabilities Related to Incidents
Baseline(s):
Report system vulnerabilities associated with reported incidents to [Assignment: organization-defined personnel or roles].
IR-6(3): Supply Chain Coordination
Baseline(s):
- Moderate
- High
Provide incident information to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident.