NIST SP 800-171 Rev 2 practice 3.6.2 requires organizations to track, document, and report incidents affecting systems that process, store, or transmit Controlled Unclassified Information (CUI). Tracking means maintaining a record of each incident from detection through closure, capturing key facts such as timeline, affected assets, and response actions. Documentation must be detailed enough to support post-incident analysis, legal proceedings, and future prevention. Reporting obligations extend to both internal officials—such as the CISO, legal counsel, or senior leadership—and external authorities, which for defense contractors typically include the DoD Cyber Crime Center (DC3), US-CERT, and the cognizant Contracting Officer. The practice operationalizes the communication and accountability requirements that complement the incident-handling capability established by IR-L2-3.6.1.
Where it stops · what it isn't
- This practice does not define how incidents are detected or initially triaged; that is covered by IR-L2-3.6.1 and SI domain controls.
- This practice does not mandate specific technical formats for incident logs beyond what is needed to satisfy reporting obligations; format decisions are implementation-specific.
- This practice does not govern the preservation or chain-of-custody requirements for digital forensic evidence, which fall under legal and investigative guidance.
- This practice does not dictate the specific content of DoD contract clauses (e.g., DFARS 252.204-7012) but must be implemented in a manner consistent with those contractual obligations.
- This practice does not cover the recovery or lessons-learned phases of incident response, which are addressed separately under IR-L2-3.6.1 and organizational procedures.
Connected concepts in the graph
- PART OF: domain/incident-response