WhiteHouse / cyber-acquisitions

https://policy.cio.gov

Incident management maturity and reporting #13

Open HallerJ opened 9 years ago

HallerJ commented 9 years ago

Section 2. Cyber Incident Reporting: Other posters have mentioned the lag frequently experienced by organizations in detecting incidents. Because of this problem, a part of the guidance should be an assessment that focuses on contractors' process capability to detect and manage incidents. For example:

  1. What technical and other capabilities do contractors have in place to detect incidents?
  2. What steps do contractors take to govern and refine incident management and incident detection?
  3. How does the contractor measure its own performance in detecting and managing incidents?

A focus on capability and maturity - in terms of processes within contractors - would allow the government to be more confident in the contractors' compliance with the guidance. This is also true of compliance with the standards of 800-171. Demonstrating that a contractor - or any organization - complies with something like two-factor authentication - for example - is more meaningful if there is some evidence that the contractor has actually identified systems where CUI is resident. Towards efficiency and making good use of security resources, having some repeatable processes in place can also help contractors themselves only place controls on systems that do actually contain or transport CUI.

wgaynor commented 9 years ago

I agree with the IR program evaluation criteria above, and with the OMB guidance that these should be set by the Agencies. I'd add that the guidance should deflect some of the criticism of the Government's potential use of reporting information by stating that achieving the benefits of sharing is the only objective of reporting. In particular in Section 2, add "identify the source of the incident", and remove "take other appropriate actions as necessary."