Incident Response Planning for the Small Business Seeking NIST SP 800-171 and DFARS 204.252-7012 Con
- Jun 23, 2017

There are many challenges in achieving conformance to the Government’s requirement for the control of CUI, especially for the smaller organization. One of those challenges is the need for a plan to handle Incident Response (NIST SP 800-171, Section 3.6, Incident Response). In a small company there are no teams of qualified incident responders waiting to jump into action. Often, it seems like there is little that can be planned in advance concerning the possibility of some unknown security incident sometime in the future.
However, there are many elements that should be collected together into one reference document that will actually be helpful when a cyber security incident occurs. If your Incident Response Plan (IRP) can’t be helpful, then it is useless. Certainly it is possible to grab a template off the Internet and put in your company name and call that your plan, but that will not provide any assistance in a time of crisis.
When people are freaking out over a scary situation with the computer systems, that is not the time to stop and look up the tools you need, the steps to take, or who needs to be informed. Doing some of that work in advance is the purpose of the Incident Response Plan. While, in a larger enterprise, it may be feasible to define specific lines of action in response to each type of incident, that level of planning is generally beyond the resources available to a small organization; advance planning can still have value, though.
So, especially in a smaller organization, your Incident Response Plan may be less of a step-by-step cookbook of exactly what needs to happen and more of a reference document. Your IRP should be available to provide some of what you need, so you don’t have to hunt and guess when things are crazy. There is no specific format or content checklist of what your IRP must look like; instead, you want to make your IRP useful to your specific organization in the event of an incident.
While a small organization’s IRP might be less tactical than the corresponding document in a larger organization, there are a few exceptions where the IRP does need to be explicitly procedural. An example of this is the DoD-required collection of evidence and reporting. DFARS 252.204-7012 has several clearly-defined actions that must occur in the event of a cybersecurity incident. Each of those requirements should be outlined in your IRP, with specific information concerning how they will be implemented within your organization. For example, the DFARS says that you should “preserve and protect images of all known affected information systems”, but your IRP should expand on that to contain specific descriptions of the tools to be used and the processes to be followed to accomplish this goal within your organization.
The incident reporting required by DFARS 252.204-7012 is supposed to occur within 72 hours of the identification of an incident. Yet performing that reporting requires a DoD medium assurance certificate. Purchasing this certificate involves a lengthy application process. It would be impossible to begin that process when a security incident occurs and still make a report within the 72-hour requirement. To be prepared for an incident, the security certificate must be obtained in advance. Information about purchasing a certificate may be found at http://iase.disa.mil/pki/eca/Pages/index.aspx. The certificate is only good for a specific span of time, so it will be necessary to renew it periodically to maintain the ability to comply with the reporting requirements. You can plan on these certificates costing around $100 per year. The process of being prepared for an incident must include the purchase and maintenance of this certificate. The certificate is in a specific individual’s name, so consideration must be made for what happens if that individual leaves the organization.
Here are topics you ought to address in your IRP:
- Reporting of observations – How can the employees contact the persons responsible for incident response quickly and at all hours?
- Roles and Responsibilities – Who will be responsible for what aspects of the incident response process?
- Outline of IR procedure – Is there a specific form that guides incident response and allows documentation of the process?
- External contacts – How can local, state, federal and DoD authorities be contacted?
- Collection and Reporting Requirements – What are the required steps outlined in DFARS 252.204-7012?
- Topics required by NIST SP 800-171, Paragraph 3.6: detection, analysis, containment, recovery, and user response activities
Required Collecting & Reporting
In the event of a confirmed cyber incident, DFARS 252.204-7012 requires:
- Conduct a review for evidence of compromise to identify computers, servers, specific data, user accounts or other resources involved.
- Make a report to https://dibnet.dod.mil within 72 hours.
- Utilize the DoD Medium Assurance Certificate to report on dibnet.
- Submit any isolated malicious software to DC3.
- Preserve and protect forensic images of affected information systems data. Maintain this data for 90 days to allow DoD the opportunity to request the materials.
- Contact prime contractors that may have passed down NIST SP 800-171 requirements, providing them with the DoD-assigned incident report number.
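The post says the IRP should turn “preserve and protect images” and the DFARS time limits into concrete tools and steps. The script below is an added example of one such tool, not DoD, DC3 or DIBNet tooling: it hashes each preserved image, records the 72-hour report-by and 90-day retain-until times, and re-verifies the hashes so an altered or missing image is noticed before DoD asks for it. The sample image is constructed; the assumption that the 90 days are counted from the identification timestamp is flagged in the code and should be checked against the clause.

```python
"""Evidence-preservation helper for a small-business IRP (added example, not DoD or
DC3 tooling): hash each preserved image, record the DFARS 72-hour report-by and
90-day retain-until times, and re-check hashes so altered or lost images are noticed."""
import hashlib
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

REPORT_WINDOW = timedelta(hours=72)     # report to dibnet within 72 hours
RETENTION_WINDOW = timedelta(days=90)   # keep images at least 90 days

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def incident_deadlines(identified_at: str) -> dict:
    """ISO-8601 identification time -> report-by / retain-until strings.
    Assumption: the 90 days are counted from the same timestamp."""
    t0 = datetime.fromisoformat(identified_at)
    return {"report_by": (t0 + REPORT_WINDOW).isoformat(),
            "retain_until": (t0 + RETENTION_WINDOW).isoformat()}

def build_manifest(images: list, identified_at: str) -> dict:
    """Hash every preserved image and attach the incident deadlines."""
    return {"identified_at": identified_at, **incident_deadlines(identified_at),
            "images": [{"file": p.name, "size": p.stat().st_size,
                        "sha256": sha256_file(p)} for p in images]}

def verify_manifest(manifest: dict, image_dir: Path) -> list:
    """Re-hash stored images; return names that are missing or altered."""
    return [e["file"] for e in manifest["images"]
            if not (image_dir / e["file"]).exists()
            or sha256_file(image_dir / e["file"]) != e["sha256"]]

def demo() -> tuple:
    """Constructed sample: one fake image, verified before and after tampering."""
    d = Path(tempfile.mkdtemp())
    img = d / "host01.img"
    img.write_bytes(b"constructed sample disk image")
    manifest = build_manifest([img], "2017-06-23T09:00:00+00:00")
    clean = verify_manifest(manifest, d)          # [] while untouched
    img.write_bytes(b"constructed sample disk image, modified")
    return clean, verify_manifest(manifest, d)    # ([], ['host01.img'])

if __name__ == "__main__":
    print(demo())
```

Store the manifest with the images and re-run the verification on a schedule until the retain-until date has passed.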
For reference, NIST SP 800-171 has these requirements for incident response:
3.6 INCIDENT RESPONSE
3.6.1 Establish an operational incident-handling capability for organizational systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities.
3.6.2 Track, document, and report incidents to appropriate officials and/or authorities both internal and external to the organization.
3.6.3 Test the organizational incident response capability.
For more information about implementing NIST SP 800-171 and DFARS 252.204-7012 in your organization, go to http://nist-sp-800-171.com