Control 3.6.2
Track, Document, and Report Incidents
Official Requirement
Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.
What This Means in Plain English
Every security incident must be tracked from detection through resolution in a single system of record. You must document what happened, how you responded, and who was notified, and you must report to the appropriate people internally (management, legal, HR) and externally as required by contract and regulation. For DoD contractors the primary external channel is DoD itself: DFARS 252.204-7012 requires cyber incidents affecting covered defense information, or your ability to perform operationally critical support, to be reported to DoD through DIBNet (https://dibnet.dod.mil) within 72 hours of discovery. Law enforcement and other agencies are reported to as your contracts, customers, or other regulations require. (DIBCAC performs assessments; it is not the incident reporting channel.)
How Petronella Implements This Control
Petronella Technology Group implements this control through:
- Incident tracking system in ComplianceArmor documenting every incident from detection through closure, with a unique incident identifier, timestamps for detection, containment, and closure, and a record of each internal and external notification made
- Defined reporting chains for internal notification (management, legal, HR as applicable)
- External reporting procedures for DoD via DIBNet under DFARS 252.204-7012, plus FBI IC3 and CISA where required by contract, regulation, or customer agreement
- DFARS 252.204-7012 72-hour reporting requirement documented in the Incident Response Plan (IRP), together with the requirement to preserve images of affected systems and relevant monitoring data for at least 90 days after the report is submitted
- Post-incident reports generated for all significant incidents with lessons learned
Assessment Guidance
Assessors evaluate this control against the NIST SP 800-171A objectives: incidents are tracked, incidents are documented, the external authorities and internal officials to whom incidents are reported are identified, and those authorities and officials are actually notified. Expect them to review incident tracking records, verify that reporting procedures cover both internal and external requirements, check that the DFARS 252.204-7012 72-hour DoD reporting requirement is addressed, and confirm that incident documentation is complete and timely. If you have had no reportable incidents, be prepared to show the tracking system, the reporting procedure, and evidence (such as a tabletop exercise) that the reporting chain has been exercised.
Common Implementation Gaps
- No incident tracking system or log
- Incidents handled informally without documentation
- No defined external reporting procedures
- Unaware of the DFARS 252.204-7012 72-hour DoD cyber incident reporting requirement
- No DoD-approved medium assurance certificate on hand, so DIBNet reporting cannot be filed within the 72-hour window
- Affected system images and monitoring data not preserved for the required 90 days after reporting
- No post-incident reviews or lessons learned
Cross-Framework Mapping
| Framework | Mapped Controls |
|---|---|
| NIST SP 800-53 | IR-5 (Incident Monitoring), IR-6 (Incident Reporting) |
| HIPAA | 164.308(a)(6)(ii) - Response and Reporting |
| PCI DSS | Req 12.10.1 - Create the incident response plan (v3.2.1 wording; retained as 12.10.1 in v4.0) |
Need Help Implementing 3.6.2?
Our CMMC-RP certified team can assess your current compliance posture and build a remediation plan.
Schedule a Compliance Assessment