
How to Meet NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - IR.L2-3.6.2

Practical guide for SMBs to implement NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - IR.L2-3.6.2

January 06, 2026


Requirement

NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - IR.L2-3.6.2 – Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.

Understanding the Requirement

This control within NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 requires an organization to implement a repeatable process that captures every incident from detection through closure, produces consistent documentation (incident reports), and ensures timely notification to the appropriate internal stakeholders and any external authorities required by contract or law. In practice you must be able to show that incidents are tracked, documented, and reported; that both the organizational officials and external authorities to be notified are identified in advance; and that evidence exists showing those parties were notified when incidents occur.

Technical Implementation

  • Deploy a central incident tracking system — Use a ticketing or incident response (IR) platform (e.g., ITSM system, SOAR, or a simple shared ticket queue) that assigns unique IDs, logs timestamps, records affected assets, captures actions taken, and stores attachments (screenshots, logs, exports). Configure required fields to align with your incident report template so every ticket contains minimum viable data for reporting and after-action review.

  • Create a standard incident report template and retention rules — Define required sections (summary, timeline, root cause, containment steps, eradication, recovery, impact, evidence inventory, and recommendations). Set retention and evidence-handling procedures (e.g., central encrypted repository, chain-of-custody notes) so reports and artifacts are preserved for compliance and potential external audit or legal requests.

  • Identify and document reporting authorities and internal escalation paths — Maintain an up-to-date contact list that names the organizational officials (CISO/IT manager, COO, contract manager) and external authorities (regulatory bodies, contracting officer, DoD point of contact where required). Include notification timelines (e.g., within 72 hours or per contract) and how to escalate if primary contacts are unavailable.

  • Automate notifications and initial triage — Integrate the tracking system with email, SMS, or collaboration tools so that opening or updating an incident ticket triggers alerts to the IR team and designated officials. Use simple playbooks for common incident types to ensure consistent first-response actions and consistent data collection for later reporting.

  • Log and evidence collection integration — Ensure your endpoints, network devices, and critical servers forward logs to a central log store or SIEM. Link log exports and forensic artifacts to the incident ticket so evidence is available when producing reports and responding to external inquiries.

  • Train and test the process — Run tabletop exercises and quarterly drills that exercise the full lifecycle: detection → ticket creation → containment → reporting to internal officials → external notification (simulated). Use lessons learned to update templates, contact lists, and automation.
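The six steps above describe one workflow: a ticket with a unique ID and mandatory fields, a timeline, an evidence inventory with integrity hashes, a pre-defined notification matrix with deadlines, and a report that proves each notification happened. The following Python register is an added example written for this article, not code from the original page or from any product; every contact address, deadline and sample value in it is a constructed placeholder, and the deadlines in a real deployment come from your contract and policy. It also covers the failure modes the bullets only imply: a ticket missing required fields is rejected, a late notification is flagged rather than silently accepted, and a ticket cannot be closed while a required notification is outstanding.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Ticket fields that must be filled before a ticket is accepted (aligned to the report template).
REQUIRED_FIELDS = ("summary", "affected_assets", "indicators", "initial_actions")

# Constructed notification matrix: recipient -> (scope, hours after detection by which
# they must be notified). Placeholders only; real contacts and deadlines come from your
# contract and incident response policy.
NOTIFICATION_MATRIX = {
    "ir-lead@example.com": ("internal", 1),
    "it-manager@example.com": ("internal", 1),
    "contracts@example.com": ("internal", 4),
    "dod-poc@placeholder.mil": ("external", 72),
}


@dataclass
class Incident:
    incident_id: str
    detected_at: datetime
    fields: dict
    timeline: list = field(default_factory=list)       # (when, actor, action)
    evidence: list = field(default_factory=list)       # (name, sha256, collected_by, when)
    notifications: dict = field(default_factory=dict)  # recipient -> (sent_at, on_time)
    status: str = "open"


class IncidentRegister:
    """Assigns unique IDs, enforces required fields, keeps a timeline and evidence
    inventory, and records who was notified and whether the deadline was met."""

    def __init__(self):
        self._counter = 0
        self.incidents = {}

    def open_incident(self, detected_at, **fields):
        missing = [f for f in REQUIRED_FIELDS if not fields.get(f)]
        if missing:
            raise ValueError(f"ticket rejected, missing required fields: {missing}")
        self._counter += 1
        inc = Incident(f"INC-{detected_at:%Y}-{self._counter:04d}", detected_at, fields)
        self.add_action(inc, detected_at, "system", "ticket opened")
        self.incidents[inc.incident_id] = inc
        return inc

    def add_action(self, inc, when, actor, action):
        inc.timeline.append((when, actor, action))

    def attach_evidence(self, inc, name, data, collected_by, when):
        # Hash at collection time so the artefact can later be shown to be unchanged.
        digest = hashlib.sha256(data).hexdigest()
        inc.evidence.append((name, digest, collected_by, when))
        self.add_action(inc, when, collected_by, f"attached evidence {name} sha256={digest[:12]}")
        return digest

    def notify(self, inc, recipient, sent_at):
        scope, hours = NOTIFICATION_MATRIX[recipient]
        on_time = sent_at <= inc.detected_at + timedelta(hours=hours)
        inc.notifications[recipient] = (sent_at, on_time)
        self.add_action(inc, sent_at, "system",
                        f"{scope} notification sent to {recipient}" + ("" if on_time else " (LATE)"))
        return on_time

    def outstanding_notifications(self, inc):
        return sorted(r for r in NOTIFICATION_MATRIX if r not in inc.notifications)

    def close(self, inc, when):
        pending = self.outstanding_notifications(inc)
        if pending:
            raise RuntimeError(f"cannot close {inc.incident_id}: notifications pending {pending}")
        inc.status = "closed"
        self.add_action(inc, when, "system", "ticket closed")

    def report(self, inc):
        """Render the report template sections as a dict: the evidence that the incident
        was tracked, documented and reported."""
        return {
            "incident_id": inc.incident_id,
            "status": inc.status,
            "summary": inc.fields["summary"],
            "affected_assets": inc.fields["affected_assets"],
            "timeline": [f"{t.isoformat()} {a}: {x}" for t, a, x in sorted(inc.timeline)],
            "evidence_inventory": [{"name": n, "sha256": h, "collected_by": c, "at": w.isoformat()}
                                   for n, h, c, w in inc.evidence],
            "notifications": {r: {"sent_at": s.isoformat(), "on_time": ok}
                              for r, (s, ok) in inc.notifications.items()},
            "late_notifications": [r for r, (_, ok) in inc.notifications.items() if not ok],
        }


def demo():
    """Constructed scenario run end to end; returns the final report dict."""
    reg = IncidentRegister()
    t0 = datetime(2026, 1, 6, 9, 0, tzinfo=timezone.utc)
    inc = reg.open_incident(t0, summary="Unusual outbound traffic from design workstation",
                            affected_assets=["WS-DESIGN-07"], indicators=["203.0.113.5:4444"],
                            initial_actions="Isolated host from network")
    reg.attach_evidence(inc, "netflow-export.csv", b"constructed sample export\n",
                        "analyst", t0 + timedelta(minutes=40))
    for who in ("ir-lead@example.com", "it-manager@example.com", "contracts@example.com"):
        reg.notify(inc, who, t0 + timedelta(minutes=30))
    reg.notify(inc, "dod-poc@placeholder.mil", t0 + timedelta(hours=30))
    reg.close(inc, t0 + timedelta(days=3))
    return reg.report(inc)


def late_demo():
    """Constructed failure case: the external notice goes out after the 72-hour deadline."""
    reg = IncidentRegister()
    t0 = datetime(2026, 1, 6, 9, 0, tzinfo=timezone.utc)
    inc = reg.open_incident(t0, summary="s", affected_assets=["x"], indicators=["y"], initial_actions="z")
    return reg.notify(inc, "dod-poc@placeholder.mil", t0 + timedelta(hours=80))
```

The `report()` output is what an assessor would want to see per incident: who was told, when, whether it was inside the deadline, and a hash-backed evidence list tied to the ticket. The deadline check sits in `notify()` rather than in a separate review step so that a late notification is recorded as late at the moment it happens, and `close()` refusing to close with notifications outstanding is the control that stops a ticket being quietly resolved without the external report.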

Example in a Small or Medium Business

Acme Engineering, a 75-person subcontractor, discovers unusual outbound traffic from a design workstation. An analyst opens a ticket in the company ITSM tool, selects "security incident" and completes the standard fields (asset, indicators, initial actions). The ticket automatically notifies the IR lead, IT manager, and the contract manager by email. The IR team isolates the workstation, preserves volatile data to a secured network share, and attaches the exported logs to the ticket. Using the incident report template, they draft a concise summary and timeline, record containment steps, and list the evidence collected. The contract manager checks the subcontract and confirms that a DoD notification is required, then forwards the report to the designated DoD point of contact within the required timeframe. After closure, Acme holds a lessons-learned meeting, updates the playbook, and pushes a short mandatory refresher to staff who handle incident reporting.

Summary

For SMBs, meeting IR.L2-3.6.2 is achievable by combining a clear policy (who to notify and when) with practical technical controls (a central tracking system, standardized report templates, automated notifications, and log/evidence integration). Designating officials, documenting authorities, and exercising the process closes the loop: incidents are tracked, documented, and reliably reported so you can meet contractual and legal obligations while improving containment and recovery over time.
