# Incident

**Quick Summary**
Tracks security incidents and service outages from detection through resolution. Incidents carry severity levels, involve the Incident Response Team, and produce the audit trail required by FedRAMP, NIST SP 800-171, and DFARS.
An incident ticket is created when a security event, service outage, or other disruption requires coordinated investigation and response. Incidents may be raised manually by a team member or escalated from an alert ticket after triage confirms a genuine event.
The ticket captures detection details, affected systems, severity, and whether sensitive data (such as CUI) is potentially involved. All actions taken during containment, eradication, and recovery are documented directly on the ticket through notes and attachments, creating the authoritative record for post-incident review and regulatory reporting.
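The record structure the two paragraphs above describe, as an added example that is not the ticketing system's own code: an incident carries the detection fields, a severity, the affected systems and a CUI flag; it can be escalated from a triaged alert; every action lands in an append-only timeline that callers can read but not rewrite; and CUI incidents expose the 72-hour reporting deadline quoted in the compliance table. The class and field names, the severity scale, the phase names and the sample data are all assumptions made for the illustration.

```python
"""Added example (not the product's code): a minimal incident record with an
append-only audit trail and the DFARS 72-hour reporting clock for CUI."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List, Optional, Tuple


class Severity(Enum):
    """Ordered severity levels (the scale itself is an assumption)."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


# Lifecycle phases in the order the page lists them; an incident only moves forward.
PHASES = ("detection", "analysis", "containment", "eradication", "recovery", "resolved")

# Reporting window for cyber incidents involving CUI (DFARS 252.204-7012, as quoted on the page).
CUI_REPORT_WINDOW = timedelta(hours=72)


@dataclass(frozen=True)
class TimelineEntry:
    """One immutable audit-trail record: who did what, in which phase, when."""
    at: datetime
    actor: str
    phase: str
    note: str
    attachment: Optional[str] = None


@dataclass
class Incident:
    ticket_id: str
    title: str
    detected_at: datetime
    severity: Severity
    affected_systems: List[str]
    cui_involved: bool
    source_alert: Optional[str] = None  # alert ticket id when escalated from triage
    phase: str = PHASES[0]
    _timeline: List[TimelineEntry] = field(default_factory=list, repr=False)

    @classmethod
    def from_alert(cls, alert_id: str, actor: str, **fields) -> "Incident":
        """Escalate a triaged alert ticket into an incident, recording the link on the timeline."""
        incident = cls(source_alert=alert_id, **fields)
        incident.record(actor, f"Escalated from alert ticket {alert_id} after triage")
        return incident

    def record(self, actor: str, note: str, attachment: Optional[str] = None,
               at: Optional[datetime] = None) -> TimelineEntry:
        """Append a note (optionally with an attachment reference) to the audit trail."""
        entry = TimelineEntry(at or datetime.now(timezone.utc), actor, self.phase, note, attachment)
        self._timeline.append(entry)
        return entry

    def advance(self, next_phase: str, actor: str, note: str) -> None:
        """Move to a later lifecycle phase; unknown or backward transitions are rejected."""
        if next_phase not in PHASES or PHASES.index(next_phase) <= PHASES.index(self.phase):
            raise ValueError(f"cannot move from {self.phase!r} to {next_phase!r}")
        previous, self.phase = self.phase, next_phase
        self.record(actor, f"Phase {previous} -> {next_phase}: {note}")

    def report_due_by(self) -> Optional[datetime]:
        """External reporting deadline; only CUI incidents carry the 72-hour clock here."""
        return self.detected_at + CUI_REPORT_WINDOW if self.cui_involved else None

    def report_overdue(self, now: datetime) -> bool:
        """True once the reporting window has passed without the clock being satisfied."""
        due = self.report_due_by()
        return due is not None and now > due

    def timeline(self) -> Tuple[TimelineEntry, ...]:
        """Read-only view of the audit trail; history cannot be edited through it."""
        return tuple(self._timeline)


# Constructed sample data for the demonstration.
T0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)


def sample_incident() -> Incident:
    """Build a constructed CUI incident escalated from a hypothetical alert ticket."""
    return Incident.from_alert(
        "ALERT-101", "analyst",
        ticket_id="INC-7", title="Suspicious VPN logins", detected_at=T0,
        severity=Severity.HIGH, affected_systems=["vpn-gw-01"], cui_involved=True,
    )


if __name__ == "__main__":
    inc = sample_incident()
    inc.advance("containment", "responder", "isolated vpn-gw-01 from the network")
    print("report due by:", inc.report_due_by())
    for entry in inc.timeline():
        print(entry.at.isoformat(), entry.phase, entry.actor, entry.note)
```

The timeline is exposed only as a tuple of frozen entries, so the containment, eradication and recovery notes that reviewers and regulators rely on cannot be silently altered after the fact; a real deployment would back this with an append-only store and persist the attachments themselves.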
## Compliance Context
Incident tickets support overlapping requirements across FedRAMP, CMMC, and DFARS:
| Control Area | Requirement |
|---|---|
| Incident Handling (FedRAMP IR-4) | Implement an incident handling capability that includes preparation, detection, analysis, containment, eradication, and recovery |
| Incident Reporting (FedRAMP IR-6) | Report incidents to appropriate authorities within required timeframes |
| Incident Monitoring (FedRAMP IR-5) | Track and document incidents on an ongoing basis |
| Incident Response (CMMC IR.L2-3.6.1) | Establish operational incident-handling capabilities |
| Incident Reporting (CMMC IR.L2-3.6.2) | Track, document, and report incidents to designated officials |
| CUI Incident Reporting (DFARS 252.204-7012) | Report cyber incidents involving CUI to DoD within 72 hours |
See the Incident Response playbook for detailed procedures.