Incidents are documented and reported to the right officials.
What it actually means
When an incident happens, you document it and report it to the designated parties — internally and, where required, externally (including DoD reporting obligations for incidents involving CUI). Know who you must notify before you need to.
Pass or fail — an assessor needs a "yes" to each
- Incidents are tracked and documented.
- Internal and external reporting paths are defined (including DoD/CUI obligations).
- Designated officials are identified in advance.
What to have ready
- Incident log/tracking
- Reporting procedure naming internal and external recipients
- Awareness of DFARS/DoD incident reporting requirements
Where teams trip up
- No incident tracking
- Unaware of external/DoD reporting obligations
- No designated officials identified