CCI-002664

Alert organization-defined personnel or roles when organization-defined compromise indicators generate the occurrence of a compromise or a potential compromise.

Implementation Guidance

The organization being inspected/assessed configures the information system to alert at a minimum, the ISSM and ISSO when real time intrusion detection and when there are threats identified by authoritative sources (e.g. CTOs) and IAW incident categories I, II, IV, & VII within CJCSM 6510.01B reflect the occurrence of a compromise or a potential compromise. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2664. DoD has defined the personnel or roles as at a minimum, the ISSM and ISSO. DoD has defined the compromise indicators as real time intrusion detection and when there are threats identified by authoritative sources (e.g. CTOs) and IAW incident categories I, II, IV, & VII within CJCSM 6510.01B.

Validation Procedures

The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to alert at a minimum, the ISSM and ISSO when real time intrusion detection and when there are threats identified by authoritative sources (e.g. CTOs) and IAW incident categories I, II, IV, & VII within CJCSM 6510.01B reflect the occurrence of a compromise or a potential compromise. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2664. DoD has defined the personnel or roles as at a minimum, the ISSM and ISSO. DoD has defined the compromise indicators as real time intrusion detection and when there are threats identified by authoritative sources (e.g. CTOs) and IAW incident categories I, II, IV, & VII within CJCSM 6510.01B.

Compelling Evidence

1.) Signed and dated system security plan defines indicators/thresholds that indicate compromise (or potential of compromise) of information system which will trigger alerts to be sent to authorized personnel (must document ISSM and ISSO). Must include real-time intrusion detection thresholds. 2.) Alert logs. 3.) List of personnel receiving alerts.

The controls below (if any) were marked by NIST as being related to CCI-002664.