Applicable Requirement: IR.L2-3.6.1 — “Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.”

Validation Expectation: For this practice, the CCA must confirm that the OSC:

Tracks incidents consistently,

Documents incident details (who, what, when, where, and how), and

Maintains incident records to support analysis and corrective action.

Why A is Correct: Tracking and documenting incidents demonstrates that the OSC has an operational incident-handling capability and provides objective evidence of detection, response, and lessons learned.

Why Other Options Are Insufficient:

B (Sources configured/tuned): Helpful for detection, but not sufficient by itself.

C (Law enforcement notified): This may occur in certain cases, but it is not required by CMMC Level 2.

D (Forensics): Deep forensic investigation may be useful, but CMMC requires incident response capability, not mandatory forensic-level activities.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — IR.L2-3.6.1

NIST SP 800-171A — IR.L2-3.6.1 Assessment Objectives (tracking, documenting, handling incidents)

CMMC Assessment Guide – Level 2 — Incident Reporting

===========