IR.L2-3.6.2 — Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.

What this control requires

Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.

Source: CMMC L2 v2.13 IR.L2-3.6.2 / NIST SP 800-171 R2 3.6.2 (official control text).

Why this matters

When a security incident occurs — whether a phishing attack, data breach, ransomware infection, or unauthorized access — the organization must systematically record what happened, track its resolution, and notify the right people inside and outside the company. This control ensures incidents don't disappear into informal Slack threads or individual memory. Proper tracking enables pattern recognition (detecting coordinated attacks), meets legal obligations (breach notification laws, DoD reporting requirements), supports forensic investigation, and proves to auditors that the organization takes security events seriously. Without documented incident workflows, organizations lose visibility into threats, repeat preventable mistakes, and expose themselves to regulatory penalties.

What evidence assessors expect

Assessors typically look for: PDF, screenshot, training certificate. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.

Related controls