bigforceone

03.06.02

What this control requires

(a) Track and document system security incidents.
(b) Report suspected incidents to the organizational incident response capability within {{ insert: param, A.03.06.02.ODP.01 }}.
(c) Report incident information to {{ insert: param, A.03.06.02.ODP.02 }}.
(d) Provide an incident response support resource that offers advice and assistance to system users on handling and reporting incidents.

Source: NIST SP 800-171 R3 §03.06.02 (official control text).

Why this matters

Security incidents — from phishing attempts to data breaches — happen to every organization. This control ensures your team systematically tracks what happened, escalates threats quickly, reports to authorities when required, and gives employees a clear place to get help. Without formal incident tracking, you lose forensic detail, miss attack patterns, and can't prove compliance when auditors or law enforcement ask what you knew and when. Documenting incidents also feeds risk assessments and shows leadership where to invest in defenses. The support resource ensures confused users don't ignore suspicious activity or handle breaches incorrectly.

What evidence assessors expect

Assessors typically look for: PDF, screenshot, CSV export. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
