GRCWatch
Sign inStart free trial

CMMC Level 2 IR.L2-3.6.2: Incident Reporting & Documentation

Incident reporting is your organization's safety valve for security breaches. CMMC Level 2 requires you to establish clear processes for detecting, documenting, and reporting incidents to both internal leadership and external authorities. Without structured incident tracking, you risk regulatory penalties, delayed response times, and loss of evidence.

What this means

This control requires your organization to implement formal procedures for identifying security incidents, documenting all relevant details, and reporting them to designated officials within your organization as well as relevant external authorities (such as law enforcement or federal agencies). The goal is to ensure incidents are tracked consistently, investigated promptly, and escalated appropriately based on severity and regulatory requirements.

How to comply

  1. 1.Define what constitutes a reportable incident (breach, unauthorized access, malware detection, etc.)
  2. 2.Establish a centralized incident tracking system with unique incident identifiers
  3. 3.Document incident details: discovery date/time, affected systems, scope, initial impact assessment
  4. 4.Create notification procedures specifying internal escalation paths and timelines
  5. 5.Identify external reporting requirements (law enforcement, regulatory bodies, customers)
  6. 6.Define incident classification levels and corresponding reporting timeframes
  7. 7.Implement audit logs capturing who reported incidents, when, and to whom
  8. 8.Train personnel on incident identification and reporting procedures
  9. 9.Maintain a searchable incident register for historical reference and trend analysis

Evidence auditors look for

  • Incident reporting policy document with escalation procedures and authority contacts
  • Incident tracking system (ticketing tool, spreadsheet, or specialized software)
  • Sample completed incident reports with timestamps and details
  • Communication logs showing incident notifications to internal stakeholders
  • External reporting records (law enforcement filings, regulatory disclosures)
  • Audit trail demonstrating incident documentation and status updates
  • Incident severity classification matrix with reporting timelines
  • Employee training records on incident reporting procedures
  • Metrics showing incident detection-to-reporting time

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates incident capture and escalation workflows, automatically logs all reports with timestamps and approvals, and maintains an auditable incident register—eliminating manual tracking and ensuring no incidents slip through reporting gaps.

See how GRCWatch handles this control automatically

Start free trial

Related controls

IR.L2-3.6.1 Incident DetectionIR.L2-3.6.3 Incident InvestigationAC.L2-3.1.1 Access Control PolicyAT.L2-3.2.1 Security Awareness and Training