NIST 800-171 Control 3.6.2: Incident Tracking and Reporting
Incident tracking and reporting is a critical control that ensures your organization captures, documents, and communicates security incidents to the right people—both internally and to external authorities. Without a formal tracking system, incidents slip through cracks, compliance obligations go unmet, and threat intelligence is lost. Control 3.6.2 requires you to establish processes that turn incident response from reactive chaos into documented accountability.
What this means
Control 3.6.2 mandates that your organization maintain a formal system to track all security incidents from detection through resolution. This includes documenting the incident details, impact assessment, and remediation steps, then reporting findings to designated internal officials and external authorities as required by law, regulation, or contractual obligation. The control emphasizes both the operational need to understand what happened and the compliance need to prove you reported it.
How to comply
- 1.Establish an incident tracking system (ticketing tool, log, or database) that captures incident details including date, time, description, affected systems, and severity classification
- 2.Define reporting thresholds and timelines for when incidents must be escalated to management, security teams, and external authorities (e.g., 72 hours for data breaches under GDPR)
- 3.Document all incident communications, including who was notified, when they were notified, and what information was shared
- 4.Create a formal incident response procedure that includes investigation, containment, eradication, and recovery steps—all logged in your tracking system
- 5.Designate responsible parties (incident response team, CISO, legal, executives) and ensure they receive timely notifications based on incident severity
- 6.Maintain audit trails showing that incidents were reported to external authorities when required (law enforcement, regulatory bodies, customers)
- 7.Review and update your incident tracking process annually to ensure it aligns with evolving threats and regulatory requirements
Evidence auditors look for
- Incident response policy that defines tracking requirements, reporting procedures, and responsible parties
- Completed incident tickets showing detection date, description, severity, investigation notes, and resolution status
- Email records or formal notification logs proving incidents were reported to internal stakeholders and external authorities within required timeframes
- Breach notification letters sent to affected customers or regulatory bodies (redacted as needed)
- Audit logs from your incident tracking system showing who accessed incidents and when changes were made
- Evidence of management review and sign-off on major incidents
- Training records showing incident response team members understand tracking and reporting requirements
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates incident logging and generates compliance-ready audit trails that prove timely reporting to internal and external authorities—eliminating manual spreadsheet tracking and reducing the risk of missed notification deadlines.
See how GRCWatch handles this control automatically
Start free trial