DE.AE-06 Incident Declaration - NIST CSF 2.0 Checklist

DE.AE-06 requires organizations to information on adverse events is provided to authorized staff and tools for further action. This NIST CSF 2.0 control falls under the Detect (DE) function and the Adverse Event Analysis category. Use this checklist to verify implementation and prepare evidence for auditors.

Control Details

Control ID: DE.AE-06
Title: Incident Declaration
Function: Detect (DE)
Category: Adverse Event Analysis
Framework: NIST CSF 2.0

Information on adverse events is provided to authorized staff and tools for further action.

Information on adverse events is provided to authorized staff and tools for further action. When analysis confirms an event warrants incident response, it is formally declared and escalated through established channels.

Why This Matters

Delayed incident declaration extends attacker dwell time and increases damage. Clear escalation criteria and communication channels ensure incidents are handled promptly by the right teams.

Implementation Checklist

Use this checklist to verify your organization meets the requirements of DE.AE-06.

Define incident severity levels with clear classification criteria
Establish an incident declaration process with designated authority
Create communication templates for incident notification
Maintain a current contact list for incident response team members
Test the incident declaration and escalation process at least annually
Document all incident declarations with timestamps and initial findings

Evidence an Auditor Expects

Prepare the following documentation and artifacts to demonstrate compliance with DE.AE-06 during an audit.

Incident classification and severity matrix
Incident declaration procedure documentation
Communication templates and notification contact lists
Incident response team roster with contact information
Tabletop exercise or drill records testing declaration procedures

Common Gaps We Find

Based on our penetration testing and risk assessment engagements, these are the gaps organizations most frequently have with DE.AE-06.

No formal incident severity classification exists so all events are treated equally
Incident declaration authority is unclear and events languish without escalation
The incident declaration process has never been tested through exercises

FAQ

What does DE.AE-06 require?

DE.AE-06 (Incident Declaration) requires that information on adverse events is provided to authorized staff and tools for further action. When analysis confirms an event warrants incident response, it is formally declared and escalated through established channels. This control is part of the NIST CSF 2.0 Detect function under the Adverse Event Analysis category.

How do I prove compliance with DE.AE-06?

To demonstrate compliance with DE.AE-06, prepare the following evidence: Incident classification and severity matrix; Incident declaration procedure documentation; Communication templates and notification contact lists. Auditors will verify that these artifacts exist and reflect current operational practices.

Need Help Meeting NIST CSF 2.0 Requirements?

Our penetration testing and risk assessments map directly to NIST CSF 2.0 controls. Sherlock Forensics identifies gaps in your compliance posture and provides actionable remediation guidance.

Get a Compliance Assessment