What is considered an Incident with CUI in NIST 800-171?

So I get having a classified data spill and being able to handle that incident to make sure the data did not get further down the line than you thought, but with this bullet:

Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.

Are we handling an incident as if someone sent over CUI unencrypted? Huge grey area!


Curious about this as well. I get handling incidents internally, but who defines what that incident is or what it could be? Containment of malware or downloading something they shouldn't?

Or are we talking about a classified data spill? Or is this referring to every time CUI is not placed on “CUI Certified” system? Not really sure. Would be great to get some clarification.