This objective requires your organization to clearly define and categorize which types of security incidents must be reported, especially those that could impact the confidentiality, integrity, or availability of Controlled Unclassified Information (CUI).