Update index.md

[scheidelg]

• Minor editing fix from ', but itself,' to ', by itself'
• Added bullets to the Cyber Incident Reporting list to include follow-up and after-incident reporting.
• In the last full paragraph in section 2, edited the sentence restricting reporting to incidents affecting CUI, hopefully for better clarity.
• In section 3's first paragraph, changed 'should' to 'may' to reflect that not all independent assessments will be applicable to the NIST process for obtaining ATO. Also seems more consistent with the existing language "Agencies may accept independent thirdparty
  verification of security assessment results."
• In section 3's reference to ensuring agencies are granted access to information systems, it seems that this should be the responsibility of both the agency and the contractor.
• The last paragraph of section 3 seemed to be applicable specifically to contractor internal systems.