Skip to main content
Greypike's CMMC Knowledge Base

Welcome to the CMMC Knowledgebase. Search for CMMC, resources, tools, sources, sites, and platforms using the search box below.
We add more to the database weekly, check back often.

If you cannot find an answer then contact us or click the chat button on the lower right..

< All Topics
Print

CMMC Incident Response (IR)

Incident Response contains 3 CMMC Level 2 requirements focused on preparing for and handling security incidents. These controls ensure you can detect, respond to, and recover from cyberattacks or security breaches affecting Controlled Unclassified Information.

Incident Response means having the people, processes, and tools ready to handle security events when they occur—not if they occur, but when.

Every organization will face security incidents. The difference between a minor event and a catastrophic breach often comes down to how quickly and effectively you respond.

Why Incident Response Matters for CMMC

The Department of Defense requires Incident Response because protecting Controlled Unclassified Information (CUI) does not end with preventive controls. When prevention fails, response capability determines the outcome.

CUI stands for Controlled Unclassified Information—sensitive government data requiring protection but not classified as secret.

Beyond CMMC requirements, defense contractors have specific incident reporting obligations under DFARS clause 252.204-7012. You must report cyber incidents affecting covered defense information to the DoD within 72 hours.

DFARS stands for Defense Federal Acquisition Regulation Supplement—contract clauses specific to Department of Defense contracts.

Without an incident response capability, you cannot:

  • Detect that an incident occurred
  • Contain damage before it spreads
  • Meet mandatory reporting timelines
  • Recover operations effectively
  • Learn from incidents to prevent recurrence

The 3 Incident Response Requirements

IR.L2-3.6.1: Incident Handling

“Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.”

This requirement establishes the core incident response capability. You need documented procedures and trained personnel covering six phases:

Preparation: Get ready before incidents occur

  • Develop an incident response plan
  • Train the incident response team
  • Establish communication channels
  • Prepare tools and resources

Detection: Identify that an incident is occurring

  • Monitor systems and networks
  • Review alerts and logs
  • Receive user reports
  • Recognize indicators of compromise

Analysis: Understand what is happening

  • Determine incident scope and impact
  • Identify affected systems
  • Assess data at risk
  • Classify incident severity

Containment: Stop the incident from spreading

  • Isolate affected systems
  • Block malicious activity
  • Preserve evidence
  • Prevent further damage

Recovery: Restore normal operations

  • Remove threats from systems
  • Restore from clean backups
  • Verify system integrity
  • Return to production

User Response: Keep people informed and involved

  • Notify affected users
  • Provide guidance on actions to take
  • Report to management and stakeholders
  • Communicate with external parties as required

IR.L2-3.6.2: Incident Reporting

“Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.”

When incidents occur, you must report them properly:

Internal Reporting

  • Notify management immediately
  • Inform IT and security personnel
  • Update stakeholders on status
  • Document all actions taken

External Reporting

  • Report to DoD within 72 hours (for covered defense information)
  • Notify prime contractors if you are a subcontractor
  • Report to law enforcement if criminal activity is involved
  • Comply with any contractual notification requirements

Documentation

  • Record incident timeline
  • Document systems affected
  • Track response actions
  • Preserve evidence for investigation

The 72-hour DoD reporting requirement is critical. You must report cyber incidents to the DoD Cyber Crime Center (DC3) through the DIBNet portal. Failure to report can result in contract penalties.

DC3 stands for Department of Defense Cyber Crime Center—the organization that receives cyber incident reports from defense contractors.

IR.L2-3.6.3: Incident Response Testing

“Test the organizational incident response capability.”

Having a plan is not enough—you must test it:

  • Conduct tabletop exercises, walking through scenarios
  • Perform technical tests of detection and response tools
  • Practice communication procedures
  • Evaluate response team performance
  • Identify gaps and improve procedures

Test at least annually, and after significant changes to systems or personnel.

Tabletop exercise means walking through an incident scenario verbally as a team, discussing what actions each person would take, without actually performing technical response steps.

Building Your Incident Response Capability

Create an Incident Response Plan

Document your incident response procedures, including:

  • Roles and responsibilities (who does what)
  • Contact information (internal and external)
  • Incident classification criteria
  • Response procedures for common incident types
  • Communication templates
  • Evidence preservation procedures
  • Recovery procedures

Keep the plan accessible—responders need it during incidents when stress is high.

Establish an Incident Response Team

Designate personnel responsible for incident response:

  • Incident Commander: Leads response efforts, makes decisions
  • Technical Lead: Directs technical investigation and remediation
  • Communications Lead: Handles internal and external notifications
  • Documentation Lead: Records actions and maintains evidence

For small businesses, one person may fill multiple roles, but responsibilities must be defined.

Prepare Detection Capabilities

You cannot respond to incidents you do not detect:

  • Configure alerting on security tools
  • Monitor logs for suspicious activity
  • Train users to report anomalies
  • Establish baseline normal behavior to recognize abnormal behavior

Prepare Response Tools

Have tools ready before you need them:

  • Forensic imaging software
  • Malware analysis capabilities
  • Network isolation procedures
  • Clean backup media
  • Communication channels (that work if primary systems are compromised)

Practice Your Response

Conduct regular exercises:

  • Annual tabletop exercises at a minimum
  • Technical drills testing specific capabilities
  • After-action reviews following real incidents
  • Update procedures based on lessons learned

DFARS 72-Hour Reporting Requirement

Defense contractors must report cyber incidents to the DoD within 72 hours. This requirement exists separately from CMMC but connects directly to incident response capability.

What Must Be Reported

Cyber incidents that affect:

  • Covered defense information
  • The contractor’s ability to provide operationally critical support
  • Covered contractor information systems

How to Report

Submit reports through the DIBNet portal at https://dibnet.dod.mil. You need a DIBNet account before an incident occurs—do not wait until you need it.

What to Include

Reports must include:

  • Company information
  • Incident description
  • Affected systems and data
  • Actions taken
  • Malicious software (if applicable)
  • Images of affected systems (within 72 hours of request)

Preserve Evidence

You must preserve images of affected systems and relevant monitoring data for 90 days to support a DoD/DoW investigation if requested.

Common Incident Response Mistakes

Mistake 1: No Plan Until Needed

Creating an incident response plan during an incident is too late. Develop and test your plan before incidents occur.

Mistake 2: Untested Procedures

Plans that have never been tested often fail when needed. Test regularly to identify gaps.

Mistake 3: Missing Contact Information

During incidents, you need to reach people quickly. Maintain current contact lists, including after-hours numbers.

Mistake 4: No DIBNet Account

The 72-hour reporting clock starts when you discover an incident. Having no DIBNet account delays reporting and may result in non-compliance.

Mistake 5: Destroying Evidence

Well-meaning IT staff sometimes rebuild systems immediately, destroying forensic evidence. Preserve evidence before remediation.

Key Takeaways

Incident Response contains only 3 requirements, but establishesa critical capability for handling security events. Develop incident handling procedures covering preparation, detection, analysis, containment, recovery, and user response.

Establish reporting procedures to meet the 72-hour DoD notification requirement. Test your incident response capability at least annually through tabletop exercises.

Preparation is everything in incident response. The time to build capability is before you need it.


Related Articles:

Official Sources: This article is based on NIST SP 800-171 Revision 2 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” specifically the Incident Response family (Section 3.6), DFARS clause 252.204-7012, and the DoD CMMC Level 2 Assessment Guide.


Need help building your incident response capability for CMMC compliance? Contact Greypike for expert guidance on Level 1 and Level 2 certification, or get started with Obolix to streamline your compliance journey.

Table of Contents