Welcome to the CMMC Knowledgebase. Search for CMMC, resources, tools, sources, sites, and platforms using the search box below.
We add more to the database weekly, check back often.
If you cannot find an answer then contact us or click the chat button on the lower right..
-
Artificial Intelligence (AI)
-
CMMC Fundamentals
-
CMMC Levels & Requirements
-
The 14 Control Families
- Access Control (AC)
- Awareness and Training (AT)
- Audit and Accountability (AU)
- Configuration Management (CM)
- Identification and Authentication (IA)
- CMMC Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PE)
- Risk Assessment (RA)
- Security Assessment (CA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
-
Implementation Roadmaps
-
Industry-Specific Guides
-
CMMC Documentation & Evidence
-
SPRS & Self-Assessment
-
CMMC Costs & Budgeting
-
Technology & Tools
-
CMMC Training & Awareness
-
Policies & Procedures
- How to Submit Your SPRS Score: PIEE Step-by-Step Guide [2026 Update]
- CMMC Policies and Procedures: What Documentation You Need
- How to Write a System Security Plan: The Owner's Guide to the One Document That Gates Everything
- Creating a Plan of Action and Milestones for CMMC
- Documenting Evidence for CMMC Assessment
-
Supply Chain & Third-Party Risk
-
Incident Response & Breach Reporting
-
Common Mistakes & Failures
-
Advanced Topics & Level 2
-
Updates & Regulatory Changes
CMMC Incident Response (IR)
Incident Response contains 3 CMMC Level 2 requirements focused on preparing for and handling security incidents. These controls ensure you can detect, respond to, and recover from cyberattacks or security breaches affecting Controlled Unclassified Information.
Incident Response means having the people, processes, and tools ready to handle security events when they occur—not if they occur, but when.
Every organization will face security incidents. The difference between a minor event and a catastrophic breach often comes down to how quickly and effectively you respond.
Why Incident Response Matters for CMMC
The Department of Defense requires Incident Response because protecting Controlled Unclassified Information (CUI) does not end with preventive controls. When prevention fails, response capability determines the outcome.
CUI stands for Controlled Unclassified Information—sensitive government data requiring protection but not classified as secret.
Beyond CMMC requirements, defense contractors have specific incident reporting obligations under DFARS clause 252.204-7012. You must report cyber incidents affecting covered defense information to the DoD within 72 hours.
DFARS stands for Defense Federal Acquisition Regulation Supplement—contract clauses specific to Department of Defense contracts.
Without an incident response capability, you cannot:
- Detect that an incident occurred
- Contain damage before it spreads
- Meet mandatory reporting timelines
- Recover operations effectively
- Learn from incidents to prevent recurrence
The 3 Incident Response Requirements
IR.L2-3.6.1: Incident Handling
“Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.”
This requirement establishes the core incident response capability. You need documented procedures and trained personnel covering six phases:
Preparation: Get ready before incidents occur
- Develop an incident response plan
- Train the incident response team
- Establish communication channels
- Prepare tools and resources
Detection: Identify that an incident is occurring
- Monitor systems and networks
- Review alerts and logs
- Receive user reports
- Recognize indicators of compromise
Analysis: Understand what is happening
- Determine incident scope and impact
- Identify affected systems
- Assess data at risk
- Classify incident severity
Containment: Stop the incident from spreading
- Isolate affected systems
- Block malicious activity
- Preserve evidence
- Prevent further damage
Recovery: Restore normal operations
- Remove threats from systems
- Restore from clean backups
- Verify system integrity
- Return to production
User Response: Keep people informed and involved
- Notify affected users
- Provide guidance on actions to take
- Report to management and stakeholders
- Communicate with external parties as required
IR.L2-3.6.2: Incident Reporting
“Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.”
When incidents occur, you must report them properly:
Internal Reporting
- Notify management immediately
- Inform IT and security personnel
- Update stakeholders on status
- Document all actions taken
External Reporting
- Report to DoD within 72 hours (for covered defense information)
- Notify prime contractors if you are a subcontractor
- Report to law enforcement if criminal activity is involved
- Comply with any contractual notification requirements
Documentation
- Record incident timeline
- Document systems affected
- Track response actions
- Preserve evidence for investigation
The 72-hour DoD reporting requirement is critical. You must report cyber incidents to the DoD Cyber Crime Center (DC3) through the DIBNet portal. Failure to report can result in contract penalties.
DC3 stands for Department of Defense Cyber Crime Center—the organization that receives cyber incident reports from defense contractors.
IR.L2-3.6.3: Incident Response Testing
“Test the organizational incident response capability.”
Having a plan is not enough—you must test it:
- Conduct tabletop exercises, walking through scenarios
- Perform technical tests of detection and response tools
- Practice communication procedures
- Evaluate response team performance
- Identify gaps and improve procedures
Test at least annually, and after significant changes to systems or personnel.
Tabletop exercise means walking through an incident scenario verbally as a team, discussing what actions each person would take, without actually performing technical response steps.
Building Your Incident Response Capability
Create an Incident Response Plan
Document your incident response procedures, including:
- Roles and responsibilities (who does what)
- Contact information (internal and external)
- Incident classification criteria
- Response procedures for common incident types
- Communication templates
- Evidence preservation procedures
- Recovery procedures
Keep the plan accessible—responders need it during incidents when stress is high.
Establish an Incident Response Team
Designate personnel responsible for incident response:
- Incident Commander: Leads response efforts, makes decisions
- Technical Lead: Directs technical investigation and remediation
- Communications Lead: Handles internal and external notifications
- Documentation Lead: Records actions and maintains evidence
For small businesses, one person may fill multiple roles, but responsibilities must be defined.
Prepare Detection Capabilities
You cannot respond to incidents you do not detect:
- Configure alerting on security tools
- Monitor logs for suspicious activity
- Train users to report anomalies
- Establish baseline normal behavior to recognize abnormal behavior
Prepare Response Tools
Have tools ready before you need them:
- Forensic imaging software
- Malware analysis capabilities
- Network isolation procedures
- Clean backup media
- Communication channels (that work if primary systems are compromised)
Practice Your Response
Conduct regular exercises:
- Annual tabletop exercises at a minimum
- Technical drills testing specific capabilities
- After-action reviews following real incidents
- Update procedures based on lessons learned
DFARS 72-Hour Reporting Requirement
Defense contractors must report cyber incidents to the DoD within 72 hours. This requirement exists separately from CMMC but connects directly to incident response capability.
What Must Be Reported
Cyber incidents that affect:
- Covered defense information
- The contractor’s ability to provide operationally critical support
- Covered contractor information systems
How to Report
Submit reports through the DIBNet portal at https://dibnet.dod.mil. You need a DIBNet account before an incident occurs—do not wait until you need it.
What to Include
Reports must include:
- Company information
- Incident description
- Affected systems and data
- Actions taken
- Malicious software (if applicable)
- Images of affected systems (within 72 hours of request)
Preserve Evidence
You must preserve images of affected systems and relevant monitoring data for 90 days to support a DoD/DoW investigation if requested.
Common Incident Response Mistakes
Mistake 1: No Plan Until Needed
Creating an incident response plan during an incident is too late. Develop and test your plan before incidents occur.
Mistake 2: Untested Procedures
Plans that have never been tested often fail when needed. Test regularly to identify gaps.
Mistake 3: Missing Contact Information
During incidents, you need to reach people quickly. Maintain current contact lists, including after-hours numbers.
Mistake 4: No DIBNet Account
The 72-hour reporting clock starts when you discover an incident. Having no DIBNet account delays reporting and may result in non-compliance.
Mistake 5: Destroying Evidence
Well-meaning IT staff sometimes rebuild systems immediately, destroying forensic evidence. Preserve evidence before remediation.
Key Takeaways
Incident Response contains only 3 requirements, but establishesa critical capability for handling security events. Develop incident handling procedures covering preparation, detection, analysis, containment, recovery, and user response.
Establish reporting procedures to meet the 72-hour DoD notification requirement. Test your incident response capability at least annually through tabletop exercises.
Preparation is everything in incident response. The time to build capability is before you need it.
Related Articles:
- What is CMMC Level 2?
- CMMC Access Control Requirements for Level 2
- NIST SP 800-171 Rev 2 – Incident Response Family
- DFARS 252.204-7012
- DIBNet Cyber Incident Reporting
- 32 CFR Part 170 – CMMC Program Rule
Official Sources: This article is based on NIST SP 800-171 Revision 2 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” specifically the Incident Response family (Section 3.6), DFARS clause 252.204-7012, and the DoD CMMC Level 2 Assessment Guide.
Need help building your incident response capability for CMMC compliance? Contact Greypike for expert guidance on Level 1 and Level 2 certification, or get started with Obolix to streamline your compliance journey.