Welcome to the CMMC Knowledgebase. Search for CMMC, resources, tools, sources, sites, and platforms using the search box below.
We add more to the database weekly, check back often.
If you cannot find an answer then contact us or click the chat button on the lower right..
-
Artificial Intelligence (AI)
-
CMMC Fundamentals
-
CMMC Levels & Requirements
-
The 14 Control Families
- Access Control (AC)
- Awareness and Training (AT)
- Audit and Accountability (AU)
- Configuration Management (CM)
- Identification and Authentication (IA)
- CMMC Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PE)
- Risk Assessment (RA)
- Security Assessment (CA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
-
Implementation Roadmaps
-
Industry-Specific Guides
-
CMMC Documentation & Evidence
-
SPRS & Self-Assessment
-
CMMC Costs & Budgeting
-
Technology & Tools
-
CMMC Training & Awareness
-
Policies & Procedures
- How to Submit Your SPRS Score: PIEE Step-by-Step Guide [2026 Update]
- CMMC Policies and Procedures: What Documentation You Need
- How to Write a System Security Plan: The Owner's Guide to the One Document That Gates Everything
- Creating a Plan of Action and Milestones for CMMC
- Documenting Evidence for CMMC Assessment
-
Supply Chain & Third-Party Risk
-
Incident Response & Breach Reporting
-
Common Mistakes & Failures
-
Advanced Topics & Level 2
-
Updates & Regulatory Changes
CMMC Incident Response Requirements: The Three IR Controls Explained
When a security incident strikes, your CMMC incident response determines whether it becomes a minor disruption or a catastrophic breach. CMMC recognizes this by requiring defense contractors to establish, maintain, and test incident response capabilities. The Incident Response control family may be small—just three requirements—but its importance to protecting Controlled Unclassified Information cannot be overstated.
CMMC stands for Cybersecurity Maturity Model Certification—the DoD’s mandatory cybersecurity program for defense contractors.
CUI stands for Controlled Unclassified Information—sensitive government data requiring protection but not classified as secret.
This guide explains each Incident Response requirement and how to implement them effectively.
The Three Incident Response Requirements
CMMC Level 2 includes three requirements in the Incident Response (IR) control family:
IR.L2-3.6.1: Incident Handling
“Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.”
This requirement ensures you have a complete incident response program covering the full incident lifecycle:
- Preparation – Planning, training, and readiness activities before incidents occur
- Detection – Identifying that a security incident has occurred
- Analysis – Understanding the nature, scope, and impact of the incident
- Containment – Stopping the incident from spreading or causing additional damage
- Recovery – Restoring systems and operations to normal
- User Response – Communicating with and supporting affected users
You cannot simply react when incidents happen. You need established capabilities ready to execute.
IR.L2-3.6.2: Incident Reporting
“Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.”
This requirement ensures incidents are properly documented and reported:
- Tracking – Maintaining records of all incidents
- Documentation – Recording incident details, response actions, and outcomes
- Internal Reporting – Notifying appropriate personnel within your organization
- External Reporting – Reporting to outside parties as required (including DoD)
For defense contractors, external reporting includes the critical 72-hour notification to the DoD Cyber Crime Center (DC3) when CUI is potentially compromised.
IR.L2-3.6.3: Incident Response Testing
“Test the organizational incident response capability.”
This requirement ensures your incident response actually works:
- Regular testing of response procedures
- Verification that personnel know their roles
- Identification of gaps before real incidents occur
- Continuous improvement based on test results
Untested incident response plans often fail when needed most. Testing validates your capabilities.
Implementing Incident Handling (IR.L2-3.6.1)
Building operational incident-handling capability requires several components:
Incident Response Plan
Document your approach to handling incidents:
- Incident definitions and classification criteria
- Roles and responsibilities
- Communication procedures
- Response procedures for different incident types
- Escalation paths
- External notification requirements
Incident Response Team
Designate personnel responsible for response:
- Primary incident responders
- Technical support personnel
- Management contacts
- Legal and communications support
- External resources (if applicable)
For small organizations, the “team” may be one or two people with defined responsibilities rather than a dedicated group.
Detection Capabilities
Implement tools and processes to identify incidents:
- Security monitoring and alerting
- Log analysis
- User reporting mechanisms
- Automated threat detection
You cannot respond to incidents you do not detect. Detection capabilities are foundational.
Response Procedures
Develop procedures for common incident types:
- Malware infections
- Unauthorized access attempts
- Data breaches or potential CUI exposure
- Phishing compromises
- Ransomware attacks
- Lost or stolen devices
Procedures should be specific enough to guide action but flexible enough for varying circumstances.
Recovery Capabilities
Ensure you can restore operations:
- Backup and restoration procedures
- System rebuild capabilities
- Data recovery processes
- Business continuity plans
Recovery completes the incident lifecycle and restores normal operations.
Implementing Incident Reporting (IR.L2-3.6.2)
Proper incident reporting requires defined processes:
Internal Reporting Structure
Define who needs to know about incidents:
- IT and security personnel (immediate)
- Management (based on severity)
- Legal counsel (for significant incidents)
- Affected business units
Establish severity levels that trigger different reporting requirements.
Incident Documentation
Record essential information for every incident:
- Date and time of detection
- How the incident was discovered
- Description of the incident
- Systems and data affected
- Response actions taken
- Personnel involved in response
- Timeline of events
- Root cause (when determined)
- Lessons learned
External Reporting Requirements
For defense contractors, external reporting includes:
- DoD DC3 Notification – Within 72 hours for incidents potentially affecting CUI
- Law Enforcement – For criminal activity
- Prime Contractors – Per contractual requirements
- Regulatory Bodies – If other regulations apply
The 72-hour DoD notification is particularly critical and has specific requirements covered in a separate article.
Incident Tracking System
Maintain records of all incidents:
- Incident log or database
- Status tracking through resolution
- Trend analysis over time
- Evidence preservation
Implementing Incident Response Testing (IR.L2-3.6.3)
Testing validates your incident response capabilities:
Tabletop Exercises
Walk through scenarios verbally without technical execution:
- Present a hypothetical incident scenario
- Discuss how the team would respond
- Identify gaps in procedures or knowledge
- Low cost and easy to conduct
- Recommended frequency: At least annually
Example scenario: “It’s Monday morning. Your SIEM alerts show unusual data transfers from a server containing CUI over the weekend. The transfers went to an external IP address. Walk me through your response.”
Functional Exercises
Test specific capabilities in isolation:
- Backup restoration testing
- Communication tree verification
- Tool and technology testing
- Individual procedure validation
Full-Scale Exercises
Simulate actual incidents with technical response:
- More resource-intensive
- Tests end-to-end capabilities
- Reveals integration issues
- Appropriate for mature programs
Testing Documentation
Document all testing activities:
- Exercise date and participants
- Scenario or capabilities tested
- Observations and findings
- Identified improvements
- Follow-up actions
Common Incident Types for Defense Contractors
Prepare response procedures for likely incidents:
Malware and Ransomware
- Detection through endpoint protection or user reports
- Isolation of affected systems
- Malware analysis and removal
- System restoration from clean backups
- Root cause investigation
Phishing Compromises
- Credential reset for affected accounts
- Review of account activity
- Assessment of data access
- Additional monitoring
- User notification and training
Unauthorized Access
- Access termination
- Forensic investigation
- Scope determination
- Notification if CUI accessed
- Control improvements
Lost or Stolen Devices
- Remote wipe capability
- Access revocation
- Assessment of data exposure
- Notification if CUI is involved
- Device encryption verification
Data Breaches
- Containment of data exposure
- Scope and impact assessment
- 72-hour DoD notification if CUI is involved
- Evidence preservation
- Remediation and prevention
Incident Response for Small Organizations
Small defense contractors can implement effective incident response without dedicated security teams:
Simplified Approach
- Document basic procedures in a concise plan
- Designate primary and backup responders
- Focus on the most likely incident types
- Leverage external resources when needed
External Resources
- Managed security service providers
- Incident response retainer services
- Cyber insurance response services
- Industry sharing organizations
Essential Capabilities
Even small organizations need:
- Written incident response plan
- Designated response personnel
- Contact information for reporting
- Basic detection capabilities
- Tested backup and recovery
Documenting for Assessment
CMMC assessors will verify your incident response program:
Required Documentation
- Incident response plan
- Roles and responsibilities
- Contact lists and escalation procedures
- Incident reporting procedures
- Testing records and results
Evidence to Maintain
- Incident logs (even if no major incidents)
- Test exercise documentation
- Training records for response personnel
- Communication of procedures to staff
If You Have Had Incidents
Be prepared to discuss:
- How incidents were detected
- Response actions taken
- Reporting completed
- Lessons learned and improvements
Having incidents is not necessarily negative—demonstrating an effective response is positive evidence.
Key Takeaways
CMMC requires operational incident response capabilities covering preparation, detection, analysis, containment, recovery, and user response. You must track and report incidents internally and externally, including the critical 72-hour DoD notification for CUI incidents.
Test your incident response at least annually through tabletop exercises or functional testing. Document your program, testing, and any actual incidents thoroughly.
Even small organizations need incident response capabilities. Start with basic procedures and designated personnel, then build capabilities over time.
Related Articles:
- 72-Hour DoD Breach Notification Requirements
- Building an Incident Response Plan for CMMC
- CMMC Audit and Accountability Requirements
- EDR Solutions for CMMC Compliance
- NIST SP 800-171 Rev 2 – Incident Response
- NIST SP 800-61 Rev 2 – Computer Security Incident Handling Guide
- 32 CFR Part 170 – CMMC Program Rule
Official Sources: This article is based on NIST SP 800-171 Revision 2 Incident Response requirements (Section 3.6), NIST SP 800-61 Rev 2 (Computer Security Incident Handling Guide), and 32 CFR Part 170.
Is your incident response program ready for CMMC assessment? Contact Greypike for expert help building and testing your incident response capabilities. For Level 1 certification, Obolix provides everything you need to get compliant in a week or less—including incident response documentation templates.