Skip to main content
Greypike's CMMC Knowledge Base

Welcome to the CMMC Knowledgebase. Search for CMMC, resources, tools, sources, sites, and platforms using the search box below.
We add more to the database weekly, check back often.

If you cannot find an answer then contact us or click the chat button on the lower right..

< All Topics
Print

CMMC Incident Response Requirements: The Three IR Controls Explained

When a security incident strikes, your CMMC incident response determines whether it becomes a minor disruption or a catastrophic breach. CMMC recognizes this by requiring defense contractors to establish, maintain, and test incident response capabilities. The Incident Response control family may be small—just three requirements—but its importance to protecting Controlled Unclassified Information cannot be overstated.

CMMC stands for Cybersecurity Maturity Model Certification—the DoD’s mandatory cybersecurity program for defense contractors.

CUI stands for Controlled Unclassified Information—sensitive government data requiring protection but not classified as secret.

This guide explains each Incident Response requirement and how to implement them effectively.

The Three Incident Response Requirements

CMMC Level 2 includes three requirements in the Incident Response (IR) control family:

IR.L2-3.6.1: Incident Handling

“Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.”

This requirement ensures you have a complete incident response program covering the full incident lifecycle:

  • Preparation – Planning, training, and readiness activities before incidents occur
  • Detection – Identifying that a security incident has occurred
  • Analysis – Understanding the nature, scope, and impact of the incident
  • Containment – Stopping the incident from spreading or causing additional damage
  • Recovery – Restoring systems and operations to normal
  • User Response – Communicating with and supporting affected users

You cannot simply react when incidents happen. You need established capabilities ready to execute.

IR.L2-3.6.2: Incident Reporting

“Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.”

This requirement ensures incidents are properly documented and reported:

  • Tracking – Maintaining records of all incidents
  • Documentation – Recording incident details, response actions, and outcomes
  • Internal Reporting – Notifying appropriate personnel within your organization
  • External Reporting – Reporting to outside parties as required (including DoD)

For defense contractors, external reporting includes the critical 72-hour notification to the DoD Cyber Crime Center (DC3) when CUI is potentially compromised.

IR.L2-3.6.3: Incident Response Testing

“Test the organizational incident response capability.”

This requirement ensures your incident response actually works:

  • Regular testing of response procedures
  • Verification that personnel know their roles
  • Identification of gaps before real incidents occur
  • Continuous improvement based on test results

Untested incident response plans often fail when needed most. Testing validates your capabilities.

Implementing Incident Handling (IR.L2-3.6.1)

Building operational incident-handling capability requires several components:

Incident Response Plan

Document your approach to handling incidents:

  • Incident definitions and classification criteria
  • Roles and responsibilities
  • Communication procedures
  • Response procedures for different incident types
  • Escalation paths
  • External notification requirements

Incident Response Team

Designate personnel responsible for response:

  • Primary incident responders
  • Technical support personnel
  • Management contacts
  • Legal and communications support
  • External resources (if applicable)

For small organizations, the “team” may be one or two people with defined responsibilities rather than a dedicated group.

Detection Capabilities

Implement tools and processes to identify incidents:

  • Security monitoring and alerting
  • Log analysis
  • User reporting mechanisms
  • Automated threat detection

You cannot respond to incidents you do not detect. Detection capabilities are foundational.

Response Procedures

Develop procedures for common incident types:

  • Malware infections
  • Unauthorized access attempts
  • Data breaches or potential CUI exposure
  • Phishing compromises
  • Ransomware attacks
  • Lost or stolen devices

Procedures should be specific enough to guide action but flexible enough for varying circumstances.

Recovery Capabilities

Ensure you can restore operations:

  • Backup and restoration procedures
  • System rebuild capabilities
  • Data recovery processes
  • Business continuity plans

Recovery completes the incident lifecycle and restores normal operations.

Implementing Incident Reporting (IR.L2-3.6.2)

Proper incident reporting requires defined processes:

Internal Reporting Structure

Define who needs to know about incidents:

  • IT and security personnel (immediate)
  • Management (based on severity)
  • Legal counsel (for significant incidents)
  • Affected business units

Establish severity levels that trigger different reporting requirements.

Incident Documentation

Record essential information for every incident:

  • Date and time of detection
  • How the incident was discovered
  • Description of the incident
  • Systems and data affected
  • Response actions taken
  • Personnel involved in response
  • Timeline of events
  • Root cause (when determined)
  • Lessons learned

External Reporting Requirements

For defense contractors, external reporting includes:

  • DoD DC3 Notification – Within 72 hours for incidents potentially affecting CUI
  • Law Enforcement – For criminal activity
  • Prime Contractors – Per contractual requirements
  • Regulatory Bodies – If other regulations apply

The 72-hour DoD notification is particularly critical and has specific requirements covered in a separate article.

Incident Tracking System

Maintain records of all incidents:

  • Incident log or database
  • Status tracking through resolution
  • Trend analysis over time
  • Evidence preservation

Implementing Incident Response Testing (IR.L2-3.6.3)

Testing validates your incident response capabilities:

Tabletop Exercises

Walk through scenarios verbally without technical execution:

  • Present a hypothetical incident scenario
  • Discuss how the team would respond
  • Identify gaps in procedures or knowledge
  • Low cost and easy to conduct
  • Recommended frequency: At least annually

Example scenario: “It’s Monday morning. Your SIEM alerts show unusual data transfers from a server containing CUI over the weekend. The transfers went to an external IP address. Walk me through your response.”

Functional Exercises

Test specific capabilities in isolation:

  • Backup restoration testing
  • Communication tree verification
  • Tool and technology testing
  • Individual procedure validation

Full-Scale Exercises

Simulate actual incidents with technical response:

  • More resource-intensive
  • Tests end-to-end capabilities
  • Reveals integration issues
  • Appropriate for mature programs

Testing Documentation

Document all testing activities:

  • Exercise date and participants
  • Scenario or capabilities tested
  • Observations and findings
  • Identified improvements
  • Follow-up actions

Common Incident Types for Defense Contractors

Prepare response procedures for likely incidents:

Malware and Ransomware

  • Detection through endpoint protection or user reports
  • Isolation of affected systems
  • Malware analysis and removal
  • System restoration from clean backups
  • Root cause investigation

Phishing Compromises

  • Credential reset for affected accounts
  • Review of account activity
  • Assessment of data access
  • Additional monitoring
  • User notification and training

Unauthorized Access

  • Access termination
  • Forensic investigation
  • Scope determination
  • Notification if CUI accessed
  • Control improvements

Lost or Stolen Devices

  • Remote wipe capability
  • Access revocation
  • Assessment of data exposure
  • Notification if CUI is involved
  • Device encryption verification

Data Breaches

  • Containment of data exposure
  • Scope and impact assessment
  • 72-hour DoD notification if CUI is involved
  • Evidence preservation
  • Remediation and prevention

Incident Response for Small Organizations

Small defense contractors can implement effective incident response without dedicated security teams:

Simplified Approach

  • Document basic procedures in a concise plan
  • Designate primary and backup responders
  • Focus on the most likely incident types
  • Leverage external resources when needed

External Resources

  • Managed security service providers
  • Incident response retainer services
  • Cyber insurance response services
  • Industry sharing organizations

Essential Capabilities

Even small organizations need:

  • Written incident response plan
  • Designated response personnel
  • Contact information for reporting
  • Basic detection capabilities
  • Tested backup and recovery

Documenting for Assessment

CMMC assessors will verify your incident response program:

Required Documentation

  • Incident response plan
  • Roles and responsibilities
  • Contact lists and escalation procedures
  • Incident reporting procedures
  • Testing records and results

Evidence to Maintain

  • Incident logs (even if no major incidents)
  • Test exercise documentation
  • Training records for response personnel
  • Communication of procedures to staff

If You Have Had Incidents

Be prepared to discuss:

  • How incidents were detected
  • Response actions taken
  • Reporting completed
  • Lessons learned and improvements

Having incidents is not necessarily negative—demonstrating an effective response is positive evidence.

Key Takeaways

CMMC requires operational incident response capabilities covering preparation, detection, analysis, containment, recovery, and user response. You must track and report incidents internally and externally, including the critical 72-hour DoD notification for CUI incidents.

Test your incident response at least annually through tabletop exercises or functional testing. Document your program, testing, and any actual incidents thoroughly.

Even small organizations need incident response capabilities. Start with basic procedures and designated personnel, then build capabilities over time.

Related Articles:

Official Sources: This article is based on NIST SP 800-171 Revision 2 Incident Response requirements (Section 3.6), NIST SP 800-61 Rev 2 (Computer Security Incident Handling Guide), and 32 CFR Part 170.

Is your incident response program ready for CMMC assessment? Contact Greypike for expert help building and testing your incident response capabilities. For Level 1 certification, Obolix provides everything you need to get compliant in a week or less—including incident response documentation templates.

Table of Contents