Josh Ablett

Incident Response (IR) Guide for CMMC Level 2.0 Compliance

January 17, 2024

Welcome to our Incident Response (IR) guide for CMMC Level 2.0 Compliance. This guide is designed for smaller companies and DoD contractors. We will walk you through the essential steps for effectively managing cybersecurity incidents, providing clear instructions and actionable insights to ensure your organization’s preparedness.

Our mission is to simplify the path to CMMC certification while emphasizing the critical role of incident response in safeguarding your data, operations, and compliance status. By following our guidance, your business will not only align with CMMC Level 2.0 standards but also strengthen its cybersecurity posture against potential threats.

Should you need further assistance, we offer personalized consultations to help your organization navigate the complexities of CMMC compliance efficiently and in a way that fits your unique needs.


IR.L2-3.6.1 – INCIDENT HANDLING

“Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities.”

Level Of Effort: Medium

For CMMC Level 2 compliance, it's important to have a plan for dealing with cybersecurity incidents. This means creating a process for preparing, detecting, analyzing, recovering, and responding to incidents. 

Recommendations:

  • Make an Incident Response Policy: You can find free templates online and change them to fit your company. You can start with this Free Incident Response Policy Template.
  • Keep track of incidents: Make a sheet where you write down every incident that happens. Include details like when it happened and if you told anyone outside your company.
  • Train your team for their roles: Different people need to know different things. Regular workers might need to learn how to spot and tell someone about an incident. People who work on solving these issues need more training on things like understanding how the problem happened and fixing it.

IR.L2-3.6.2 – INCIDENT REPORTING

“Track, document, and report incidents to appropriate officials and/or authorities both internal and external to the organization.”

Level Of Effort: Medium

This rule makes companies track and report security incidents. They must inform specific people inside and outside their company. 

Remember, it's important to report any security issues to the Department of Defense (DoD) within 72 hours.

Recommendations:

Evidence:

  • Your special certificate: Keep a copy of your DoD-approved certificate.
  • Your record of incidents: Have a place where you write down all security incidents.
  • Your updated security plan: Ensure it includes the requirement to report incidents within 72 hours.

IR.L2-3.6.3 – INCIDENT RESPONSE TESTING

“Test the organizational incident response capability.”

Level Of Effort: Medium

To meet CMMC Level 2 standards, it's important to check how well your plans for handling security incidents work. This means doing tests to see if your incident response capabilities are strong enough and to identify weak spots.

Recommendations:

  • Run tests on how you handle incidents: Pick a possible security problem, like a fake phishing attack, and use it for a practice run with your team. This kind of test is called a tabletop exercise, where you and your team pretend a security issue has happened and work through how you’d respond. It’s a great way to spot any problems in your plans.
  • Consider getting help from experts: There are Virtual CISO and cybersecurity companies (including cool new startups like ChaosTrack) that can help you with these exercises. They usually charge between $1,000 and $10,000.
  • Use ready-made scenarios: The Cybersecurity and Infrastructure Security Agency (CISA) has some example scenarios you can use for free. Check them out here: Cybersecurity Scenarios | CISA.

Evidence:

  • Records from your practice run: Keep reports, findings, or summaries from your tabletop exercises or any other tests you do on how you’d handle a security incident.

Copyright 2025 Adelia Associates, LLC | All Rights Reserved