CMMC 2.0 Level 2 Incident Response Plan (IRP)

1 Executive Summary

▼

Purpose & Importance

Compliance Framework: This IRP must be developed based on NIST SP 800-61 Rev. 3 guidance and address all incident response requirements from NIST SP 800-171 required for CMMC 2.0 Level 2 certification (IR.L2-3.6.1 through IR.L2-3.6.3).

Scope

Applicability

2Organization Overview

▼

CUI & Security Assets in Scope

CUI Assets

Security Protection Assets

Network Segmentation

CUI Zone:

Management Zone:

Guest Network:

OT / Other Network:

3Incident Response Team Structure

▼

Fill in the contact and responsibility details for each role. Use the button below to add additional roles as needed.

🔷 Incident Response Manager

Primary:

Backup:

Email:

Phone:

Responsibilities:

🔶 Security Analyst

Primary:

Backup:

Email:

Phone:

Responsibilities:

🔧 IT Operations Lead

Primary:

Backup:

Email:

Phone:

Responsibilities:

📢 Communications Officer

Primary:

Backup:

Email:

Phone:

Responsibilities:

24/7 Contact Protocol: All IR team members must be reachable within minutes during business hours and within hours during off-hours. Describe your escalation procedure and automated alert mechanism here.

4Incident Classification & Prioritization

▼

Define the incident categories and response time targets for your organization. Edit each priority tier with the specific incident types relevant to your case study.

🔴 CRITICAL — Priority 1

Response Time: Reporting:

🟠 HIGH — Priority 2

Response Time: Reporting:

🟡 MEDIUM — Priority 3

Response Time: Reporting:

🟢 LOW — Priority 4

Response Time: Reporting:

5Incident Response Lifecycle

▼

Describe your organization's activities in each phase of the NIST SP 800-61 incident response lifecycle. Click ✏️ Edit Mode to edit phase descriptions.

1

Preparation

2

Detection & Analysis

3

Containment

4

Eradication

5

Recovery

6

Lessons Learned

CMMC Integration: Each phase must maintain CUI protection and include documentation for CMMC assessments. All incident activities must be logged with timestamps, and evidence must be preserved following proper chain-of-custody procedures for potential DoD review.

6Detection and Analysis Procedures

▼

Detection Sources

Analysis Procedures

Evidence Handling

CUI Handling Rule: Any incident involving CUI assets automatically escalates to Priority 1 or 2 and requires immediate CISO notification within minutes, followed by DIBNet reporting within 72 hours.

7Containment and Eradication Strategies

▼

Containment Strategies

Short-term Containment

Long-term Containment

Eradication Procedures

Recovery Procedures

Post-Incident Activities

8Evidence Preservation & Forensics

▼

Forensic Collection Priorities

Chain of Custody Procedures

Forensic Tools & Resources

Legal Considerations: Do not perform forensic analysis on systems without proper authorization. Consult with legal counsel before engaging law enforcement. Ensure all forensic activities comply with CMMC evidence retention requirements and applicable laws.

9Communication and Reporting Protocols

▼

🚨 CRITICAL REQUIREMENT: All incidents involving CUI must be reported to DoD via DIBNet (https://dibnet.dod.mil) within 72 hours. Ensure a DoD-approved medium assurance certificate is available for reporting. Failure to report may result in contract termination.

Internal Communication

External Reporting Requirements

Emergency Contact Directory

DIBNet Portal:

DoD Cyber Crime Center (DC3):

FBI Cyber Division:

CISA:

Cyber Insurance Carrier:

Legal Counsel:

External Forensics Vendor:

10Training and Exercise Programs

▼

Training Requirements

Exercise Schedule

CMMC Requirement (IR.L2-3.6.3): Regular testing of incident response capabilities through tabletop exercises is mandatory for CMMC Level 2 compliance. All exercises must be documented and records maintained for at least 3 years for potential assessment review.

Tabletop Exercise Scenarios

Use the 🎯 Tabletop Exercise button in the toolbar to launch the interactive scenario panel. Scenarios added there will appear below when saved.

No tabletop scenarios recorded yet — use the Tabletop Exercise button to add scenarios.

🛡️ Incident Response Plan (IRP)

1 Executive Summary

Purpose & Importance

Scope

Applicability

2Organization Overview

Company Information

CUI & Security Assets in Scope

CUI Assets

Security Protection Assets

Network Segmentation

3Incident Response Team Structure

🔷 Incident Response Manager

🔶 Security Analyst

🔧 IT Operations Lead

📢 Communications Officer

4Incident Classification & Prioritization

🔴 CRITICAL — Priority 1

🟠 HIGH — Priority 2

🟡 MEDIUM — Priority 3

🟢 LOW — Priority 4

5Incident Response Lifecycle

Preparation

Detection & Analysis

Containment

Eradication

Recovery

Lessons Learned

6Detection and Analysis Procedures

Detection Sources

Analysis Procedures

Evidence Handling

7Containment and Eradication Strategies

Containment Strategies

Short-term Containment

Long-term Containment

Eradication Procedures

Recovery Procedures

Post-Incident Activities

8Evidence Preservation & Forensics

Forensic Collection Priorities

Chain of Custody Procedures

Forensic Tools & Resources

9Communication and Reporting Protocols

Internal Communication

External Reporting Requirements

Emergency Contact Directory

10Training and Exercise Programs

Training Requirements

Exercise Schedule

Tabletop Exercise Scenarios

🎯 Tabletop Exercise Scenarios

Scenario 1: CUI Data Breach via Email

Scenario 2: Ransomware Attack on CUI Systems

Scenario 3: Insider Threat — Terminated Employee

Add New Scenario

⚠️ Reset All Data?