1. Executive Summary

Purpose & Importance

This Incident Response Plan (IRP) ensures ACME Technology Services Corporation can effectively respond to cybersecurity incidents while maintaining Controlled Unclassified Information (CUI) protection and meeting CMMC 2.0 Level 2 reporting requirements. The plan addresses various incident types including malware infections, data breaches, insider threats, and supply chain attacks, integrating with existing business continuity plans.

Compliance Framework: This IRP is developed based on NIST SP 800-61 Rev. 3 guidance and meets all 110 NIST SP 800-171 security requirements assessed for CMMC 2.0 Level 2 certification.

Scope

This plan covers all ACME Technology Services Corporation systems, including 38 laptops, 2 physical servers, 8 networked printers, cloud backups via Microsoft Azure and AWS, and all CUI assets within our segmented network environment in El Paso, Texas.

2. Organization Overview

Company Information

Company: ACME Technology Services Corporation

Location: El Paso, Texas

Employees: 64

Business: Defense contractor providing uniform and textile logistics services to the U.S. Army

CISO: Raymond Lawrence

Review Date: June 15, 2025

CUI Assets

  • Primary Data Server (CUI-001)
  • Azure Cloud Backup (CUI-002)
  • Contract Coordinator Workstations (CUI-003 to CUI-005)
  • CISO Management Workstation (CUI-006)
  • Secure File Server (CUI-007)

Security Assets

  • Enterprise Firewall (SPA-001)
  • VPN Gateway (SPA-002)
  • Endpoint Protection (SPA-004)
  • SIEM System (SPA-005)
  • Badge Access Control (SPA-006)

Network Segmentation

CUI Zone: Secure access to servers, cloud backups, and contract management

Management Zone: Admin and IT operations

Guest Network: Isolated from internal systems

OT Network: Dedicated to building control systems

3. Incident Response Team Structure

Incident Response Manager

Primary: Raymond Lawrence (CISO)

Contact: rlawrence@acmetech.mil

Phone: (915) 555-0101

Responsibilities: Overall incident management, coordination with external agencies, executive reporting

Security Analyst

Primary: [To be assigned]

Responsibilities: Initial incident detection, analysis, containment recommendations, forensic evidence collection

IT Operations Lead

Primary: [To be assigned]

Responsibilities: System isolation, backup restoration, infrastructure recovery, network segmentation enforcement

Communications Officer

Primary: [To be assigned]

Responsibilities: Internal notifications, external reporting to DoD via DIBNet, stakeholder updates

24/7 Contact Protocol: All team members must be reachable within 30 minutes during business hours and within 2 hours during off-hours. Escalation procedures include automated alerts via SIEM system and emergency contact trees.

4. Incident Classification & Prioritization

🔴 CRITICAL (Priority 1)

  • CUI data breach or exfiltration
  • Ransomware affecting CUI systems
  • Supply chain compromise
  • Advanced Persistent Threat (APT)

Response Time: Immediate (within 30 minutes)

Reporting: DIBNet within 72 hours

🟡 HIGH (Priority 2)

  • Malware on CUI systems
  • Unauthorized access attempts
  • Denial of Service attacks
  • Insider threat indicators

Response Time: Within 2 hours

Reporting: Internal escalation required

🟢 MEDIUM (Priority 3)

  • Policy violations
  • Suspicious network activity
  • Failed access attempts
  • System anomalies

Response Time: Within 8 hours

Reporting: Standard documentation

🔵 LOW (Priority 4)

  • Minor configuration issues
  • Non-CUI system incidents
  • Environmental alerts
  • Routine security events

Response Time: Within 24 hours

Reporting: Log entry only

5. Incident Response Lifecycle

  1. Preparation: Establish IR capabilities, train personnel, maintain tools and procedures
  2. Detection & Analysis: Monitor systems, analyze alerts, validate incidents, assess impact
  3. Containment: Isolate affected systems, prevent spread, preserve evidence
  4. Eradication: Remove threats, patch vulnerabilities, strengthen defenses
  5. Recovery: Restore systems, monitor for threats, return to operations
  6. Lessons Learned: Document findings, update procedures, conduct training

CMMC Integration: Each phase must maintain CUI protection and include documentation for CMMC assessments. All activities must be logged and evidence preserved for potential DoD review.

6. Detection and Analysis Procedures

Detection Sources

  • SIEM System (SPA-005): Centralized log analysis and correlation
  • Endpoint Protection (SPA-004): Anti-malware and behavioral detection
  • Network Monitoring: Firewall and IDS alerts from SPA-001
  • User Reports: Employee-reported suspicious activities
  • External Feeds: Threat intelligence and vulnerability alerts

Analysis Procedures

  1. Initial Triage: Validate alert authenticity and determine if incident involves CUI
  2. Impact Assessment: Identify affected systems, data types, and potential business impact
  3. Evidence Collection: Preserve logs, network traffic, system images, and artifacts
  4. Attribution Analysis: Determine threat actor, attack vectors, and intent
  5. Scope Determination: Map full extent of compromise across network segments

CUI Handling: Any incident involving CUI assets (CUI-001 through CUI-007) automatically escalates to Priority 1 or 2 and requires immediate CISO notification.
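The following Python script is an added example and is not part of ACME's plan or its SIEM configuration. It applies the section 4 priority table, the CUI escalation rule above, and the 72-hour DIBNet window from section 9 to constructed SIEM log lines: it flags a burst of failed logons against an asset, raises the priority when the asset is a CUI asset, and computes the response and reporting deadlines. The log line format, the event names, the user names and IP addresses, and the five-failures-in-ten-minutes threshold are all assumptions made for illustration.

```python
"""Added example (not ACME's code): apply this plan's priority table and CUI
escalation rule to constructed SIEM log lines. Log format, thresholds and all
sample values are assumptions made for illustration."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# CUI asset identifiers named in section 2 (CUI-001 through CUI-007).
CUI_ASSETS = {f"CUI-{n:03d}" for n in range(1, 8)}

# Per-priority response time and whether DIBNet reporting is required (section 4).
PRIORITY_RULES = {
    1: ("CRITICAL", timedelta(minutes=30), True),
    2: ("HIGH", timedelta(hours=2), False),
    3: ("MEDIUM", timedelta(hours=8), False),
    4: ("LOW", timedelta(hours=24), False),
}
DIBNET_WINDOW = timedelta(hours=72)  # section 9: CUI incidents reported within 72 hours

# Incident category -> base priority; a subset of the section 4 lists.
CATEGORY_PRIORITY = {
    "cui_exfiltration": 1, "ransomware": 1, "supply_chain": 1, "apt": 1,
    "malware": 2, "unauthorized_access": 2, "dos": 2, "insider_indicator": 2,
    "policy_violation": 3, "suspicious_network": 3, "failed_access": 3, "anomaly": 3,
    "config_issue": 4, "non_cui_incident": 4, "environmental": 4, "routine": 4,
}

# Assumed log line format: "<ISO8601 time> <asset-tag> <event> user=<u> src=<ip>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) user=(\S+) src=(\S+)$")


@dataclass
class Incident:
    asset: str
    category: str
    detected_at: datetime
    priority: int
    response_due: datetime
    dibnet_due: Optional[datetime]  # None when no DIBNet report is required
    notify_ciso: bool               # True whenever a CUI asset is involved


def parse_log(lines):
    """Parse constructed SIEM lines into (time, asset, event, user, src); skip malformed lines."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            ts, asset, event, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), asset, event, user, src))
    return events


def detect_failed_access_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Return ((asset, user, src), first, last) for every key that has at least
    `threshold` LOGON_FAILURE events inside one sliding time window."""
    failures = defaultdict(list)
    for ts, asset, event, user, src in events:
        if event == "LOGON_FAILURE":
            failures[(asset, user, src)].append(ts)
    bursts = []
    for key, stamps in failures.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1  # slide the window forward past stale failures
            if end - start + 1 >= threshold:
                bursts.append((key, stamps[start], stamps[end]))
                break
    return bursts


def classify(asset, category, detected_at):
    """Assign priority and deadlines; CUI assets escalate to at least P2 (section 6)."""
    priority = CATEGORY_PRIORITY[category]
    involves_cui = asset in CUI_ASSETS
    if involves_cui and priority > 2:
        priority = 2
    _, respond_within, p1_dibnet = PRIORITY_RULES[priority]
    # DIBNet is required for every CUI incident (section 9) and for all P1 incidents (section 4).
    needs_dibnet = involves_cui or p1_dibnet
    return Incident(asset, category, detected_at, priority,
                    detected_at + respond_within,
                    detected_at + DIBNET_WINDOW if needs_dibnet else None,
                    involves_cui)


def triage(lines, threshold=5, window=timedelta(minutes=10)):
    """Detect failed-access bursts in raw log lines and classify each one as an incident."""
    bursts = detect_failed_access_bursts(parse_log(lines), threshold, window)
    return [classify(asset, "failed_access", first) for (asset, _, _), first, _ in bursts]


# Constructed sample: five failures against a CUI workstation followed by a success,
# plus a single failure on a non-CUI laptop that should not be flagged.
SAMPLE_LOG = """\
2025-06-15T09:00:05+00:00 CUI-003 LOGON_FAILURE user=jdoe src=10.20.30.40
2025-06-15T09:00:09+00:00 CUI-003 LOGON_FAILURE user=jdoe src=10.20.30.40
2025-06-15T09:00:14+00:00 CUI-003 LOGON_FAILURE user=jdoe src=10.20.30.40
2025-06-15T09:00:20+00:00 CUI-003 LOGON_FAILURE user=jdoe src=10.20.30.40
2025-06-15T09:00:27+00:00 CUI-003 LOGON_FAILURE user=jdoe src=10.20.30.40
2025-06-15T09:00:31+00:00 CUI-003 LOGON_SUCCESS user=jdoe src=10.20.30.40
2025-06-15T09:05:00+00:00 LAPTOP-17 LOGON_FAILURE user=asmith src=10.20.31.7
2025-06-15T09:05:30+00:00 LAPTOP-17 LOGON_SUCCESS user=asmith src=10.20.31.7
""".splitlines()

if __name__ == "__main__":
    for inc in triage(SAMPLE_LOG):
        print(f"{inc.asset} P{inc.priority} respond by {inc.response_due.isoformat()} "
              f"DIBNet by {inc.dibnet_due.isoformat() if inc.dibnet_due else 'n/a'} "
              f"notify CISO={inc.notify_ciso}")
```

Running the script on the constructed sample yields one incident: the CUI-003 burst would be MEDIUM ("Failed access attempts") by the section 4 table, but the CUI escalation rule lifts it to HIGH, sets a 2-hour response deadline and a 72-hour DIBNet deadline, and marks the CISO for immediate notification. The same burst against the non-CUI laptop would stay at MEDIUM with no DIBNet obligation, which is the distinction the triage step has to make first.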

7. Containment and Eradication Strategies

Containment Strategies

Short-term Containment

  • Network Isolation: Immediately isolate affected systems using VLAN segmentation
  • Account Disabling: Suspend compromised user accounts in Active Directory
  • Traffic Blocking: Configure firewall rules to block malicious IPs/domains
  • System Shutdown: Power down critical systems if data exfiltration is detected

Long-term Containment

  • Patch Management: Apply security updates to all affected systems
  • Access Control Review: Audit and update permissions across all CUI systems
  • Monitoring Enhancement: Deploy additional sensors in affected network segments
  • Backup Verification: Ensure Azure and AWS backups are clean and recoverable

Eradication Procedures

  1. Malware Removal: Use enterprise anti-malware tools and manual removal techniques
  2. Vulnerability Patching: Address all identified security weaknesses
  3. System Hardening: Implement additional security controls and configurations
  4. Credential Reset: Force password changes for all potentially compromised accounts
  5. Certificate Updates: Replace any compromised digital certificates

8. Recovery and Post-Incident Activities

Recovery Procedures

  1. System Restoration: Rebuild compromised systems from clean backups
  2. Service Restoration: Gradually restore services starting with critical CUI systems
  3. Monitoring: Implement enhanced monitoring for 30 days post-incident
  4. Validation: Perform thorough testing to ensure system integrity
  5. Documentation: Update all system configurations and security baselines
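The Python script below is an added example, not ACME's tooling, showing one concrete way to carry out the "Backup Verification" step from section 7 and the "System Restoration" and "Validation" steps above: a hash manifest of the backup set is taken and authenticated with an HMAC while the backup is known-good, and a restore candidate is checked file by file against it before the system is rebuilt. It detects altered, missing and unexpected files; it is an integrity check, not a malware scan. The key, file names, contents and temporary directory are constructed for illustration.

```python
"""Added example (not ACME's code): authenticate a backup hash manifest and verify a
restore candidate against it. Key, paths and file contents are constructed."""
import hashlib
import hmac
import json
import os
import tempfile


def _sha256_file(path):
    """Hash a file in chunks so large backup images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, key):
    """Walk `root`, record the SHA-256 of every file, and HMAC the manifest with `key`
    so that a manifest tampered with alongside the backup is rejected."""
    entries = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            entries[os.path.relpath(path, root)] = _sha256_file(path)
    body = json.dumps(entries, sort_keys=True).encode()
    return {"files": entries, "hmac": hmac.new(key, body, "sha256").hexdigest()}


def verify_restore(root, manifest, key):
    """Return (ok, problems). Fails closed on a bad manifest HMAC, then reports every
    hash mismatch, file missing from the restore, and file not in the manifest."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected_tag = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected_tag, manifest["hmac"]):
        return False, ["manifest HMAC mismatch"]
    problems, seen = [], set()
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            seen.add(rel)
            expected = manifest["files"].get(rel)
            if expected is None:
                problems.append(f"unexpected file: {rel}")
            elif _sha256_file(path) != expected:
                problems.append(f"hash mismatch: {rel}")
    for rel in sorted(manifest["files"]):
        if rel not in seen:
            problems.append(f"missing file: {rel}")
    return not problems, problems


def demo():
    """Constructed scenario: a clean backup passes; the same set with one file altered
    after the manifest was taken fails and names the file."""
    key = b"constructed-demo-key"  # in practice an HSM- or KMS-held secret
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "contracts.db"), "wb") as f:
            f.write(b"clean contract data")
        with open(os.path.join(root, "config.ini"), "wb") as f:
            f.write(b"setting=1\n")
        manifest = build_manifest(root, key)
        ok_before, _ = verify_restore(root, manifest, key)
        with open(os.path.join(root, "config.ini"), "wb") as f:
            f.write(b"setting=changed\n")  # simulated post-incident tampering
        ok_after, problems = verify_restore(root, manifest, key)
        tampered = dict(manifest, hmac="0" * 64)  # manifest altered too
        ok_tampered, tampered_problems = verify_restore(root, tampered, key)
    return ok_before, ok_after, problems, ok_tampered, tampered_problems


if __name__ == "__main__":
    print(demo())
```

The manifest should be generated and stored separately from the backup media (for example with the offline copy of this plan) before any incident, because a manifest that lives beside the backup can be rewritten by the same intrusion that altered the data; the HMAC only helps if the key was never on the compromised host.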

Post-Incident Activities

  • Lessons Learned Meeting: Conduct within 1 week of incident closure
  • Process Improvement: Update IRP based on identified gaps
  • Training Updates: Revise training materials and conduct refresher sessions
  • Compliance Reporting: Ensure all CMMC documentation requirements are met
  • Stakeholder Communication: Brief leadership and relevant parties

9. Communication and Reporting Protocols

CRITICAL: All incidents involving CUI must be reported to DoD via DIBNet (https://dibnet.dod.mil) within 72 hours. Ensure a DoD-approved medium assurance certificate is available for reporting.

Internal Communication

  • Immediate Notification: CISO and IR Manager within 30 minutes
  • Executive Brief: CEO and senior leadership within 2 hours for P1/P2 incidents
  • Employee Updates: All-hands communication for incidents affecting operations
  • Customer Notification: DoD contracting officers per contract requirements

External Reporting Requirements

  • DIBNet Reporting: Mandatory for all CUI-related incidents within 72 hours
  • Law Enforcement: Contact FBI for suspected criminal activity
  • Industry Partners: Share threat intelligence as appropriate
  • Insurance: Notify cyber insurance carrier per policy requirements

Emergency Contacts

DIBNet: https://dibnet.dod.mil

DoD Cyber Crime Center (DC3): Submit malware samples

FBI Cyber Division: (855) 292-3937

CISA: (888) 282-0870

10. Training and Exercise Programs

Training Requirements

  • All Employees: Annual cybersecurity awareness training
  • IR Team Members: Quarterly specialized incident response training
  • New Hires: Security training within 30 days of onboarding
  • Leadership: Annual executive briefing on incident response capabilities

Exercise Schedule

  • Tabletop Exercises: Quarterly scenario-based discussions
  • Functional Exercises: Semi-annual hands-on simulations
  • Full-Scale Exercise: Annual comprehensive incident simulation
  • Surprise Drills: Unannounced monthly alert tests

CMMC Requirement: Regular testing of incident response capabilities through tabletop exercises is mandatory for CMMC Level 2 compliance. Document all exercises and maintain records for assessment.