CMMC IR.3.099 - Test Incident Response Capability

Requirement text: IR.3.099: Test the organizational incident response capability.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Organizations test incident response capabilities to determine the effectiveness of the
capabilities and to identify potential weaknesses or deficiencies. Incident response testing
includes the use of checklists, walk-through or tabletop exercises, simulations (both parallel
and full interrupt), and comprehensive exercises. Incident response testing can also include
a determination of the effects on organizational operations (e.g., reduction in mission
capabilities), organizational assets, and individuals due to incident response.

CMMC CLARIFICATION
Testing an organization’s incident response capability validates existing plans and
highlights lapses or changes within the environment. The test should seek to address
questions such as: what happens during an incident, who is responsible for incident
management, what tasks are assigned within the IT organization, what support would be
needed from legal, public affairs, or other business components, how resources are obtained
if needed during the incident, and how law enforcement is involved. Any negative impact
on the normal day-to-day mission while responding to an incident should also be identified
and documented.

Example
As CISO, you decide to conduct an incident response tabletop exercise. The exercise plans
to simulate an attacker gaining access to the network through a compromised server. When
scheduling the exercise you include relevant IT staff such as security, database, network, and
system administrators. You also request a representative from legal, HR, and the
communications department. As the exercise begins you provide a scenario to the team. You
have key questions aligned with the response plans to guide the exercise. During the exercise
you focus on how the team executes the organization’s incident response plan. At the end of
the test, you conduct a debrief with everyone who was involved to provide feedback and
develop improvements to the incident response plan.

References
• NIST SP 800-171 Rev 1 3.6.3
• CIS Controls v7.1 19.7
• NIST CSF v1.1 DE.DP-3
• NIST SP 800-53 Rev 4 IR-3