Requirement text: IR.5.110: Perform unannounced operational exercises to demonstrate technical and procedural responses.
DISCUSSION FROM SOURCE: CMMC
An organization is stronger against a cyber attack when its incident response capability has been proven able to handle a live incident. Operational exercises require the use of the operational environment by the staffed, operational personnel; they are not performed in a test environment. By performing this practice, an organization tests its incident response capabilities and procedures as outlined in the IR plan. These tests should be built specifically to launch the organization's IR process. This involves the cyber defenders walking through the procedures as well as using their technical solutions. Preparation for an operational exercise might include performing a tabletop exercise to walk through the process; this helps identify shortfalls in the process before the live exercise.
CMMC CLARIFICATION
This practice requires a company to be able to plan and initiate an incident response exercise without the incident response team knowing it is going to happen. This is not about planning an IR test with all parties involved. The purpose of this practice is to test the IR team and the solutions without prior knowledge, so that the incident helps identify gaps in the current procedures or technical solutions. All findings should be used within a feedback loop to improve the IR procedures and to identify any technical shortfalls. This feedback helps the organization prioritize future changes.
Example 1
You are the CISO of the organization. You have been asked by the CIO to run a no-notice event to test the incident response of the cyber defense and/or response team. You are not allowed to tell the team prior to the event starting; the CIO made this request so the event would be realistic. You bring in a couple of your internal red team members and work with them to plan a few local incidents that exercise the IR capabilities as created. After developing the plan, you authorize the red team to launch the tests at 7 AM on a Monday morning. Right before the incident response tests are launched, you have one employee sit in with the DCO team and another with the red team, acting as a white cell. Each member of the white cell is asked to take detailed notes on what is perceived at each location. This information is compiled and presented to the CISO and the CIO at some future point. The information helps identify areas of concern and build a prioritization for future modifications to the process.
Example 2
You are the CISO of the organization. You have your red team borrow an admin account for a server in the data center, after the admins create an account for you. You have already worked with the red team and created a couple of incidents that will help test the IR capability in a remote data center. This helps identify whether the right tools and procedures are in place to handle a remote incident. You authorize the red team to launch the tests on a Friday evening, when people are not typically at their desks. Right before the incident response tests are launched, you have one employee sit in with the DCO team (in this case, monitoring their chat line) and another with the red team, acting as a white cell. Each member of the white cell is asked to take detailed notes on what is perceived at each location. This information is compiled and presented to the CISO and the CIO at some future point. The information helps identify areas of concern and build a prioritization for future modifications to the process.
References
• CMMC
• CIS Controls v7.1 19.7