Incident Response

Incident response is the organized approach to detecting, containing, eradicating, and recovering from cybersecurity incidents. An incident response plan defines the roles, responsibilities, procedures, and communication protocols your organization follows when a security event occurs — who does what, when, and how.

A good incident response plan covers preparation (training, tools, contacts), detection and analysis (identifying what happened), containment (stopping the damage), eradication (removing the threat), recovery (restoring normal operations), and lessons learned (improving for next time). For defense contractors, the plan must also address DoD notification requirements for CUI incidents.

Why It Matters

CMMC requires a documented incident response capability and specific notification timelines for incidents involving CUI. Having a tested plan means the difference between a controlled response and organizational chaos when an incident occurs.

Related Resources

CMMC: IR.L2-3.6.1
CMMC: IR.L2-3.6.2
CMMC: IR.L2-3.6.3
NIST 800-171: 3.6.1
NIST 800-171: 3.6.2
NIST 800-171: 3.6.3
NIST 800-53: IR-1
NIST 800-53: IR-2