Incident Response Plan (IRP)

An Incident Response Plan (IRP) is a documented set of procedures that your organization follows when a cybersecurity incident occurs. It defines what constitutes an incident, who is responsible for each aspect of the response, communication procedures (internal and external), technical response steps, and recovery processes.

An effective IRP addresses the full incident lifecycle: preparation, detection and analysis, containment, eradication, recovery, and post-incident review. For defense contractors, the IRP must include procedures for the 72-hour DoD reporting requirement and evidence preservation obligations under DFARS 7012.

Why It Matters

A documented and tested IRP is a specific CMMC requirement. The plan must be more than a document on a shelf — it should be tested through tabletop exercises and known by all personnel with incident response responsibilities.
