NIST 800-171 • LEVEL 2 • INCIDENT RESPONSE

3.6.3 Incident Response Testing

Organizations test incident response capabilities to determine their effectiveness and identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, and simulations. Incident response testing can include a determination of the effects of incident response on organizational operations, organizational assets, and individuals. Qualitative and quantitative data can help determine the effectiveness of incident response processes.

CMMC Practice Mapping

NIST 800-53 Controls

Assessment Objectives

  • the effectiveness of the incident response capability is tested {{ insert: param, A.03.06.03.ODP.01 }}.

Practitioner Notes

Having an incident response plan is not enough — you have to test it. Run exercises to find out if your team actually knows what to do when things go sideways. A tabletop exercise where you walk through a scenario together is far better than finding out your plan does not work during a real breach.

Example 1: Conduct a tabletop exercise at least annually. Pick a realistic scenario — say, a ransomware attack that encrypts file shares containing CUI. Gather your IR team, IT staff, management, and legal. Walk through the scenario step by step: Who detects it? Who does the Incident Commander call first? How do you isolate affected systems? Where are your backups? Document the exercise, including gaps identified, and update your IRP based on lessons learned.

Example 2: Use an adversary simulation tool like Atomic Red Team (free, open-source) to test your detection capabilities. Run specific MITRE ATT&CK technique tests — for example, test T1059.001 (PowerShell execution) by running Invoke-AtomicTest T1059.001 on a test workstation. Verify that your EDR (Defender for Endpoint, CrowdStrike, etc.) detects and alerts on the activity. If it does not, you have found a gap to fix before a real attacker exploits it.
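One way to turn the detection check in Example 2 into a repeatable record is to correlate the atomic tests you ran against an alert export from your EDR and list which techniques produced no timely alert. The script below is an added example, not part of this control text or the Atomic Red Team project; the execution log, the alert records and their field names (technique, host, time, title) are constructed assumptions, so map your EDR's export columns onto them.

```python
"""Correlate executed Atomic Red Team tests with EDR alerts to list detection gaps."""
from datetime import datetime, timedelta

# Constructed log of Invoke-AtomicTest runs on a test workstation (technique id,
# host, ISO-8601 start time). In practice, record these as each test is launched.
TESTS_RUN = [
    {"technique": "T1059.001", "host": "ws-test-01", "started": "2024-05-06T14:02:10"},
    {"technique": "T1003.001", "host": "ws-test-01", "started": "2024-05-06T14:10:45"},
    {"technique": "T1053.005", "host": "ws-test-01", "started": "2024-05-06T14:20:00"},
]

# Constructed alert export with hypothetical field names (not any vendor's schema).
ALERTS = [
    {"technique": "T1059.001", "host": "WS-TEST-01", "time": "2024-05-06T14:02:41", "title": "Suspicious PowerShell"},
    {"technique": "T1003.001", "host": "ws-other-09", "time": "2024-05-06T14:11:02", "title": "LSASS access"},  # wrong host
    {"technique": "T1053.005", "host": "ws-test-01", "time": "2024-05-06T15:45:00", "title": "Scheduled task"},  # far too late
]


def check_detections(tests, alerts, window_minutes=15):
    """Return one result per test: technique, status ('detected' or 'GAP'), and
    detection latency in seconds (None for a gap).

    A test counts as detected only when an alert with the same technique id fires
    on the same host (hostname compared case-insensitively) within window_minutes
    after the test started. An alert on another host or outside the window is a gap.
    """
    window = timedelta(minutes=window_minutes)
    results = []
    for test in tests:
        start = datetime.fromisoformat(test["started"])
        latencies = []
        for alert in alerts:
            if alert["technique"] != test["technique"]:
                continue
            if alert["host"].lower() != test["host"].lower():
                continue
            fired = datetime.fromisoformat(alert["time"])
            if start <= fired <= start + window:
                latencies.append(int((fired - start).total_seconds()))
        if latencies:
            results.append({"technique": test["technique"], "status": "detected", "latency_s": min(latencies)})
        else:
            results.append({"technique": test["technique"], "status": "GAP", "latency_s": None})
    return results


def gap_summary(results):
    """Techniques to record in the exercise report as detection gaps to fix."""
    return [r["technique"] for r in results if r["status"] == "GAP"]


if __name__ == "__main__":
    for r in check_detections(TESTS_RUN, ALERTS):
        print(f'{r["technique"]}: {r["status"]} (latency {r["latency_s"]} s)')
    print("Gaps to fix:", gap_summary(check_detections(TESTS_RUN, ALERTS)))
```

With the constructed data, only T1059.001 is detected (31 s latency); the other two are reported as gaps because the alert fired on a different host or well outside the window, which is exactly the kind of finding to carry into the lessons-learned section of the IRP.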