NIST 800-53 REV 5 • INCIDENT RESPONSE
IR-2(1) — Simulated Events
Incorporate simulated events into incident response training to facilitate the required response by personnel in crisis situations.
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Supplemental Guidance
Organizations establish requirements for responding to incidents in incident response plans. Incorporating simulated events into incident response training helps to ensure that personnel understand their individual responsibilities and what specific actions to take in crisis situations.
Practitioner Notes
Training works best when people practice under pressure. This enhancement requires you to include realistic simulated events — like a fake phishing attack or a mock ransomware scenario — in your incident response training.
Example 1: Use KnowBe4 or Proofpoint to send simulated phishing emails to all employees quarterly. Track who clicks, who reports, and use the results to tailor follow-up training for repeat offenders.
Example 2: Run a tabletop exercise where you present a scenario, such as an employee laptop stolen from a car, and walk your IR team through each step of the response. Document the decisions made and the gaps identified. Tools like Immersive Labs or AttackIQ can automate parts of the exercise.