CMMC IR.L2-3.6.1: Establish Incident Handling Capability
Incident handling is your organization's operational backbone for responding to security events before they escalate into breaches. CMMC Level 2 requires you to build detection, analysis, and recovery capabilities that minimize damage and restore systems quickly. This control ensures your team can detect anomalies, contain threats, and recover without panic.
What this means
This control requires you to establish a formal incident-handling capability across your information systems. You must document and implement procedures covering the entire incident lifecycle: preparation (tools, playbooks, training), detection (monitoring and alerting), analysis (determining scope and impact), containment (isolating affected systems), recovery (restoring normal operations), and user response (communication and support). Your capability must be operational, tested, and capable of responding to actual security incidents without delays.
How to comply
- 1.Document your incident-handling policy that defines roles, responsibilities, and escalation procedures for all severity levels
- 2.Create incident response playbooks for common threats (malware, data exfiltration, unauthorized access, ransomware)
- 3.Deploy monitoring and detection tools across networks and endpoints to identify suspicious activity in real time
- 4.Establish a communication protocol for notifying stakeholders, management, and affected users during incidents
- 5.Define containment procedures that specify how to isolate compromised systems while maintaining business continuity
- 6.Plan recovery processes including system restoration, data verification, and validation of normal operations
- 7.Conduct tabletop exercises and simulated incident drills at least annually to test procedures and team readiness
- 8.Maintain an incident log with details on date, time, impact, response actions, and lessons learned
- 9.Review and update incident-handling procedures annually or after each significant incident
Evidence auditors look for
- Incident Response Plan document with defined preparation, detection, analysis, containment, recovery, and response procedures
- Incident response playbooks for each common threat type specific to your organization
- Monitoring and alerting tool configurations (SIEM, antivirus, intrusion detection systems)
- Incident log entries documenting detected incidents, response actions taken, and time to resolution
- Training records showing all IT staff received incident handling training
- Tabletop exercise reports or incident simulation documentation with participants and outcomes
- Escalation procedures and contact lists for incident response team members
- System recovery procedures and backup/restore testing records
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates incident tracking, playbook execution, and response documentation so your team spends less time on logging and more time on containment—while automatically generating the evidence auditors need for IR.L2-3.6.1 compliance.
See how GRCWatch handles this control automatically
Start free trial