IR.L2-3.6.3: Incident Response Testing for CMMC Level 2
Incident response testing validates that your organization can actually execute its incident response plan when a real breach occurs. Without regular testing, you risk discovering critical gaps during a live security incident—when it's too late. CMMC Level 2 requires you to demonstrate a tested, functional incident response capability.
What this means
This control mandates that your organization periodically test its incident response procedures to ensure they work in practice, not just in theory. Testing must cover key scenarios relevant to your business, involve appropriate personnel, and document results to show compliance auditors that your team can respond effectively under pressure. The goal is identifying weaknesses before an actual incident forces you to learn by doing.
How to comply
- 1.Develop a documented incident response testing schedule (tabletop exercises, simulations, or full-scale drills at least annually)
- 2.Define realistic incident scenarios based on your threat landscape and industry
- 3.Execute tests involving incident response team members, IT, management, and relevant departments
- 4.Document test execution including date, participants, scenarios, findings, and observations
- 5.Capture response times, decision-making effectiveness, communication flow, and tool functionality
- 6.Identify gaps or deficiencies revealed during testing
- 7.Create remediation plans to address identified weaknesses
- 8.Track closure of remediation items and re-test critical areas
- 9.Retain testing records and evidence for audits (typically 3 years minimum)
Evidence auditors look for
- Tabletop exercise reports with scenario descriptions, participant lists, and outcome notes
- Simulated phishing campaign results showing detection and response metrics
- Full incident response drill logs documenting timeline, actions taken, and communication records
- Post-test debriefs highlighting what worked, what failed, and corrective actions
- Signed attendance sheets and role assignments for each test event
- Incident response plan updates based on test findings
- Evidence of remediation completion (e.g., updated playbooks, new tools deployed, training conducted)
- Metrics tracking (mean time to detect, mean time to respond, containment effectiveness)
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates incident response test scheduling, generates scenario templates tailored to CMMC, tracks findings against your control requirements, and centralizes evidence collection—eliminating manual spreadsheets and ensuring consistent, auditable testing records.
See how GRCWatch handles this control automatically
Start free trial