Incident Response for CMMC

Why Incident Response Is a CMMC Priority
Incident response (IR) is one of the most scrutinized control families in CMMC assessments. The DoD doesn't just want to know you have an IR plan; it wants evidence that you can execute it. A plan that lives in a drawer is not a passing control.
The Three Core IR Requirements (NIST 800-171)
3.6.1 — Establish IR Capability
Define roles, responsibilities, and procedures for detecting, reporting, and responding to security incidents.
3.6.2 — Track, Document & Report
Track all incidents. Report to appropriate authorities, including mandatory DoD notification when CUI is involved.
3.6.3 — Test IR Capability
Conduct at least annual tabletop exercises or simulations. Document results as assessment evidence.
The Incident Response Lifecycle
1. Detect & Identify
2. Contain
3. Eradicate
4. Report to DoD
5. Recover
6. Post-Incident Review
What a CMMC-Ready IR Plan Must Include
| Requirement | Description |
|---|---|
| Scope and purpose | What events qualify as a security incident. |
| Roles and responsibilities | IR team members, escalation paths, executive sponsor. |
| Detection and analysis | How incidents are identified and triaged. |
| Containment, eradication, and recovery | Step-by-step response procedures. |
| CUI breach reporting | Specific procedures for CUI compromise, including DoD DISA reporting. |
| Post-incident review | Root cause analysis and lessons learned process. |
| Testing schedule | Documented annual tabletop exercise or simulation. |
The Reporting Window Is Collapsing
Cyber incident reporting requirements for contractors handling CUI are shrinking fast. What used to be a 72-hour window is rapidly moving toward near real-time reporting. Most organizations are not built for this.
Critically: the clock starts at detection, not resolution. This is not just a tighter deadline. It fundamentally changes how compliance must operate. Traditional manual IR workflows were built for days. They cannot operate within minutes.
Reporting windows, from longest to shortest:
- 72 hours (DFARS)
- 8 hours (CISA)
- 1 hour (GSA)
- Real time
From Manual Process to Automated Response
Traditional Model
Manual detection → internal escalation → investigation → legal review → reporting. Built for days. Cannot compress into a 1-hour window.
The New Requirement
Continuous device-level monitoring, automated threat detection, pre-configured reporting workflows, and immediate structured notification.
Espresso Labs
24/7 monitoring, AI-assisted threat triage, automated response playbooks, and built-in incident documentation — from detection to reportability without delay.
Documentation Is Automatic, Not Assembled
When an incident occurs, actions are documented in real time as events unfold. Required reporting data is captured automatically, not cobbled together after the fact. Espresso Labs ensures your incident records are always structured, timestamped, and ready for DoD submission.
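To make the two points above concrete (the reporting clock starts at detection, and records should be structured and timestamped as actions happen), here is an added example of an append-only incident record that derives every deadline from the detection timestamp and classifies reporting as on time, late, open, or overdue. It is illustrative code written for this page, not Espresso Labs' product code or any DoD schema; the class name `IncidentRecord`, the `REPORTING_WINDOWS` table, the `to_submission()` layout, and the sample timeline are all assumptions. The hour values are the ones named on this page; the DIBNet submission format itself is not reproduced here.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional
import json

# Reporting windows named on the page, all measured from detection.
# Constructed lookup table for this example; the governing clause in your
# contract decides which window actually applies.
REPORTING_WINDOWS = {
    "DFARS": timedelta(hours=72),
    "CISA": timedelta(hours=8),
    "GSA": timedelta(hours=1),
}


@dataclass
class IncidentRecord:
    """Append-only, timestamped incident record (hypothetical structure, not a DIBNet schema)."""
    incident_id: str
    detected_at: datetime            # the reporting clock starts here, not at resolution
    cui_involved: bool
    actions: list = field(default_factory=list)
    reported_at: Optional[datetime] = None
    resolved_at: Optional[datetime] = None

    def log_action(self, phase: str, description: str, at: datetime) -> None:
        """Record an action as it happens; entries are appended, never edited later."""
        self.actions.append({"at": at.isoformat(), "phase": phase, "description": description})

    def deadline(self, framework: str) -> datetime:
        """Reporting deadline for a framework, derived from detection time only."""
        return self.detected_at + REPORTING_WINDOWS[framework]

    def report(self, at: datetime) -> None:
        self.reported_at = at
        self.log_action("Report to DoD", "notification submitted", at)

    def resolve(self, at: datetime) -> None:
        self.resolved_at = at
        self.log_action("Recover", "incident closed", at)

    def reporting_status(self, framework: str, now: datetime) -> str:
        """'on_time' or 'late' once reported; 'open' or 'overdue' while still unreported."""
        due = self.deadline(framework)
        if self.reported_at is not None:
            return "on_time" if self.reported_at <= due else "late"
        return "open" if now <= due else "overdue"

    def to_submission(self) -> dict:
        """Structured, timestamped summary that could seed a formal report."""
        return {
            "incident_id": self.incident_id,
            "cui_involved": self.cui_involved,
            "detected_at": self.detected_at.isoformat(),
            "reported_at": self.reported_at.isoformat() if self.reported_at else None,
            "resolved_at": self.resolved_at.isoformat() if self.resolved_at else None,
            "deadlines": {name: self.deadline(name).isoformat() for name in REPORTING_WINDOWS},
            "actions": list(self.actions),
        }


def build_sample_incident() -> IncidentRecord:
    """Constructed timeline: detection at 09:00 UTC, report 90 minutes later, closure next day."""
    t0 = datetime(2025, 1, 10, 9, 0, tzinfo=timezone.utc)
    rec = IncidentRecord("INC-EXAMPLE-001", detected_at=t0, cui_involved=True)
    rec.log_action("Detect & Identify", "EDR alert on CUI file server triaged as true positive", t0)
    rec.log_action("Contain", "host isolated from network", t0 + timedelta(minutes=20))
    rec.report(t0 + timedelta(minutes=90))
    rec.log_action("Eradicate", "malicious scheduled task removed", t0 + timedelta(hours=5))
    rec.resolve(t0 + timedelta(days=1))
    return rec


if __name__ == "__main__":
    rec = build_sample_incident()
    now = rec.resolved_at
    # A 90-minute report is late under a 1-hour window but on time under 8 and 72 hours.
    for name in REPORTING_WINDOWS:
        print(f"{name:6} due {rec.deadline(name).isoformat()} -> {rec.reporting_status(name, now)}")
    print(json.dumps(rec.to_submission(), indent=2))
```

Note that `deadline()` never looks at `resolved_at`: closing the incident a day later does nothing to a deadline that was already missed at the one-hour mark. That is the practical consequence of the clock starting at detection, and it is why the report step has to be triggered from the detection event rather than from the end of the investigation.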
DoD Reporting Requirements
| Requirement | Details |
|---|---|
| 72-hour rule | Report potential CUI compromise to the DoD via the DIBNet portal within 72 hours of discovery. |
| Preserve evidence | Do not wipe or rebuild affected systems until forensics are complete. |
| Flow-down reporting | If you are a subcontractor, notify your prime. Their obligations extend to your incident. |
| Cooperate with DoD | Contractors may be required to provide system access during a DoD investigation. |
Common IR Failures in Assessments
| Failure | What Assessors Look For |
|---|---|
| No evidence of testing | Records of tabletop exercises with dates and participants, not just a plan. |
| No CUI-specific procedures | Generic IR plans that don’t address CUI breach reporting fail CMMC requirements. |
| Incomplete contact lists | Current DoD POC information — outdated contacts are a common assessment finding. |
| No post-incident documentation | Evidence of after-action reviews and documented improvement actions. |