NetStable
🚨 3 Practices NIST 3.6.1 - 3.6.3

Incident Response Policy

Incident Response Domain (IR)

📖 What This Policy Covers

Incident Response is your organization's emergency playbook -- what happens when things go wrong. This policy covers your incident response plan and team structure, detection mechanisms and alert routing, the full incident lifecycle (preparation, detection, containment, eradication, recovery, lessons learned), severity classification, DoD DIBNET reporting requirements (72-hour rule for CUI incidents), incident documentation and metrics, and regular testing through tabletop exercises and technical drills.

Purpose

This policy ensures that security incidents are detected and responded to promptly, CUI is protected during and after incidents, incident response activities are coordinated and effective, lessons learned from incidents drive security improvements, and the organization meets CMMC Level 2 incident response requirements.

Scope

Applies to any event that threatens confidentiality, integrity, or availability of CUI or organizational systems. Covers all information systems, networks, applications, and devices. Includes all employees, contractors, vendors, and partners. Incident types covered: malware, ransomware, data breaches, unauthorized access, denial of service, insider threats, and physical security breaches.

🎯 Why It Matters

Every organization will face a security incident -- the question is when, not if. The average cost of a data breach is $4.45M (IBM 2023), but organizations with tested incident response plans save $2.66M on average. For defense contractors, CUI incidents must be reported to DoD DIBNET within 72 hours (DFARS 252.204-7012). A poorly handled incident can result in contract loss, legal liability, and reputational damage. Despite having only 3 CMMC practices, this domain is disproportionately important because it's tested through exercises and real incidents.

🔐 Key Requirements

1. Incident Response Capability

Establish and maintain a documented incident response plan, trained team, and detection capabilities.

  • Written IR Plan covering: detection mechanisms, severity classification (Critical/High/Medium/Low), escalation procedures, response playbooks, communication protocols, recovery procedures, post-incident activities
  • Incident Response Team (IRT) with defined roles: Team Lead, Security Analysts, IT Operations, Legal, HR, PR
  • 24/7 on-call rotation with primary + backup
  • Detection capabilities: automated (SIEM, IDS/IPS, EDR, DLP, AV) and manual (user reports, audit reviews, threat hunting)
  • Forensic toolkit: air-gapped workstation, write-blockers, FTK/EnCase/Volatility/Autopsy
  • Secure communication channel (Signal, encrypted email) for incident coordination
  • Plan reviewed annually or after major incidents

2. Incident Handling (NIST Lifecycle)

Follow the NIST incident response lifecycle: preparation, detection/analysis, containment, eradication, recovery, and post-incident activity.

  • Initial triage within 15 minutes: validate incident, gather IOCs, classify severity
  • Severity levels: CRITICAL (CUI breach, ransomware), HIGH (malware on CUI system), MEDIUM (phishing clicked), LOW (caught by AV)
  • CRITICAL/HIGH: page IRT Lead + CISO immediately; MEDIUM: notify within 1 hour; LOW: daily digest
  • Containment: isolate affected systems, block malicious IPs/domains, disable compromised accounts, preserve evidence (memory dump before shutdown)
  • Eradication: remove malware/backdoors, rebuild compromised systems from clean backups, verify eradication with IOC scans
  • Recovery: restore from clean backups, phased service restoration with enhanced monitoring for 30 days
  • Recovery timeframes: CRITICAL 4-8 hours, HIGH 24 hours, MEDIUM 72 hours
  • Post-incident: lessons learned meeting within 7 days, written incident report, update IR plan/playbooks, track remediation via POA&M

3. Incident Tracking & Reporting

Document all incidents, track metrics, and fulfill external reporting obligations.

  • Incident ticket with unique ID (INC-YYYY-####): classification, timeline, personnel, evidence, communications, outcome
  • Real-time updates (hourly during active response), objective facts, chain of custody for evidence
  • Monthly metrics: volume by severity/type, MTTD, MTTR, systems affected, root cause, estimated cost
  • DoD DIBNET reporting: CUI incidents reported within 72 hours per DFARS 252.204-7012
  • Other reporting: law enforcement (FBI), customer notifications per contract, state breach notification laws, cyber insurance
  • Threat intelligence sharing: DoD DIBNET, ISACs, anonymized IOCs
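The severity routing in section 2 and the ticket numbering, 72-hour DIBNET clock and monthly MTTD/MTTR metrics in section 3 can be expressed as a small triage-and-tracking model. The following is an added Python example written for this page; it is not NetStable's code or part of any ticketing product named here. The indicator names, the rule that an unmatched incident defaults to MEDIUM pending analyst review, the choice to start the 72-hour DFARS clock at the moment of detection (the policy's "discovery"), and the three sample incidents are all assumptions constructed for the example.

```python
"""Incident triage routing and tracking metrics, modelled on sections 2 and 3.

Added example for the NetStable IR policy page; all indicator names and
sample incidents below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from statistics import mean
from typing import Optional


class Severity(Enum):
    CRITICAL = 1
    HIGH = 2
    MEDIUM = 3
    LOW = 4


# Section 2 severity examples, ordered highest to lowest so the first
# matching indicator wins. Indicator names are an assumption of this example.
SEVERITY_RULES = [
    ("cui_breach", Severity.CRITICAL),
    ("ransomware", Severity.CRITICAL),
    ("malware_on_cui_system", Severity.HIGH),
    ("phishing_clicked", Severity.MEDIUM),
    ("blocked_by_av", Severity.LOW),
]

# Section 2 escalation and recovery targets, measured from detection.
# notify=None means daily digest only; recover=None means no stated clock.
ESCALATION = {
    Severity.CRITICAL: ("page IRT Lead + CISO", timedelta(0), timedelta(hours=8)),
    Severity.HIGH: ("page IRT Lead + CISO", timedelta(0), timedelta(hours=24)),
    Severity.MEDIUM: ("notify IRT", timedelta(hours=1), timedelta(hours=72)),
    Severity.LOW: ("daily digest", None, None),
}


def classify(indicators: set) -> Severity:
    """Return the highest severity whose indicator is present.

    Anything the rules do not cover defaults to MEDIUM so a human looks at it
    within the hour (an assumption of this example, not policy text).
    """
    for indicator, severity in SEVERITY_RULES:
        if indicator in indicators:
            return severity
    return Severity.MEDIUM


@dataclass
class Incident:
    ticket_id: str
    severity: Severity
    category: str
    involves_cui: bool
    occurred_at: datetime               # earliest evidence of the activity
    detected_at: datetime               # SOC validated the alert (triage done)
    recovered_at: Optional[datetime] = None


def make_ticket_id(year: int, sequence: int) -> str:
    """INC-YYYY-#### as required by section 3."""
    return f"INC-{year:04d}-{sequence:04d}"


def dibnet_deadline(inc: Incident) -> Optional[datetime]:
    """DFARS 252.204-7012 72-hour clock, CUI incidents only, started at detection."""
    return inc.detected_at + timedelta(hours=72) if inc.involves_cui else None


def escalation_deadlines(inc: Incident) -> dict:
    """Who gets alerted and by when, plus the recovery and DIBNET clocks."""
    action, notify, recover = ESCALATION[inc.severity]
    return {
        "action": action,
        "notify_by": inc.detected_at + notify if notify is not None else None,
        "recover_by": inc.detected_at + recover if recover is not None else None,
        "dibnet_by": dibnet_deadline(inc),
    }


def monthly_metrics(incidents: list) -> dict:
    """Section 3 monthly metrics: volume by severity, MTTD and MTTR in hours."""
    by_severity = {s.name: 0 for s in Severity}
    for inc in incidents:
        by_severity[inc.severity.name] += 1
    ttd = [(i.detected_at - i.occurred_at).total_seconds() / 3600 for i in incidents]
    closed = [i for i in incidents if i.recovered_at is not None]
    ttr = [(i.recovered_at - i.detected_at).total_seconds() / 3600 for i in closed]
    return {
        "count": len(incidents),
        "open": len(incidents) - len(closed),
        "by_severity": by_severity,
        "mttd_hours": round(mean(ttd), 2) if ttd else None,
        "mttr_hours": round(mean(ttr), 2) if ttr else None,
    }


UTC = timezone.utc
# Constructed sample tickets for one month (not real incidents).
SAMPLE_INCIDENTS = [
    Incident(make_ticket_id(2024, 17), classify({"ransomware", "cui_breach"}), "ransomware", True,
             datetime(2024, 3, 4, 2, 0, tzinfo=UTC), datetime(2024, 3, 4, 8, 0, tzinfo=UTC),
             datetime(2024, 3, 4, 15, 0, tzinfo=UTC)),
    Incident(make_ticket_id(2024, 18), classify({"phishing_clicked"}), "phishing", False,
             datetime(2024, 3, 10, 9, 0, tzinfo=UTC), datetime(2024, 3, 10, 9, 30, tzinfo=UTC),
             datetime(2024, 3, 10, 12, 30, tzinfo=UTC)),
    Incident(make_ticket_id(2024, 19), classify({"blocked_by_av"}), "malware", False,
             datetime(2024, 3, 15, 14, 0, tzinfo=UTC), datetime(2024, 3, 15, 14, 0, tzinfo=UTC),
             datetime(2024, 3, 15, 14, 0, tzinfo=UTC)),
]

if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        print(inc.ticket_id, inc.severity.name, escalation_deadlines(inc))
    print(monthly_metrics(SAMPLE_INCIDENTS))
```

The ordered rule list is what makes the severity assignment repeatable: two analysts given the same indicators reach the same level, and the CISO sign-off the policy asks for in section 2 is a sign-off on that list. Keeping the DIBNET deadline as a computed field on the ticket, rather than a note in a playbook, lets the ticketing dashboard show the remaining hours on every CUI incident.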

4. Incident Response Testing

Regular testing through tabletop exercises and technical drills.

  • Quarterly tabletop exercises with IRT members: ransomware, phishing, insider threat, DDoS scenarios
  • Annual technical drills: red team exercise, forensic evidence collection drill, backup restoration drill
  • Exercise outcomes documented: gaps identified, decisions tested, plan updates
  • Post-exercise: action items assigned with owners and due dates

👥 Roles & Responsibilities

CISO

  • Overall accountability for incident response program
  • Declare major incidents and authorize response actions
  • Communicate with executive leadership and customers
  • Determine DoD DIBNET reporting requirements

Incident Response Team (IRT)

  • Team Lead: coordinate all response activities
  • Security Analysts: investigate incidents, analyze forensic data
  • IT Operations: contain threats, restore systems
  • Legal: advise on obligations, evidence handling
  • HR: coordinate personnel actions for insider threats

SOC / IT Security Operations

  • Monitor security alerts 24/7
  • Perform initial triage and classification
  • Escalate to IRT per severity thresholds
  • Execute containment actions per IRT guidance

All Employees

  • Report suspicious activity via incident hotline or email immediately
  • Do not attempt to investigate or remediate independently
  • Preserve evidence (don't delete emails, don't wipe devices)
  • Cooperate with investigations

🛠️ Implementation Roadmap (8 Weeks)

1. Plan Development (Weeks 1-2)

  • Week 1: Draft IR Plan using NIST SP 800-61 template: list CUI systems, define severity levels, document escalation paths, create contact list, develop playbooks (ransomware, phishing, data breach, insider threat)
  • Week 2: Review with stakeholders (IT, Legal, HR, executives), incorporate feedback, get CISO + CEO signatures, publish to intranet

2. Team Formation & Training (Weeks 3-4)

  • Week 3: Assign IRT roles, establish on-call rotation, set up communication channels (Slack #incident-response, Zoom bridge, encrypted email list)
  • Week 4: 8-hour IRT workshop (lifecycle, plan walkthrough, forensic tools, DIBNET reporting), company-wide 15-min training ('How to Report Security Incidents'), publish hotline number

3. Tool Deployment (Weeks 5-6)

  • Week 5: Deploy incident ticketing (Jira Service Desk / ServiceNow) with workflow, configure email notifications, create dashboard
  • Week 6: Procure forensic workstation (air-gapped + write-blockers + tools), deploy EDR with forensic features (CrowdStrike, Defender ATP), enable memory dump capability

4. Testing & Validation (Weeks 7-8)

  • Week 7: Conduct tabletop exercise -- ransomware encrypts 50 workstations including 10 with CUI. Document gaps and action items.
  • Week 8: Test hotline, test escalation paging (verify IRT paged within 5 minutes), test DIBNET access, CISO signs operational readiness certification

Recommended Tools

  • Jira Service Desk / ServiceNow (incident ticketing)
  • CrowdStrike Falcon / Microsoft Defender ATP (EDR with forensics)
  • FTK Imager / Autopsy / Volatility / Wireshark (forensic tools)
  • PagerDuty / Opsgenie (on-call alerting)
  • Signal / encrypted email (secure communications)
  • Splunk / Azure Sentinel (SIEM for detection)

📊 CMMC Practice Mapping

Practice ID    Requirement                                       Policy Section
IR.L1-3.6.1    Establish incident handling capability            1, 4
IR.L2-3.6.2    Detect, analyze, contain, eradicate, recover      2
IR.L2-3.6.3    Track, document, report incidents                 3

📋 Evidence Requirements

These are the artifacts a C3PAO assessor will ask for. Start collecting early.

Incident Response Policy + Plan

Format: PDF
Frequency: Annual review or after major incidents
Contents: This policy (signed) plus the detailed IR Plan with playbooks and contact lists
Tip: The plan is a separate document from the policy. The plan has the tactical details (contact lists, playbooks). Keep both current.

IRT Roster

Format: Excel/PDF
Frequency: Quarterly or when changes occur
Contents: Name, role, primary phone, backup phone, email for each IRT member
Tip: Include backup contacts for each role. Test phone numbers quarterly.

Tabletop Exercise Report

Format: PDF
Frequency: Quarterly (save last 4 for audit)
Contents: Scenario, participants, timeline of decisions, gaps identified, action items with owners and due dates
Tip: Assessors want to see that you actually test your plan, not just that you have one. Document both what went well and what needs improvement.

Sample Incident Report

Format: PDF
Frequency: Per incident (save all for audit)
Contents: Sanitized report showing full lifecycle: detection, triage, containment, eradication, recovery, lessons learned
Tip: If you haven't had a real incident, use the tabletop exercise as your sample. Show the full documentation workflow.

Incident Metrics Dashboard

Format: PDF screenshot
Frequency: Monthly
Contents: Last 12 months of metrics: incident count by severity, MTTD, MTTR, top incident types
Tip: If you've had zero incidents, that's fine -- document 'No security incidents reported' in your monthly reports. Show the monitoring is active.

DoD DIBNET Submission Confirmation

Format: PDF/Email
Frequency: Per CUI incident or annual attestation
Contents: Screenshot of DIBNET submission confirmation for any CUI incidents. If none, document 'No CUI incidents to report.'
Tip: Verify your DIBNET credentials work before you need them. Test access during implementation phase.

Forensic Tool Inventory

Format: Excel
Frequency: Annual
Contents: Tool name, version, purpose, license status for all forensic tools
Tip: Keep tools updated. Include both software (FTK, Volatility) and hardware (write-blockers, forensic workstation).

Training Records

Format: PDF/Excel
Frequency: Annual for IRT, ongoing for awareness
Contents: IRT workshop attendance with agenda, company-wide awareness training completion rates
Tip: Target 100% completion for company-wide awareness training. IRT members should have role-specific training documentation.

⚠️ Common Gaps (What Assessors Flag)

1. IR plan exists but has never been tested

Why this happens: Created the document for compliance but never conducted a tabletop exercise. Team doesn't know the plan.
How to close the gap: Schedule quarterly tabletop exercises (start with a simple scenario). Involve IRT + at least one executive sponsor. Document outcomes and track action items.

2. No defined severity levels or escalation criteria

Why this happens: Every incident is treated ad hoc. There's no agreement on what constitutes 'critical' vs. 'low' severity.
How to close the gap: Define 4 severity levels with specific examples and escalation triggers. Map to response SLAs. Get CISO sign-off.

3. DIBNET reporting capability not established

Why this happens: Organization hasn't needed to report yet, so DIBNET credentials were never set up or tested.
How to close the gap: Register at dibnet.dod.mil immediately. Verify credentials work. Add DIBNET reporting to your incident playbook with the 72-hour deadline clearly documented.

4. No forensic evidence preservation procedures

Why this happens: When incidents occur, the first instinct is to reboot or wipe the system, destroying volatile evidence.
How to close the gap: Train IRT on evidence preservation: memory dump first, then disk image. Purchase a forensic workstation and write-blockers. Include 'preserve evidence' as step 1 in all playbooks.

📝 Template Customization Guide

When filling in the downloadable template for this policy, replace these placeholders with your organization's specifics:

[COMPANY NAME]

Your organization's legal name

Example: Acme Defense Systems, LLC

[CISO Name]

Name of your CISO or IT Director

Example: Jane Smith

[1-800-XXX-XXXX]

Your incident reporting hotline number

Example: 1-800-555-0199

[[email protected]]

Your incident reporting email

Example: [email protected]

[Incident Response Plan Appendix A]

Location of your IRT contact list

Example: SharePoint: /sites/Security/IR-Plan/Appendix-A.pdf

Customization Tips

  • 💡 The IR Plan is a separate, more detailed document from this policy -- create both
  • 💡 Adjust recovery timeframes based on your actual RTO/RPO capabilities
  • 💡 For small organizations, the IRT may be 3-4 people wearing multiple hats -- document who covers which role
  • 💡 If you can't afford 24/7 SOC coverage, use automated alerting (PagerDuty) as your off-hours coverage and document this
  • 💡 Create at least 3 playbooks (ransomware, phishing, data breach) -- these are the most common scenarios assessors ask about
  • 💡 Practice DIBNET reporting with a test submission so the team knows the process

📚 Related Policies