
IR.L2-3.6.3: Test Incident Response

Test your incident response capability at least annually to ensure your team can execute the plan when a real incident occurs.

IR testing doesn’t require a real security incident. Most organizations haven’t had one, and assessors don’t find that suspicious. What they want is evidence that you sat down, walked through your incident response plan, and identified gaps. A tabletop exercise does exactly that. This practice supports both IR.L2-3.6.1 (establishing the plan) and IR.L2-3.6.2 (tracking and reporting incidents) by validating that your procedures actually work.

Family: Incident Response
Practice: IR.L2-3.6.3
Difficulty: Medium
Key evidence: Tabletop exercise documentation, scenario, lessons learned

What the assessor is actually evaluating

The assessor is checking that you have a habit of testing. They’re not looking for perfect exercise execution or a formal report. They’re looking for four things:
  • You tested something against your IR plan.
  • You documented it.
  • You tracked what you found.
  • You do it regularly (at least annually).

The assessment room note is direct: “Incidents are tracked. When you did the tabletop (since no real incident), did you track the tabletop exercise in the same way you’d track a real incident?” In other words, treat your tabletop like a real incident: document it, record the findings, and log the follow-up actions.

From the assessment room

The contractor’s own staff must be able to demonstrate familiarity with DIBNet (the DoD portal for reporting cyber incidents) personally. Your MSSP can’t do that for you. During tabletop exercises, make sure the people in your organization are actively involved, not just observing while the MSSP runs the scenario. If the assessor asks a question about your IR procedures, it should be answered by someone from your organization, not your service provider.

What a realistic SSP definition looks like

IR.L2-3.6.3 Test Incident Response Capability

[Company] conducts a tabletop exercise of the incident response plan at least annually. The exercise involves key IR team members and walks through a simulated incident scenario from detection to closure. Findings and lessons learned are documented and tracked for remediation. The exercise is scheduled in Q[X] each year and results are reported to management.

Recent exercise: [Date], scenario [brief description], participants [list], findings tracked in [system].

How to present your evidence

Gather these items:
  • Tabletop exercise agenda and scenario (what you tested)
  • Attendance list showing who participated
  • Exercise notes or recap (what happened, what you discovered)
  • Lessons learned or findings logged (even short bullets)
  • Evidence of tracking those findings (ticket, action item, follow-up)
  • Calendar or schedule showing the exercise is planned for this year

Assessment room tips

Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.

Q: “When was your last incident response test?” A: “[Date]. We did a tabletop exercise with our IR team walking through a ransomware scenario.” [Pull up exercise notes and findings]

Q: “Did you track it the way you’d track a real incident?” A: “Yes. We documented what we found and logged action items in [system]. Here’s the tracking record.”

Q: “What did you find in that exercise?” A: “[2-3 key findings]. We addressed [what you did about them].”

Q: “When’s your next test scheduled?” A: “[Month]. It’s on our calendar.”

Common failures

No documentation. You did a tabletop informally. No notes, no attendance record, nothing written down. Assessors can’t verify it happened. Document it, even if briefly.
Findings lost. You ran the exercise and identified gaps, but never tracked them or followed up. You can’t show what came out of the test. Log your findings somewhere and update them as you address them.
One-time activity. You tested once and never again. IR.L2-3.6.3 requires at least annual testing. Add it to your calendar for this year and show the schedule.

You’re good here

You ran a tabletop exercise last quarter with [X] participants. You documented the scenario, captured findings, and tracked them in your issue system. You have it scheduled again for [month]. Assessors move quickly past this one.

Anatomy of a solid tabletop exercise

A tabletop exercise doesn’t need to be formal. Gather 3-5 people (IR lead, IT, security, management). Give them a scenario: “It’s Tuesday morning. Someone reports that customer data is being exfiltrated. Walk us through what happens.”

Let them talk through it. What’s the first call? Who calls? What systems do we check? What information do we need? Where does it go wrong? What’s unclear in our plan?

Write down the problems you identify. Track them. Fix what you can. You’ve now documented an incident response test.

A meeting agenda, an attendance list, and brief notes on findings are sufficient evidence for most assessors. If your tabletop identifies training gaps, those should feed back into the security awareness and training program described in AT.L2-3.2.1, so that lessons learned from exercises translate into stronger personnel preparedness.

If you use an MSP/MSSP

If an MSP manages your IR plan or helps with testing, get them to provide documentation of the exercise they ran on your behalf. You need a record that references your environment, even if they facilitated it. Include their findings and your action items.

This guide reflects CMMC Level 2 requirements as of March 2026. CMMC and NIST standards evolve. Verify current requirements with official CMMC materials and your assessor.

New practice breakdowns and assessment tips every week. Follow on Substack to stay current as the November 2026 deadline gets closer.