
How to Implement an Operational Incident-Handling Capability: Step-by-Step for NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 Control IR.L2-3.6.1

Step-by-step guidance to build an operational incident-handling capability that meets NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 IR.L2-3.6.1, including tooling, playbooks, and small-business examples.

March 29, 2026

This post walks you through a practical, step-by-step approach to implement an operational incident-handling capability to satisfy NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 Control IR.L2-3.6.1 so your organization can detect, contain, recover from, and learn from cybersecurity incidents affecting Controlled Unclassified Information (CUI).

What IR.L2-3.6.1 Requires (Quick summary)

IR.L2-3.6.1 requires an operational incident-handling capability for organizational systems — that means documented policies, defined roles and responsibilities, detection and analysis capabilities, containment/eradication/recovery procedures, and a continuous improvement loop that includes reporting to stakeholders and (where applicable) DoD/contractual reporting within required timelines.

Step-by-step implementation plan

1) Governance, policy and roles

Start by drafting an Incident Response (IR) policy aligned to your information security program and the NIST/CMMC requirements. The policy should define scope (systems that process CUI), IR objectives (minimize impact to CUI), concrete timelines (e.g., initial triage within 2 hours, escalation to leadership within 4 hours), and escalation paths. Assign roles: Incident Response Lead, IT Lead, Forensics Lead (or external provider), Legal/Privacy, Communications, and Contracting Officer Representative (COR) for government work. For a small business, designate a primary and an alternate for each role; if staffing is limited, plan for a contracted Managed Detection and Response (MDR) provider to act as Forensics Lead.

2) Detection and telemetry (technical build)

Implement logging and detection focused on CUI flows and high-value assets. Minimum technical controls: endpoint detection and response (EDR) on all Windows/macOS/Linux hosts (examples: Microsoft Defender ATP, CrowdStrike, or a managed EDR). Centralize logs into a SIEM (cloud-native options: Azure Sentinel, Splunk Cloud; open stack: Elastic + Winlogbeat/Beats). Instrument network telemetry: firewall logs, VPN gateways, and network sensors (Zeek, Suricata). Ensure retention meets contract needs; a typical baseline is 90 days of hot-searchable logs and up to 1 year archived for forensics. Configure critical detections: lateral movement (suspicious SMB/PsExec usage), privilege escalation events, anomalous data transfers (large uploads from CUI repositories), and unusual account logins (impossible travel, new device). Use host-level auditing (Windows Sysmon, Linux auditd) to gather process creation, network connections, and file modifications for forensic analysis.
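
As an added illustration of the "critical detections" above (this is example code, not from the original post or any vendor), the following rules run over constructed Sysmon-style process-creation records and flag encoded PowerShell, an Office application spawning a shell, and a PsExec service start. The event field names, the sample records and the rule thresholds are assumptions to adapt to your own SIEM's schema.

```python
import base64
import re

# Constructed Sysmon Event ID 1 (process creation) style records; field names are an assumption.
ENCODED = base64.b64encode("Write-Output constructed-sample".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"host": "WS-17", "user": "CORP\\jdoe", "parent": "outlook.exe",
     "image": "powershell.exe", "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"host": "FS-01", "user": "NT AUTHORITY\\SYSTEM", "parent": "services.exe",
     "image": "PSEXESVC.exe", "cmdline": "PSEXESVC.exe"},
    {"host": "WS-22", "user": "CORP\\asmith", "parent": "explorer.exe",
     "image": "powershell.exe", "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# -EncodedCommand and its accepted abbreviations, followed by a base64 blob.
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (UTF-16LE) for analyst triage, or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def run_detections(events):
    """Apply each rule to every event and return one alert dict per match."""
    alerts = []
    for ev in events:
        image, parent = ev["image"].lower(), ev["parent"].lower()
        decoded = decode_encoded_command(ev["cmdline"])
        if image in {"powershell.exe", "pwsh.exe"} and decoded is not None:
            alerts.append({"rule": "encoded_powershell", "host": ev["host"],
                           "user": ev["user"], "detail": decoded})
        if parent in OFFICE_PARENTS and image in SHELLS:
            alerts.append({"rule": "office_spawned_shell", "host": ev["host"],
                           "user": ev["user"], "detail": f"{parent} -> {image}"})
        if image == "psexesvc.exe" and parent == "services.exe":
            alerts.append({"rule": "psexec_service_install", "host": ev["host"],
                           "user": ev["user"], "detail": "PsExec service started"})
    return alerts

if __name__ == "__main__":
    for a in run_detections(SAMPLE_EVENTS):
        print(f"[{a['rule']}] {a['host']} {a['user']}: {a['detail']}")
```

The first sample record triggers two rules at once, which is the kind of correlated signal that should drive the playbook escalation described in the next step.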

3) Playbooks, procedures, and evidence handling

Create actionable playbooks for the 6–8 most common incident types: phishing with credential compromise, malware/ransomware, data exfiltration, insider misuse, web application compromise, and loss/theft of a device containing CUI. Each playbook should include detection indicators, a triage checklist, containment steps (isolate the host from the network, block compromised accounts), evidence collection commands (e.g., FTK Imager or dd for disk imaging, netstat/ss for connections, EDR live response scripts), hash collection (SHA-256), and chain-of-custody documentation. Specify that disk images and volatile memory captures are performed by trained staff or the MDR provider to avoid evidence contamination. For small businesses, include a “low-effort” playbook that relies on snapshotting cloud VMs, collecting cloud audit logs (AWS CloudTrail and S3 access logs, or the Azure equivalents), and pulling EDR telemetry to preserve crucial evidence quickly.
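
The hash-collection and chain-of-custody step of a playbook can be scripted so that every collected artifact is recorded with its SHA-256, size, collector and timestamp, and re-verified before analysis. The example below is added here (not the post's or any tool's code); the manifest layout, case id and collector name are assumptions, and the two evidence files are constructed in a temporary directory.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large images do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(paths, case_id, collector, note=""):
    """One record per evidence file plus a custody entry saying who collected it and when."""
    now = datetime.now(timezone.utc).isoformat()
    items = [{"file": os.path.basename(p), "sha256": sha256_file(p),
              "bytes": os.path.getsize(p)} for p in paths]
    custody = [{"actor": collector, "action": "collected", "timestamp": now, "note": note}]
    return {"case_id": case_id, "custody": custody, "evidence": items}

def verify_manifest(manifest, directory):
    """Re-hash every listed file; return the names whose hash no longer matches."""
    bad = []
    for item in manifest["evidence"]:
        p = os.path.join(directory, item["file"])
        if not os.path.exists(p) or sha256_file(p) != item["sha256"]:
            bad.append(item["file"])
    return bad

def demo():
    """Constructed evidence (two small files in a temp dir), verified, then one altered."""
    d = tempfile.mkdtemp()
    names = ["ws17-memory.raw", "ws17-edr-export.json"]
    for name, data in zip(names, [b"constructed memory image", b'{"constructed": true}']):
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    paths = [os.path.join(d, n) for n in names]
    m = build_manifest(paths, "IR-2026-0001", "IT Lead (alternate)", "phishing playbook, evidence step")
    with open(os.path.join(d, "manifest.json"), "w") as f:
        json.dump(m, f, indent=2)          # store beside the evidence, then sign or lock it
    before = verify_manifest(m, d)         # expected: []
    with open(paths[0], "ab") as f:        # simulate an accidental write to the image
        f.write(b"!")
    return before, verify_manifest(m, d)   # expected: ([], ["ws17-memory.raw"])

if __name__ == "__main__":
    print(demo())
```

Each later hand-off (to the MDR provider, to legal) should append another custody entry rather than rewriting the existing ones.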

4) Containment, eradication and recovery procedures

Define containment tiers: short-term containment (isolate infected systems from the network but keep them powered on to preserve volatile evidence), targeted containment (segment the compromised subnet and block C2 infrastructure at the firewall), and system-wide containment for widespread incidents (e.g., disconnect the guest Wi-Fi where lateral movement originated). Eradication procedures should include credential resets with 2FA enforced, patching/remediation tasks under change control, and verification that persistence mechanisms (scheduled tasks, services, backdoors) have been removed. Recovery steps must document system rebuild or clean restore from verified backups; ensure backups are air-gapped or immutable snapshots. Maintain a checklist that ties recovery tasks to the business-priority systems that handle CUI so sensitive systems are restored first.

5) Reporting, metrics and continuous improvement

Build a reporting cadence: immediate internal notification to IR team and executives, formal incident report within 24–72 hours depending on contract obligations, and final lessons-learned report within 30 days that includes root cause, remediation, and planned control changes. For DoD contracts and DFARS-covered CUI, be prepared to report cyber incidents within 72 hours to DoD per DFARS 252.204-7012 and supply required artifacts where applicable (TTPs, indicators of compromise, and affected systems). Track metrics that show program effectiveness: Mean Time to Detect (MTTD), Mean Time to Contain (MTTC), number of incidents by type, percent of incidents with evidence preserved, and playbook coverage. Use tabletop exercises and simulated phishing/ransomware drills quarterly to validate playbooks and staff readiness.
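
The metrics and the 72-hour reporting clock described above can be computed from a simple incident register, as in this added example (not code from the original post). The register fields and the four incidents are constructed; the example treats the detection time as the "discovery" that starts the DFARS 252.204-7012 window, which is an assumption you should confirm against your contract.

```python
from datetime import datetime, timedelta, timezone

def ts(s):
    """Parse a constructed 'YYYY-MM-DDTHH:MM' timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed register: 'occurred' comes from forensics, 'detected' starts the 72-hour clock.
INCIDENTS = [
    {"id": "IR-2026-0001", "type": "phishing", "occurred": ts("2026-03-02T08:00"),
     "detected": ts("2026-03-02T10:30"), "contained": ts("2026-03-02T12:00"),
     "cui_affected": True, "dod_reported": ts("2026-03-04T09:00"), "evidence_preserved": True},
    {"id": "IR-2026-0002", "type": "ransomware", "occurred": ts("2026-03-10T01:00"),
     "detected": ts("2026-03-10T07:00"), "contained": ts("2026-03-10T15:00"),
     "cui_affected": True, "dod_reported": ts("2026-03-14T12:00"), "evidence_preserved": True},
    {"id": "IR-2026-0003", "type": "lost_device", "occurred": ts("2026-03-20T18:00"),
     "detected": ts("2026-03-21T09:00"), "contained": ts("2026-03-21T10:00"),
     "cui_affected": False, "dod_reported": None, "evidence_preserved": False},
    {"id": "IR-2026-0004", "type": "web_app", "occurred": ts("2026-03-21T12:00"),
     "detected": ts("2026-03-21T20:30"), "contained": None,
     "cui_affected": True, "dod_reported": None, "evidence_preserved": True},
]
DFARS_WINDOW = timedelta(hours=72)

def mean_hours(incidents, start, end):
    """Average (end - start) in hours over incidents that have reached 'end'."""
    deltas = [(i[end] - i[start]).total_seconds() / 3600 for i in incidents if i[end]]
    return round(sum(deltas) / len(deltas), 2) if deltas else None

def metrics(incidents):
    """MTTD, MTTC, incidents by type and evidence-preservation rate for the IR report."""
    by_type = {}
    for i in incidents:
        by_type[i["type"]] = by_type.get(i["type"], 0) + 1
    preserved = sum(1 for i in incidents if i["evidence_preserved"])
    return {"mttd_hours": mean_hours(incidents, "occurred", "detected"),
            "mttc_hours": mean_hours(incidents, "detected", "contained"),
            "by_type": by_type,
            "evidence_preserved_pct": round(100 * preserved / len(incidents), 1)}

def dfars_status(incident, now):
    """'n/a' without CUI; otherwise 'reported', 'late', 'overdue' or the time remaining."""
    if not incident["cui_affected"]:
        return "n/a"
    deadline = incident["detected"] + DFARS_WINDOW
    if incident["dod_reported"]:
        return "reported" if incident["dod_reported"] <= deadline else "late"
    if now > deadline:
        return "overdue"
    return f"due in {int((deadline - now).total_seconds() // 3600)}h"
```

Calling metrics(INCIDENTS) gives the quarterly figures, and dfars_status(incident, now) run on a schedule is a cheap way to surface an approaching reporting deadline to the IR Lead.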

Real-world small business example

Scenario: A 35-person subcontractor handling CUI receives a suspicious alert: an EDR agent flags a PowerShell process launching a base64-encoded downloader from a user workstation. Implementation: the assigned IR Lead initiates the phishing playbook, EDR isolates the host (short-term containment), IT captures a live EDR session and collects a memory image using the EDR vendor's guided tools, hashes and stores the evidence on an encrypted forensic server, performs credential resets for the user, and queries the SIEM for lateral movement indicators over the prior 48 hours. The incident is reported internally within 2 hours, and because the company is a DoD contractor it prepares a DFARS-compliant incident report within 72 hours. After eradication, the company patches the exploited application, schedules a company-wide phishing awareness micro-training, and updates its playbook to include the new IoC. This demonstrates how compact teams can operationalize IR with EDR, a SIEM, documented playbooks, and an MDR retainer for forensic escalation.

Risks of not implementing IR.L2-3.6.1

Without an operational incident-handling capability you face extended downtime, greater data loss (including CUI exfiltration), regulatory and contractual penalties (including loss of contracts), reputational damage, and higher recovery costs. From a compliance view, failing IR.L2-3.6.1 can leave you unable to meet DFARS/CMMC timelines, which may trigger mandatory reporting, audits, or contract termination. Technically, the absence of centralized logs and playbooks makes investigations slow and error-prone, undermining your ability to contain incidents before they escalate.

Summary: Implementing IR.L2-3.6.1 is achievable for small businesses by combining clear governance, pragmatic tooling (EDR + SIEM + network telemetry), well-written playbooks that include evidence handling, routine exercises, and a plan for contractual reporting obligations. Start with a concise IR policy, prioritize asset telemetry where CUI resides, create 6–8 playbooks tailored to your environment, and run quarterly tabletop tests. With these steps you’ll build an operational incident-handling capability that satisfies NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 while also reducing real business risk.
