
How to Run Tabletop Exercises and Technical Simulations to Test Incident Response for NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - IR.L2-3.6.3

Step-by-step guidance on running tabletop exercises and technical simulations to validate incident response processes and meet NIST SP 800-171 Rev.2/CMMC 2.0 Level 2 (IR.L2-3.6.3) requirements.

April 04, 2026 · 4 min read


This post explains how to design and run tabletop exercises and technical simulations that demonstrate compliance with NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 control IR.L2-3.6.3 (test incident response capability), providing practical steps, low-cost tooling, and small-business scenarios you can implement this quarter.

Why IR.L2-3.6.3 matters — key objectives and implementation notes

IR.L2-3.6.3 (Test the organizational incident response capability) requires organizations to exercise their incident response (IR) capability so they can show they can detect, contain, eradicate, and recover from incidents that affect Controlled Unclassified Information (CUI). The control does not prescribe a method or a frequency: the NIST discussion lists checklists, walk-through or tabletop exercises, simulations, and comprehensive exercises, so any of these count provided they are planned, documented, and followed up. Key objectives are to validate playbooks, exercise communication and escalation paths, confirm telemetry coverage, and measure time-to-detect (TTD) and time-to-contain (TTC). Implementation notes: map every exercise to the specific IR playbook(s) it tests, record evidence (attendance, inject timelines, logs, after-action reports), and track findings in a POA&M or remediation backlog tied to the specific NIST/CMMC requirement.

Planning tabletop exercises — roles, scenarios, and injects

Start with a short (60–120 minute) tabletop exercise to familiarize stakeholders with the process before you run technical simulations. Define roles: Incident Commander, Technical Lead, Communications Lead, Legal/Privacy, and CUI Owner. Choose 2–3 scenarios that reflect real risk to your business (phishing leading to credential compromise, a lost laptop holding local CUI, or a cloud misconfiguration exposing CUI). Write an inject timeline (T+0 initial incident, T+15 min new intelligence, T+45 min simulated user reports) and a simple evaluation rubric: Did the team follow the IR playbook? Were notifications made within the SLA defined in the IR plan? Were the critical logs accessible to the people who needed them? Assign a note-taker who is not playing a role to capture attendee actions, decisions, and timestamps; that record is your evidence for assessors.

Designing technical simulations — how to test detection and containment

Technical simulations should be safe, scoped, and repeatable. Use an isolated lab or a consented production window; never run destructive tests in production without formal approval. Focus on detection and response rather than exploitation: run phishing simulations with Gophish, emulate command-and-control or lateral movement with Atomic Red Team tests (each mapped to a MITRE ATT&CK technique), or validate SIEM and EDR rule coverage with benign indicators. Expect EDR to block some atomics outright; a block is a valid result as long as it produced an alert that reached the responders, and each atomic has a cleanup step you should run afterwards. Collect the telemetry you will need for evidence: Windows event logs (including Sysmon), EDR alerts, firewall flow logs, proxy/IDS logs, Microsoft 365 and Entra ID (formerly Azure AD) sign-in logs, and cloud audit logs such as CloudTrail. For each test, predefine the logs and queries you will produce afterwards to show the timeline of detection, analysis, containment, and recovery.

Small-business technical example

Example for a small IT services firm: simulate a phishing email that harvests credentials for a user with access to a CUI repository. Stage it with Gophish: the landing page records that the user submitted credentials, but use a dedicated test account and do not collect real passwords. Then run an Atomic Red Team test for T1078 (Valid Accounts) in a segmented lab to represent the attacker using the harvested account. Confirm that EDR generates a process creation alert and that the SIEM correlates the unusual Microsoft 365 sign-in with new process activity on the user's host. During the simulation, require the team to perform the steps in the IR playbook: isolate the host, reset the credentials, notify the CUI owner, and begin forensic collection. Use inexpensive tooling: osquery for endpoint visibility, Zeek/Suricata for network telemetry, Elastic Stack or Splunk Free for log aggregation, and adapted open-source IR playbooks for runbooks.
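The correlation described above and in the technical-simulation section (an unusual cloud sign-in followed by suspicious process activity on the same user's host) is the detection most small shops have to prove works. The script below is an added example for this post, not code from the original page or from any of the tools it names. The sign-in records, Sysmon Event ID 1 records, per-user IP baseline, and the UPN-to-account mapping are all constructed and simplified assumptions rather than a vendor schema; the logic is the piece you would port into your SIEM's query language.

```python
"""Correlate cloud sign-in records with endpoint process-creation events.

Added example for this post, not code from the original page or from any of
the tools it names. The records below are constructed to resemble Microsoft
Entra ID (Microsoft 365) sign-in logs and Sysmon Event ID 1 entries after
export to JSON; the field names are simplified assumptions, not a vendor schema.
"""
from datetime import datetime, timedelta, timezone

# Constructed per-user baseline of source IPs seen recently (assumption).
KNOWN_IPS = {
    "j.doe@example.com": {"203.0.113.10"},
    "a.smith@example.com": {"203.0.113.11"},
}

# Constructed sign-in records (simplified; the real Entra ID schema differs).
SIGNINS = [
    {"time": "2026-04-01T13:02:11Z", "user": "j.doe@example.com",
     "ip": "203.0.113.10", "success": True},
    # The phishing-test "attacker" signs in from an address never seen before.
    {"time": "2026-04-01T13:20:45Z", "user": "j.doe@example.com",
     "ip": "198.51.100.77", "success": True},
    {"time": "2026-04-01T13:25:03Z", "user": "a.smith@example.com",
     "ip": "203.0.113.11", "success": True},
]

# Constructed Sysmon Event ID 1 (process creation) records.
PROCESS_EVENTS = [
    {"time": "2026-04-01T13:05:00Z", "host": "WS-01", "user": "CORP\\j.doe",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "parent": "C:\\Windows\\explorer.exe", "cmdline": "notepad.exe"},
    # Atomic-style test: Outlook spawns an encoded PowerShell command.
    {"time": "2026-04-01T13:27:30Z", "host": "WS-01", "user": "CORP\\j.doe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
]

OFFICE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
           "cscript.exe", "mshta.exe", "rundll32.exe", "certutil.exe"}


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def account_name(user):
    """Normalise 'CORP\\j.doe' and 'j.doe@example.com' to 'j.doe'.

    Assumes the UPN prefix equals the Windows account name, which is common but
    not guaranteed; a real pipeline would join on the identity directory instead.
    """
    return user.split("\\")[-1].split("@")[0].lower()


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def is_suspicious_process(event):
    """Heuristic: Office parent launching a LOLBin, or PowerShell -EncodedCommand.

    PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
    so match tokens that are a prefix of the full switch rather than one spelling.
    """
    image, parent = basename(event["image"]), basename(event["parent"])
    tokens = event["cmdline"].lower().split()
    encoded = any(len(t) >= 2 and "-encodedcommand".startswith(t) for t in tokens)
    return (parent in OFFICE_PARENTS and image in LOLBINS) or encoded


def correlate(signins, process_events, known_ips, window_minutes=60):
    """Return one alert per (unusual sign-in, suspicious process) pair inside the window."""
    alerts = []
    for s in signins:
        if not s["success"] or s["ip"] in known_ips.get(s["user"], set()):
            continue  # only successful sign-ins from a never-seen IP are interesting
        t0 = parse_ts(s["time"])
        for ev in process_events:
            t1 = parse_ts(ev["time"])
            if account_name(ev["user"]) != account_name(s["user"]):
                continue
            if not t0 <= t1 <= t0 + timedelta(minutes=window_minutes):
                continue
            if is_suspicious_process(ev):
                alerts.append({
                    "user": s["user"], "signin_ip": s["ip"], "signin_time": s["time"],
                    "host": ev["host"], "image": basename(ev["image"]),
                    "detected_at": ev["time"],  # the timestamp to record as "detection" in the AAR
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SIGNINS, PROCESS_EVENTS, KNOWN_IPS):
        print(alert)
```

Run against the constructed data it produces exactly one alert: j.doe's sign-in from 198.51.100.77 followed seven minutes later by Outlook spawning encoded PowerShell on WS-01. The notepad launch is ignored because it precedes the unusual sign-in and is not suspicious, and a.smith is ignored because the IP is in the baseline. The `detected_at` value is what goes into the after-action timeline.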

Evidence, documentation, and mapping to compliance

For assessment evidence, produce an After-Action Report (AAR) that maps each finding to the NIST SP 800-171/CMMC control statement IR.L2-3.6.3, includes timestamps (inject, detection, containment), lists the instrumentation used (e.g., Sysmon, EDR name/version, SIEM queries), and documents corrective actions with owners and target dates. Keep the exercise artifacts: attendance sheet, inject script, raw logs (or sanitized extracts), the AAR, and the updated playbook versions. Remember that raw logs from a CUI environment can themselves contain CUI, so either sanitize the extracts or store them under the same protections as the data they describe. Assessors expect artifacts demonstrating that you tested the IR capability; save them in your compliance repository and reference them in assessments and POA&Ms.

Evaluation metrics and best practices

Measure concrete metrics and use them to improve: time-to-detect (TTD), time-to-contain (TTC), percentage of critical playbook steps followed, percentage of relevant log sources available in the SIEM, and the success rate of evidence collection for forensic analysis. Define TTD and TTC in the IR plan (for example, inject to first alert, and first alert to isolation) so every exercise measures the same thing. Set a cadence and write it down: the control does not prescribe a frequency, so a common baseline is one full tabletop per year with scoped technical simulations each quarter, adjusted up or down by risk. Best practices: get executive buy-in, include executive injects to test decision-making, pre-authorize safe containment actions (isolation, credential resets), and use MITRE ATT&CK to select TTPs. For small businesses, document constraints (budget, staff) and use staggered exercises to build capability incrementally.
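Turning the exercise record into these metrics, and the gaps into POA&M entries, is worth scripting so every exercise is scored the same way. The block below is an added example for this post, not code from the original page. The timeline, playbook checklist, log-source inventory and SLA thresholds are constructed placeholders; the SLA values and the definition of TTC (here measured from first alert to containment) are assumptions to replace with whatever your IR plan states.

```python
"""Score one IR exercise and turn every gap into a POA&M-ready finding.

Added example for this post, not code from the original page. The timeline,
playbook checklist, log-source inventory and SLA thresholds are constructed;
the thresholds are placeholders to be replaced with the values in your IR plan.
"""
from datetime import datetime, timezone

CONTROL = "IR.L2-3.6.3"

# Assumed SLAs from a hypothetical IR plan, in minutes.
SLA_MINUTES = {"ttd": 30, "ttc": 60}

# Constructed exercise timeline (UTC) taken from the inject script and the SIEM/EDR alerts.
TIMELINE = {
    "inject": "2026-04-01T13:18:00Z",     # phishing email delivered
    "detected": "2026-04-01T13:27:30Z",   # SIEM correlation alert fired
    "contained": "2026-04-01T14:35:00Z",  # host isolated and credentials reset
}

# Constructed playbook checklist; "done" is what the observer recorded during the exercise.
PLAYBOOK_STEPS = [
    {"step": "Isolate host via EDR", "critical": True, "done": True},
    {"step": "Reset compromised credentials", "critical": True, "done": True},
    {"step": "Notify CUI owner", "critical": True, "done": False},
    {"step": "Begin forensic collection", "critical": True, "done": True},
    {"step": "Open ticket with external counsel", "critical": False, "done": False},
]

# Constructed inventory: sources the playbook needs versus sources the SIEM actually held.
REQUIRED_LOG_SOURCES = ["sysmon", "edr", "entra_signin", "firewall", "proxy"]
AVAILABLE_LOG_SOURCES = {"sysmon", "edr", "entra_signin", "firewall"}


def minutes_between(start, end):
    """Minutes from one ISO-8601 UTC timestamp to another."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    t0 = datetime.strptime(start, fmt).replace(tzinfo=timezone.utc)
    t1 = datetime.strptime(end, fmt).replace(tzinfo=timezone.utc)
    return (t1 - t0).total_seconds() / 60


def score_exercise(timeline, steps, required_logs, available_logs, sla):
    """Compute TTD, TTC, step and log coverage, and one finding per gap.

    TTD is inject to first alert; TTC is first alert to containment. Both are
    assumptions here and should match the definitions written in the IR plan.
    """
    ttd = minutes_between(timeline["inject"], timeline["detected"])
    ttc = minutes_between(timeline["detected"], timeline["contained"])
    critical = [s for s in steps if s["critical"]]
    pct_critical = 100 * sum(s["done"] for s in critical) / len(critical)
    present = [src for src in required_logs if src in available_logs]
    pct_logs = 100 * len(present) / len(required_logs)

    findings = []
    if ttd > sla["ttd"]:
        findings.append(f"Time-to-detect {ttd:.1f} min exceeded SLA of {sla['ttd']} min")
    if ttc > sla["ttc"]:
        findings.append(f"Time-to-contain {ttc:.1f} min exceeded SLA of {sla['ttc']} min")
    for s in critical:
        if not s["done"]:
            findings.append(f"Critical playbook step not performed: {s['step']}")
    for src in required_logs:
        if src not in available_logs:
            findings.append(f"Required log source not available in SIEM: {src}")

    return {
        "ttd_minutes": ttd,
        "ttc_minutes": ttc,
        "pct_critical_steps": pct_critical,
        "pct_logs_available": pct_logs,
        # Every POA&M entry still needs an owner and a target date assigned by the IR lead.
        "poam": [{"control": CONTROL, "finding": f, "owner": None, "target_date": None}
                 for f in findings],
    }


if __name__ == "__main__":
    result = score_exercise(TIMELINE, PLAYBOOK_STEPS, REQUIRED_LOG_SOURCES,
                            AVAILABLE_LOG_SOURCES, SLA_MINUTES)
    for key, value in result.items():
        print(key, value)
```

On the constructed data the team detected in 9.5 minutes (inside the assumed 30-minute SLA) but took 67.5 minutes to contain, skipped the CUI-owner notification, and had no proxy logs in the SIEM, so the scorecard yields three findings, each already tagged with the control for the POA&M.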

Risks of not testing and final summary

Failing to test IR.L2-3.6.3 risks undetected CUI exposure, slow containment that multiplies damage, failed audits, contract loss, and reputational damage. Without exercises you won’t know whether telemetry, processes, or personnel will perform when a real incident occurs. Summary: run short tabletops to validate process, follow with technical simulations that prove detection and containment, collect the right logs and artifacts, map findings to the control, and track remediation. Start small this quarter — pick one realistic scenario, gather your team, run a tabletop, then follow with a scoped technical simulation and an AAR to demonstrate compliance and continuous improvement.

 
