
Practical Implementation Checklist for NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - IR.L2-3.6.2: Track, Document, and Report Incidents for SMBs

A practical, step-by-step checklist to help small and medium-sized businesses track, document, and report security incidents to meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 IR.L2-3.6.2 requirements while protecting CUI and contractual obligations.

April 13, 2026
4 min read


Tracking, documenting, and reporting incidents is a cornerstone requirement of NIST SP 800-171 Rev.2 and CMMC 2.0 Level 2 (IR.L2-3.6.2), and for small and medium-sized businesses (SMBs) this means implementing affordable, repeatable processes that preserve evidence, meet contractual reporting timelines, and reduce business impact.

Why this control matters for Compliance Frameworks

IR.L2-3.6.2 is intended to ensure your organization can demonstrate you detected, recorded, and communicated incidents affecting Controlled Unclassified Information (CUI) and other sensitive assets. For contractors subject to DFARS and CMMC 2.0, this also ties into contractual obligations (for example DFARS 252.204-7012 style reporting expectations) requiring timely notification to DoD or prime contractors. A documented incident trail is essential for forensic analysis, regulatory investigations, insurance claims, and contract compliance.

Practical implementation checklist (actionable steps)

Implement the following checklist, tailored to SMBs, to meet IR.L2-3.6.2:

1) Create an Incident Response (IR) policy that defines roles, SLAs, and reporting requirements.
2) Build an IR playbook with step-by-step actions for phishing, ransomware, data exfiltration, and insider incidents.
3) Deploy centralized logging and at least basic SIEM or log aggregation (Wazuh + ELK, Graylog, or cloud alternatives such as Azure Sentinel or AWS GuardDuty + CloudTrail).
4) Integrate Endpoint Detection and Response (EDR) on all endpoints (Microsoft Defender for Endpoint, CrowdStrike, or open alternatives such as osquery + Sysmon + Wazuh).
5) Implement a ticketing system for incidents (Jira, ServiceNow, or a lightweight system such as Freshservice) and ensure every incident receives a unique ID and lifecycle tracking.
6) Establish notification templates and escalation paths that include legal, PR, contracting officer points of contact (POCs), cyber insurance, and law enforcement.
7) Train staff and run tabletop exercises twice yearly and after major changes.

Technical implementation details

Technical specifics SMBs should implement include: synchronize all devices and logs to a reliable time source (NTP) to preserve timeline integrity; collect logs from endpoints (Sysmon / EDR), network devices (firewalls, VPN concentrators), email gateways (Proofpoint, Mimecast), cloud services (CloudTrail, CloudWatch, Azure Activity Log), and identity providers (Azure AD sign-in logs, Okta). Configure retention policies: retain raw incident logs and forensic snapshots offsite or in an immutable store for at least the contractual period (commonly 1–3 years unless the contract states otherwise). Automate alert-to-ticket creation using webhooks or SOAR playbooks where possible to reduce human latency and preserve IOCs immediately.

Documentation, evidence preservation, and reporting requirements

Document every incident using a consistent template: incident ID, discovery timestamp, detection source, impacted assets and data types (explicitly call out CUI), scope (users/systems), IOCs (IP, hashes, domain names), containment actions, remediation timeline, root cause analysis, evidence location (hashes and storage path), and notifications issued (who, when, method). For CMMC/DFARS-relevant incidents, ensure you can produce the 72-hour initial report to the DoD (or prime contractor), and preserve forensic images, memory captures, and logs as required by contract for forensic review. Use write-once storage or immutable backups for evidence (object lock in S3 or WORM storage) to prevent tampering.
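The two preceding sections describe an alert-to-ticket step and an incident template whose evidence entries carry a hash and storage path, plus a 72-hour reporting expectation. The following is an added illustration, not code from the article or any vendor: a minimal incident record that hashes evidence at collection time, keeps an append-only chain-of-custody log, and flags an overdue initial report. The webhook payload shape and the SAMPLE_ALERT values are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# 72-hour initial-report expectation from the article; SAMPLE_ALERT below is a constructed payload.
REPORT_WINDOW = timedelta(hours=72)

@dataclass
class IncidentRecord:
    incident_id: str
    discovered_at: datetime
    detection_source: str
    impacted_assets: list
    touches_cui: bool
    iocs: list = field(default_factory=list)
    evidence: dict = field(default_factory=dict)       # storage path -> sha256 at collection
    custody_log: list = field(default_factory=list)    # append-only chain of custody
    notifications: list = field(default_factory=list)  # (who, when, method)

    def add_evidence(self, path, data: bytes, collected_by, collected_at):
        """Hash the artifact when it is collected so later tampering is detectable."""
        digest = hashlib.sha256(data).hexdigest()
        self.evidence[path] = digest
        self.custody_log.append(f"{collected_at.isoformat()} {collected_by} collected {path} sha256={digest}")
        return digest

    def verify_evidence(self, path, data: bytes):
        """Re-hash a stored artifact and compare with the hash recorded at collection."""
        return hashlib.sha256(data).hexdigest() == self.evidence.get(path)

    def report_deadline(self):
        return self.discovered_at + REPORT_WINDOW

    def report_overdue(self, now):
        """True when CUI was touched, no notification was issued, and the window has passed."""
        return self.touches_cui and not self.notifications and now > self.report_deadline()

def incident_from_alert(alert: dict, incident_id: str) -> IncidentRecord:
    """Alert-to-ticket step: turn a webhook payload (assumed shape) into a tracked record."""
    return IncidentRecord(
        incident_id=incident_id,
        discovered_at=datetime.fromisoformat(alert["timestamp"]),
        detection_source=alert["source"],
        impacted_assets=list(alert["hosts"]),
        touches_cui=bool(alert.get("cui_involved", False)),
        iocs=list(alert.get("iocs", [])),
    )

SAMPLE_ALERT = {"timestamp": "2026-04-13T09:15:00+00:00", "source": "EDR", "hosts": ["LAPTOP-17"],
                "cui_involved": True, "iocs": [{"type": "domain", "value": "invoice-portal.example"}]}
```

In practice the hash and custody line would be written to the ticketing system and the artifact to object-locked or WORM storage, so the record and the evidence are protected independently.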

Real-world SMB scenarios and examples

Example 1 — Phishing with CUI exposure: An employee clicks a phishing link and forwards an invoice containing CUI. Detection: the email gateway flagged the URL and EDR shows abnormal exfiltration attempts. Actions: isolate the laptop from the network, snapshot disk and memory (FTK Imager / dd), export EDR logs, update the ticket with IOCs, and notify the contracting officer within 72 hours if CUI was exposed.

Example 2 — Ransomware encrypts a file server: Detection via endpoint alerts and file-integrity monitoring. Actions: disconnect the affected segment, preserve evidence from immutable backups, restore from a verified offsite backup, document the timeline, and report to the insurer and prime contractor per contract.

In both cases, a clear documentation trail and preserved evidence determine contractual compliance and insurance outcomes.

Compliance tips and best practices

Focus on the lowest-cost high-impact controls: enable EDR and endpoint logging, centralize logs, and set up simple automated alerts for high-risk events (privileged account use outside business hours, large data transfers to unapproved cloud storage, or unusual admin activity). Maintain an updated asset inventory and data map so you can quickly identify whether an incident touches CUI. Pre-authorize a retained forensic vendor in contracts so you can engage immediately. Practice tabletop exercises using real incident templates and include contract-specific reporting steps (who at the DoD, prime contractor COR details). Finally, keep your incident documentation auditable—use immutable timestamps, enforced access controls, and a chain-of-custody record for all evidence.

Risk of not implementing IR.L2-3.6.2

Failing to properly track, document, and report incidents increases legal and financial exposure: loss of DoD contracts, contract termination, fines, uninsured losses, reputational damage, and greater remediation costs due to delayed detection and containment. For SMBs handling CUI, noncompliance can trigger mandatory notifications, contract cancellation, or inability to bid on future government work. From a security perspective, inadequate documentation prevents effective root cause analysis, leading to repeated breaches and systemic vulnerabilities.

Summary

For SMBs, meeting IR.L2-3.6.2 is about building pragmatic, repeatable processes: enforce endpoint and network telemetry, centralize logs, preserve evidence immutably, document each incident with a standard template, and meet contractual reporting timelines (e.g., the 72-hour expectation where applicable). Start small—deploy EDR and a log-aggregation tool, create an incident template and escalation path, and run regular exercises. These steps protect your organization’s data, maintain contract compliance, and reduce the operational and financial impact of incidents.
