
3.6.3 — Test the Plan

Test the organizational incident response capability.

Your IR capability must be tested — not just documented. The assessor checks:

  1. Testing happens. At least annually, you exercise your incident response capability. Tabletop exercises are the most common approach for small to mid-size DIB contractors: a facilitated walkthrough of a realistic scenario where the IR team discusses how they’d respond. More mature organizations may run technical simulations (red team exercises, breach simulations).

  2. Testing is documented. The exercise has a record: scenario description, participants, questions discussed, decisions made, gaps identified, and improvement actions. The assessor wants to see the after-action report, not just a calendar entry.

  3. Improvements result from testing. Gaps identified during the exercise lead to updates to the IR plan, additional training, or process changes. The assessor will ask: “What did you learn from the last exercise? What did you change?”

A CUI breach scenario is the most relevant for CMMC — walking through how you’d detect, contain, investigate, report to DIBCAC within 72 hours, notify the prime, and recover. Include cross-functional participants: IT, security, legal, management.


Your assessor needs a “yes” to every row:

| # | Question | What “yes” looks like |
|---|---|---|
| 1 | Is the incident response capability tested? | Tabletop exercise or simulation conducted at least annually, with documentation |

Documents they’ll review: Incident response policy; procedures addressing IR testing; tabletop exercise scenario and materials; exercise participation list; after-action report; improvement actions and their implementation status; updated IR plan reflecting changes from the exercise

People they’ll talk to: Personnel with IR testing responsibilities; IR team members who participated; information security personnel

Live demos they’ll ask for: “Show me the scenario from your last tabletop exercise.” “Show me the after-action report. What gaps were found?” “What changes were made to the IR plan as a result?”


These are the actual questions. Have answers ready.

  • “When did you last test your IR capability? Show me the documentation.”
  • “What was the scenario? Did it involve CUI?”
  • “Who participated? Was it just IT or did you include legal and management?”
  • “What gaps were identified? Show me the after-action report.”
  • “What changes were made to the IR plan based on the exercise findings?”
  • “Is IR testing conducted at least annually?”

Never tested. The IR plan has existed for two years but has never been exercised. The assessor asks “when did you last test?” and the answer is never. Schedule an annual tabletop — it takes 2-3 hours and is one of the highest-value exercises you can do.

No documentation. A tabletop was held but there’s no after-action report. The assessor needs evidence: scenario, participants, findings, improvements. Document everything.

No improvements. The exercise identified three gaps but the IR plan was never updated. Testing without improvement is compliance theater. Every gap should have an improvement action with an owner and deadline.

IT-only exercise. Only the IT team participates. Incident response involves legal (DIBCAC reporting, contractual obligations), management (executive decisions, communication), and potentially HR (insider threats). Include cross-functional participants.



| Requirement | Why it matters here |
|---|---|
| 3.6.1 — Have a Plan | The plan being tested; exercise findings feed back into plan updates |
| 3.6.2 — Track and Report | Reporting procedures are exercised during the tabletop |
| 3.2.2 — Role-Specific Training | IR team members need role-specific training that tabletop exercises reinforce |



CMMC Practice ID: IR.L2-3.6.3 | SPRS Weight: 1 point | POA&M Eligible: Yes