This post provides a practical, actionable roadmap to go from zero to a compliant operational incident-handling capability that satisfies NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 control IR.L2-3.6.1 by covering preparation, detection, analysis, containment, recovery and user response—targeted at small businesses and contractors handling Controlled Unclassified Information (CUI).
What IR.L2-3.6.1 requires and the compliance artifacts you need
IR.L2-3.6.1 requires an organization to establish and maintain an incident-handling capability that explicitly addresses preparation, detection, analysis, containment, recovery and user response. For compliance evidence you will want: an Incident Response (IR) Policy, an IR Plan, documented playbooks for common incident types (phishing, malware, data exfiltration, insider misuse), roles and responsibilities (IRT roster), logs and alerts showing detection and response actions, tabletop exercise reports, after-action reports (AARs), and metrics (MTTD/MTTR) tracked over time.
Preparation: build the bones of your program
Begin with policy and inventory. Create a short IR Policy that references IR.L2-3.6.1 and a concise IR Plan listing team members (IR Lead, IT Lead, Legal/P&O contact), escalation criteria, communication templates, and retention requirements (e.g., preserve logs and forensic images for 1 year or per contract). For a small business: assign an IR Lead (could be the IT Manager), create a 24/7 contact roster (use on-call rotations or an MSSP), and document the tools you will rely on—SIEM (Elastic/Wazuh/Cloud-native), EDR (Microsoft Defender, CrowdStrike), firewall logs, MFA logs, and cloud audit trails (AWS CloudTrail, Azure Activity Logs). Set concrete SLAs like MTTD < 4 hours for high-severity incidents and MTTR < 72 hours for containment/recovery steps, and map these SLAs to contracts where applicable.
Detection and analysis: instrument, alert, and validate
Detection must be practical: centralize logs from endpoints, identity providers, email gateways, firewalls, and cloud APIs into a SIEM or log archive. For a budget-conscious small business, enable Microsoft 365 Audit Logs, Azure Sentinel free tier or Wazuh on a small VM, and deploy Defender for Office 365 for phishing detection. Create parsers and alerts for specific indicators: multiple failed logins followed by successful access from a new geo, large outbound data transfers to uncommon destinations, or EDR telemetry showing process injection. Implement analyst playbooks to validate alerts—what to check first (user agent, IP history, session logs), how to triage (isolate host, verify CUI access), and how to escalate to legal or leadership. Always record timestamps, alert IDs, and remediation steps in the incident ticket to satisfy compliance evidence requirements.
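As an added example (not part of the original post), a small Python detection rule for the first indicator listed above, run over constructed sign-in log lines. The JSON field names and the per-user baseline of known countries are assumptions, not any vendor's schema.

```python
"""Detection rule for the 'failed logins then success from a new geo' indicator:
flag a successful sign-in preceded by >= threshold failures inside a window
when it comes from a country the user has never signed in from."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-in log (one JSON object per line); field names are
# assumptions, not a specific vendor's schema.
SAMPLE_LOG = """\
{"ts": "2024-03-01T08:00:00Z", "user": "alice", "result": "failure", "ip": "203.0.113.5", "country": "RO"}
{"ts": "2024-03-01T08:00:20Z", "user": "alice", "result": "failure", "ip": "203.0.113.5", "country": "RO"}
{"ts": "2024-03-01T08:00:41Z", "user": "alice", "result": "failure", "ip": "203.0.113.5", "country": "RO"}
{"ts": "2024-03-01T08:01:02Z", "user": "alice", "result": "failure", "ip": "203.0.113.5", "country": "RO"}
{"ts": "2024-03-01T08:01:30Z", "user": "alice", "result": "success", "ip": "203.0.113.5", "country": "RO"}
{"ts": "2024-03-01T09:00:00Z", "user": "bob", "result": "failure", "ip": "198.51.100.9", "country": "US"}
{"ts": "2024-03-01T09:00:05Z", "user": "bob", "result": "success", "ip": "198.51.100.9", "country": "US"}
"""

# Assumed per-user baseline, e.g. countries seen in the last 90 days of successes.
KNOWN_COUNTRIES = {"alice": {"US"}, "bob": {"US"}}

def parse_events(text):
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])

def detect_bruteforce_then_new_geo(events, known, threshold=3, window=timedelta(minutes=10)):
    """Return one alert per qualifying success, with the fields an analyst
    needs to start triage (user, source IP, country, failure count, time)."""
    recent_failures = defaultdict(deque)
    alerts = []
    for e in events:
        q = recent_failures[e["user"]]
        while q and e["ts"] - q[0] > window:  # expire failures outside the window
            q.popleft()
        if e["result"] == "failure":
            q.append(e["ts"])
        elif e["result"] == "success":
            new_geo = e["country"] not in known.get(e["user"], set())
            if len(q) >= threshold and new_geo:
                alerts.append({"user": e["user"], "ip": e["ip"], "country": e["country"],
                               "failures": len(q), "ts": e["ts"].isoformat()})
            q.clear()  # a success resets the burst counter
    return alerts
```

Bob's single failure followed by a success from his usual country produces nothing; Alice's four failures and then a success from an unseen country produce one alert carrying the timestamp and source details the incident ticket needs.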
Containment and technical response: playbooks and actions
Containment playbooks must be prescriptive and tested. Example playbook for a compromised workstation: (1) isolate the host from the network via NAC or endpoint quarantine, (2) take a volatile memory capture (using accredited tooling like FTK Imager or Belkasoft for evidence), (3) collect disk image (dd or vendor tool) and record SHA256 hashes for chain-of-custody, (4) disable compromised accounts and revoke active sessions (identity provider forced sign-out), (5) block malicious IPs/signatures at the firewall/IDS, and (6) spin up a clean host image to restore business functions. For data-exfiltration suspicion, immediately snapshot cloud storage buckets and enable object-level logging to preserve evidence. Document each step with who performed it, the timestamp, and the justification. These artifacts are exactly what assessors look for under IR.L2-3.6.1.
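An added example, not from the original post, of playbook step 3 together with the step-documentation requirement: hash an evidence image in chunks, append a custody record (who, when, why, SHA-256), and re-verify the image later. The record layout, file names, operator and incident id are constructed assumptions.

```python
"""Chain-of-custody helper: hash an evidence image in chunks, append a record
of who did what and why, and re-verify the hash later. Layout is an assumption."""
import hashlib, json, os, tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 20):
    """Stream the file so multi-GB images never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def record_custody(log_path, evidence_path, operator, action, justification, incident_id):
    """Append one JSON line (hash, UTC timestamp, operator, justification) and return it."""
    rec = {
        "incident_id": incident_id,
        "evidence": os.path.basename(evidence_path),
        "sha256": sha256_file(evidence_path),
        "operator": operator,
        "action": action,
        "justification": justification,
        "ts_utc": datetime.now(timezone.utc).isoformat(),
    }
    with open(log_path, "a") as f:
        f.write(json.dumps(rec) + "\n")
    return rec

def verify_custody(log_path, evidence_path):
    """Re-hash the evidence and compare with the latest logged hash for it;
    False means the image changed after it was collected."""
    with open(log_path) as f:
        records = [json.loads(line) for line in f if line.strip()]
    name = os.path.basename(evidence_path)
    last = [r for r in records if r["evidence"] == name][-1]
    return sha256_file(evidence_path) == last["sha256"]

def demo():
    """Constructed stand-in for a disk image; returns (sha256, ok_before, ok_after_tamper)."""
    d = tempfile.mkdtemp()
    img, log = os.path.join(d, "ws-042.dd"), os.path.join(d, "custody.jsonl")
    with open(img, "wb") as f:
        f.write(b"\x00" * 4096 + b"CUI-DEMO")  # constructed image contents
    rec = record_custody(log, img, "j.doe", "disk image collected",
                         "compromised workstation playbook step 3", "INC-0001")
    ok_before = verify_custody(log, img)
    with open(img, "ab") as f:
        f.write(b"x")  # simulate post-collection modification
    return rec["sha256"], ok_before, verify_custody(log, img)
```

Keep the custody log itself on write-once or access-controlled storage; the verification step is what lets an assessor (or opposing counsel) confirm the image is the one collected.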
Recovery and post-incident actions
Recovery is more than "reimage and reopen." Plan and test restorations: maintain immutable backups (3-2-1 strategy) and perform periodic restore drills to confirm that backups are intact and recovery times meet contract requirements. After containment, follow a documented clean-up: patch exploited vulnerabilities, rotate credentials and certificates, apply endpoint hardening baselines, and update detection signatures or SIEM rules to detect the attack vector next time. Produce an AAR that contains timeline, root cause, impacted CUI, lessons learned, mitigations applied, and follow-up tasks assigned with due dates. These reports feed your continuous improvement loop and provide compliance evidence.
User response, communication templates and legal considerations
IR.L2-3.6.1 expects a user response element—prepare user-facing templates and channel plans ahead of time. Create ready-made email and internal message templates for: suspected phishing, confirmed breach affecting CUI, and "all clear" messages. Define who communicates externally (PR or Legal) and who notifies customers or DoD contracting officers if CUI is implicated. If a small business lacks in-house legal, have an on-call counsel retainer or documented escalation to your prime contractor. Keep scripted guidance for user actions (change password, re-enroll MFA, avoid forwarding or backing up suspected files) and FAQs to reduce help desk load during incidents.
Testing, metrics and documentation for auditors
Regular exercises prove the capability works. Run quarterly tabletop exercises covering at minimum phishing leading to credential theft, ransomware on a file server, and cloud misconfiguration leading to exposure. Use simulated alerts to measure MTTD and MTTR and capture all artifacts: playbooks invoked, tickets, logs exported, AARs and evidence hashes. Map each artifact to IR.L2-3.6.1 in your compliance binder (policy = evidence, playbook = procedure, logs and AAR = execution). For small shops, a short evidence index (spreadsheet with artifact name, location, retention period and mapping to the control) dramatically simplifies an assessor review.
Risks of not implementing an operational IR capability
Without this capability you risk uncontrolled CUI exposure, contract penalties or loss of contracts, delayed breach notification that attracts regulatory fines, operational downtime from ransomware or persistent intruders, and reputational damage. Practically, a poorly handled incident can lead to missed evidence (no forensic image, no logs), which both undermines recovery and fails compliance proof—resulting in corrective action plans or decertification for CMMC Level 2.
Summary: Implementing IR.L2-3.6.1 is a pragmatic program—start with a thin-but-complete policy and plan, instrument detection using affordable or managed tooling, build and test playbooks that cover containment and recovery, prepare user and external communications, and prove the capability through exercises and documented artifacts. For small businesses, lean on cloud-native tools and MSSPs if needed, but ensure you retain control of evidence and documentation so you can demonstrate compliance and, more importantly, minimize business impact when incidents occur.