How to Meet NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - IR.L2-3.6.1

Practical guide for SMBs to implement NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - IR.L2-3.6.1

January 06, 2026 • 3 min read

Requirement

NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - IR.L2-3.6.1 – Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.

Understanding the Requirement

This control requires your organization to have a working incident response capability: a designated team, documented plan, and repeatable processes that cover the full incident lifecycle—preparation, detection, analysis, containment, recovery, and user-facing response activities. Under the NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 framework, the emphasis is on having operational procedures and trained people who can act quickly and consistently when incidents occur, plus a feedback loop to improve the capability over time.

Technical Implementation

  • Establish roles and contacts. Create an incident response (IR) team with primary and backup contacts (include employees with information security responsibilities and system/network administrators). Maintain a simple distribution list and a dedicated incident email (for example, security@yourdomain.com) and publish an internal phone escalation list for high-severity events.
  • Document an IR plan and playbooks. Produce a short, actionable incident response plan that defines scope, responsibilities, escalation criteria, communication templates, and step-by-step playbooks for common incidents (malware, phishing, lost devices, account compromise). Keep playbooks one page per incident type so responders can act under pressure.
  • Detection and monitoring basics. Deploy affordable detection tools appropriate to your environment—endpoint detection & response (EDR) on workstations/servers, centralized logging or a lightweight SIEM, and email security/anti-phishing controls. Configure alerts for suspicious activity and route those alerts to the IR email and an on-call person.
  • Containment and analysis procedures. Define quick containment steps (isolate endpoints, disable accounts, block network access) and a checklist for initial triage: preserve evidence, capture process and network indicators, and determine scope. Train admins how to snapshot systems and collect logs safely to support analysis.
  • Recovery and restoration. Maintain tested backups and documented restore procedures. Include a recovery checklist that covers secure rebuilds, malware scans, credential resets, and staged return-to-service. Ensure a rollback/restore decision point is part of every playbook.
  • Training, exercises, and lessons learned. Conduct tabletop exercises twice a year and a technical drill annually (e.g., isolate and rebuild a compromised workstation). After every incident or drill, perform a short lessons-learned review and update playbooks, contact lists, and user guidance accordingly.
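The detection and alert-routing step above, and the detection-to-isolation metric a lessons-learned review would track, can be made concrete in code. The following is an added example and is not code from the original article or from any EDR product: the file-event log format, the burst threshold and window, the hypothetical `oncall-primary` contact and the `security@yourdomain.com` mailbox (the placeholder the article itself uses) are all assumptions. It flags a host where many files are renamed to a single new extension inside a short window, builds an alert routed to the IR mailbox and on-call person with the first playbook containment step, and computes how long detection-to-isolation took once the responder records the isolation time.

```python
"""Added example: ransomware-like mass-rename detection over constructed
endpoint file-event log lines, playbook alert routing, and a
detection-to-isolation metric. Log format, thresholds and contacts are
assumptions, not any vendor's format."""

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines. Assumed format:
# <ISO timestamp> <host> <user> <event> <old_path> -> <new_path>
SAMPLE_LOG = """\
2026-01-06T14:02:01 LAPTOP-JOHN john RENAME C:\\Users\\john\\Docs\\a.docx -> C:\\Users\\john\\Docs\\a.docx.locked
2026-01-06T14:02:02 LAPTOP-JOHN john RENAME C:\\Users\\john\\Docs\\b.xlsx -> C:\\Users\\john\\Docs\\b.xlsx.locked
2026-01-06T14:02:02 LAPTOP-JOHN john RENAME C:\\Users\\john\\Docs\\c.pdf -> C:\\Users\\john\\Docs\\c.pdf.locked
2026-01-06T14:02:03 LAPTOP-JOHN john RENAME C:\\Users\\john\\Docs\\d.pptx -> C:\\Users\\john\\Docs\\d.pptx.locked
2026-01-06T14:02:03 LAPTOP-JOHN john RENAME C:\\Users\\john\\Docs\\e.txt -> C:\\Users\\john\\Docs\\e.txt.locked
2026-01-06T14:02:04 LAPTOP-JOHN john RENAME C:\\Users\\john\\Docs\\f.csv -> C:\\Users\\john\\Docs\\f.csv.locked
2026-01-06T14:05:10 WS-ALICE alice RENAME C:\\Users\\alice\\draft.docx -> C:\\Users\\alice\\final.docx
2026-01-06T14:09:30 WS-BOB bob RENAME C:\\Users\\bob\\q1.xlsx -> C:\\Users\\bob\\q1-old.xlsx
"""

WINDOW = timedelta(seconds=60)   # assumed: renames counted within one minute
THRESHOLD = 5                    # assumed: this many extension changes = alert
IR_MAILBOX = "security@yourdomain.com"   # placeholder address from the article
ON_CALL = "oncall-primary"               # hypothetical on-call contact


def parse_ts(text):
    """Parse the ISO-8601 timestamp used in the sample log."""
    return datetime.fromisoformat(text)


def parse_line(line):
    ts, host, user, event, rest = line.split(" ", 4)
    old, new = rest.split(" -> ")
    return {"ts": parse_ts(ts), "host": host, "user": user,
            "event": event, "old": old, "new": new}


def extension(path):
    """Lower-cased final extension of a Windows-style path ('' if none)."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_mass_rename(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return one finding per host whose renames change the extension of at
    least `threshold` files to the same new extension within `window`.
    Ordinary renames that keep the extension (alice, bob) are ignored."""
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["event"] == "RENAME" and extension(ev["old"]) != extension(ev["new"]):
            by_host[ev["host"]].append(ev)

    findings = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        for i, start in enumerate(events):
            in_window = [e for e in events[i:] if e["ts"] - start["ts"] <= window]
            ext_counts = defaultdict(int)
            for e in in_window:
                ext_counts[extension(e["new"])] += 1
            ext, count = max(ext_counts.items(), key=lambda kv: kv[1])
            if count >= threshold:
                findings.append({"host": host, "user": start["user"],
                                 "first_seen": start["ts"],
                                 "extension": ext, "count": count})
                break  # one finding per host is enough to trigger the playbook
    return findings


def build_alert(finding, mailbox=IR_MAILBOX, on_call=ON_CALL):
    """Route the finding to the IR mailbox and on-call person and name the
    first containment step from the malware playbook."""
    return {
        "severity": "HIGH",
        "playbook": "malware",
        "summary": (f"{finding['count']} files renamed to .{finding['extension']} "
                    f"on {finding['host']} within {int(WINDOW.total_seconds())}s"),
        "route_to": [mailbox, on_call],
        "first_containment_step": f"isolate {finding['host']} from the network",
        "detected_at": finding["first_seen"],
    }


def detection_to_isolation_minutes(alert, isolated_at):
    """Lessons-learned metric: minutes from first detection to containment."""
    return (isolated_at - alert["detected_at"]).total_seconds() / 60


if __name__ == "__main__":
    for finding in detect_mass_rename(SAMPLE_LOG):
        alert = build_alert(finding)
        print(alert["severity"], alert["summary"], "->", ", ".join(alert["route_to"]))
        print("minutes to isolation:",
              detection_to_isolation_minutes(alert, parse_ts("2026-01-06T14:14:01")))
```

The threshold and window are the knobs a lessons-learned review would tune: lowering them shortens detection-to-isolation time at the cost of more false positives on legitimate bulk renames, which is why the check requires the new extension to be shared across the burst rather than counting every rename.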

Example in a Small or Medium Business

A mid-sized engineering firm runs EDR on all employee workstations and routes EDR alerts to security@engineeringco.com. One afternoon an analyst receives an EDR alert that John's laptop is exhibiting ransomware-like behavior. The analyst follows the company's malware playbook: they immediately disconnect John's laptop from the network, notify the IR team via the published escalation list, and preserve a volatile memory snapshot for analysis. The incident lead confirms the scope by checking centralized logs and determines the infection is isolated to John's device. The team restores John's work environment from known-good backups, resets his credentials, and scans for any lateral activity on file shares. Communications are sent to affected users with clear recovery expectations and steps to avoid reinfection (for example, change passwords and forward suspicious emails to security@engineeringco.com). After the event, the IR team runs a lessons-learned session, updates the malware playbook to shorten detection-to-isolation time, and schedules a brief all-staff reminder about phishing indicators and the incident reporting address.

Summary

For SMBs, meeting IR.L2-3.6.1 is practical and achievable with a combination of concise policy, designated people, and focused technical controls. A clear incident response plan, defined roles and contacts, basic detection tools (EDR/logging), one-page playbooks for common incidents, regular exercises, and a lessons-learned loop together provide an operational incident-handling capability that covers preparation, detection, analysis, containment, recovery, and user response activities. Start small, document everything, and iterate after each exercise or real incident to build a reliable and repeatable IR capability.
