This guide walks a small business through a practical, step-by-step implementation to satisfy NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 control IR.L2-3.6.1, covering Preparation, Detection, Analysis, Containment, Recovery, and User Response with actionable technical tasks, low-cost tool suggestions, and real-world examples.
Understanding IR.L2-3.6.1 and objectives
IR.L2-3.6.1 requires an organization handling Controlled Unclassified Information (CUI) to establish and operate an incident response capability that covers the full incident lifecycle: prepare, detect, analyze, contain, recover, and communicate to affected users. For Compliance Framework implementations (NIST 800-171 / CMMC 2.0 Level 2) this means documenting the incident response plan in your System Security Plan (SSP), maintaining playbooks and evidence for assessors, and ensuring that the organization can demonstrate repeatable technical and procedural actions against incidents involving CUI.
Step-by-step implementation overview
Implement this control by building six repeatable pillars: (1) prepare people, processes and assets; (2) deploy detection telemetry and tuning; (3) establish analysis and triage workflows; (4) codify containment actions and controls; (5) design recovery and verification procedures; and (6) plan user-facing communication and legal/regulatory notifications. Use the SSP and a POA&M to track gaps, and integrate incident response (IR) evidence collection into your continuous monitoring program.
Preparation (Policies, inventory, tooling, playbooks)
Practical steps: designate an IR lead and alternates; create an evidence-backed IR policy; build an asset inventory mapping CUI locations (servers, file shares, SaaS tenants); and choose core tooling: low-cost EDR (e.g., CrowdStrike Falcon, SentinelOne, or a managed EDR service), centralized logging (CloudTrail/CloudWatch, Azure Monitor, or ELK/Splunk/Datadog), and a ticketing system (Jira/ServiceNow/ManageEngine). Create playbooks for common incidents (phishing, ransomware, data exfiltration) with decision trees and checklists; include contact lists, legal counsel contact, and step-by-step "first 30 minutes" actions. For Compliance Framework evidence: record training logs, table-top exercise minutes, and a populated SSP referencing the IR playbooks.
Detection (Telemetry, rules, thresholds)
Detection must be measurable. Configure the following telemetry: Windows Security and Sysmon logs, Linux auditd, web-proxy logs, firewall logs, EDR telemetry (process creation, network connections), and cloud audit logs (AWS CloudTrail, Azure Activity Log). Implement a SIEM or log aggregator and at minimum create detection rules for suspicious activities such as multiple failed logins followed by a successful one, unusual PowerShell/WMIC execution, large outbound transfers, and new admin account creation. Example Splunk query for suspicious PowerShell (the parentheses make the OR grouping explicit):
index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-PowerShell/Operational" ("EncodedCommand" OR "Invoke-Expression") | stats count by host, user
Set alert thresholds and target MTTD (mean time to detect) goals; start with under 24 hours for a small shop and tighten as capability matures.
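To show what "measurable" detection rules look like outside a single SIEM query, here is an added example (not code from the original guide) that implements the four rule ideas above in Python over a handful of constructed Windows-style event records. The record layout, field names (ts, host, event_id, user, script_block, group_name, bytes_out) and the thresholds are assumptions chosen for illustration; the event IDs follow the Windows Security and PowerShell Operational logs (4625 failed logon, 4624 successful logon, 4104 script block, 4728/4732 member added to a group), and the outbound-volume record stands in for a proxy or firewall log line.

```python
"""Small rule set over constructed Windows-style event records.

Added example, not code from the original guide. Records and field names
are constructed for illustration; thresholds are starting points to tune.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_GROUPS = {"Domain Admins", "Administrators", "Enterprise Admins"}
SUSPICIOUS_PS = ("-encodedcommand", "invoke-expression", "iex(")

# Constructed sample data, not real logs. The base64 blob is just "ABC".
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:01", "host": "WS01", "event_id": 4625, "user": "jdoe", "src_ip": "203.0.113.5"},
    {"ts": "2024-05-01T09:00:03", "host": "WS01", "event_id": 4625, "user": "jdoe", "src_ip": "203.0.113.5"},
    {"ts": "2024-05-01T09:00:05", "host": "WS01", "event_id": 4625, "user": "jdoe", "src_ip": "203.0.113.5"},
    {"ts": "2024-05-01T09:00:07", "host": "WS01", "event_id": 4625, "user": "jdoe", "src_ip": "203.0.113.5"},
    {"ts": "2024-05-01T09:00:09", "host": "WS01", "event_id": 4625, "user": "jdoe", "src_ip": "203.0.113.5"},
    {"ts": "2024-05-01T09:00:12", "host": "WS01", "event_id": 4624, "user": "jdoe", "src_ip": "203.0.113.5"},
    {"ts": "2024-05-01T09:05:00", "host": "WS02", "event_id": 4625, "user": "asmith", "src_ip": "10.0.0.8"},
    {"ts": "2024-05-01T09:05:30", "host": "WS02", "event_id": 4624, "user": "asmith", "src_ip": "10.0.0.8"},
    {"ts": "2024-05-01T09:10:00", "host": "WS01", "event_id": 4104, "user": "jdoe",
     "script_block": "powershell.exe -EncodedCommand QQBCAEMA"},
    {"ts": "2024-05-01T09:11:00", "host": "DC01", "event_id": 4728, "user": "jdoe",
     "target_user": "svc_backup2", "group_name": "Domain Admins"},
    {"ts": "2024-05-01T09:12:00", "host": "DC01", "event_id": 4728, "user": "admin.ops",
     "target_user": "hr_intern", "group_name": "HR Staff"},
    {"ts": "2024-05-01T09:20:00", "host": "WS01", "source": "proxy", "user": "jdoe",
     "dest": "files.example.net", "bytes_out": 2_400_000_000},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def rule_failed_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """At least `threshold` 4625 events for a user, then a 4624 inside `window`."""
    alerts = []
    by_user = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e.get("event_id") in (4624, 4625):
            by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        failures = []
        for e in evs:
            if e["event_id"] == 4625:
                failures.append(_ts(e))
                continue
            recent = [f for f in failures if _ts(e) - f <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "failed_then_success", "user": user, "host": e["host"],
                               "src_ip": e.get("src_ip"), "failures": len(recent)})
            failures = []  # a success closes the window for that user
    return alerts


def rule_suspicious_powershell(events):
    """4104 script blocks carrying encoded-command or dynamic-evaluation markers."""
    return [{"rule": "suspicious_powershell", "user": e["user"], "host": e["host"], "match": m}
            for e in events if e.get("event_id") == 4104
            for m in SUSPICIOUS_PS if m in e.get("script_block", "").lower()]


def rule_admin_group_change(events):
    """4728/4732: a member was added to one of the privileged groups."""
    return [{"rule": "admin_group_change", "user": e["user"], "host": e["host"],
             "target_user": e["target_user"], "group": e["group_name"]}
            for e in events
            if e.get("event_id") in (4728, 4732) and e["group_name"] in ADMIN_GROUPS]


def rule_large_outbound(events, limit_bytes=1_000_000_000):
    """Proxy/firewall records whose outbound byte count exceeds the limit."""
    return [{"rule": "large_outbound", "user": e["user"], "host": e["host"],
             "dest": e["dest"], "bytes_out": e["bytes_out"]}
            for e in events if e.get("source") == "proxy" and e["bytes_out"] > limit_bytes]


def run_rules(events):
    """Run every rule and return the combined alert list (the SIEM alert feed)."""
    alerts = []
    for rule in (rule_failed_then_success, rule_suspicious_powershell,
                 rule_admin_group_change, rule_large_outbound):
        alerts.extend(rule(events))
    return alerts


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

Against the sample data the run yields four alerts: the brute-force-then-success for jdoe, the encoded PowerShell block, the addition to Domain Admins, and the 2.4 GB outbound transfer; asmith's single failure and the HR group change stay quiet. Tuning the threshold and window arguments is the same exercise as tuning the SIEM rule, and each alert record carries the fields (host, user, source IP) the triage workflow in the next section needs for enrichment.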
Analysis (Triage, enrichment, forensics)
When an alert fires, follow a documented triage workflow: validate the alert (false-positive check), enrich with contextual data (asset owner, business function, CUI presence), and escalate severity based on impact. Capture forensic artifacts: memory dumps (using LiME or DumpIt), disk images (FTK Imager), relevant log slices, and network captures (pcap). Ensure all evidence is time-synced (NTP), hashed (SHA256), and chain-of-custody logged. For a small business without in-house DFIR, plan a retainer or runbook with a managed IR provider to perform deep analysis; document the provider contract in the SSP and include their playbook in the POA&M.
Containment (Immediate technical controls)
Containment actions should be pre-approved in playbooks and reversible where possible. Typical steps: isolate affected endpoints by quarantining them through EDR (EDR API call or console action), block malicious IPs/domains at the firewall (example: iptables -A INPUT -s 198.51.100.0/24 -j DROP or update Palo Alto policy), disable compromised accounts in Active Directory (dsmod user "CN=joe,OU=Users,DC=example,DC=com" -disabled yes), and segment affected VLANs to stop lateral movement. Preserve evidence before destructive actions; e.g., snapshot a VM before re-imaging. Record timestamped screenshots of consoles and maintain a log of containment commands run and who authorized them; this is key evidence for an assessor.
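The Analysis section asks for evidence that is hashed (SHA-256) and chain-of-custody logged, and the Containment section asks for a log of containment commands and who authorized them. Both are the same record-keeping problem, so here is one added example (not code from the original guide) of an incident ledger in Python that hashes each collected artifact, records each containment action with its operator and approver, and chains every entry to the previous one so that later edits to the ledger are detectable. The incident id, host names, file names and the EDR isolation action are constructed placeholders; the dsmod command is the one quoted above.

```python
"""Hash-chained incident ledger for evidence artifacts and containment actions.

Added example, not code from the original guide. Incident ids, hosts,
file names and the isolation action are constructed placeholders.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

GENESIS = "0" * 64  # prev_hash of the first entry


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large disk/memory images do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


class IncidentLedger:
    def __init__(self, incident_id):
        self.incident_id = incident_id
        self.entries = []

    def _append(self, kind, **fields):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {"incident_id": self.incident_id, "seq": len(self.entries), "kind": kind,
                 # UTC timestamps; the recording host should be NTP-synced with the log sources
                 "recorded_at": datetime.now(timezone.utc).isoformat(),
                 "prev_hash": prev, **fields}
        entry["entry_hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)
        return entry

    def record_artifact(self, path, collected_by, source_host):
        """Chain-of-custody entry: who collected which file from which host, with its hash."""
        return self._append("artifact", path=str(path), sha256=sha256_file(path),
                            size=Path(path).stat().st_size,
                            collected_by=collected_by, source_host=source_host)

    def record_containment(self, command, operator, approved_by, target):
        """Containment entry: the command actually run, who ran it, who authorized it."""
        return self._append("containment", command=command, operator=operator,
                            approved_by=approved_by, target=target)

    def verify(self):
        """True if every entry's hash and back-link are intact (no edits or reordering)."""
        prev = GENESIS
        for e in self.entries:
            if e["prev_hash"] != prev:
                return False
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def verify_artifact(self, entry):
        """Re-hash an artifact on disk and compare with the value recorded at collection time."""
        return entry["kind"] == "artifact" and sha256_file(entry["path"]) == entry["sha256"]

    def dump(self, path):
        """Write JSON lines; this file goes into the SSP evidence folder for the incident."""
        with open(path, "w") as f:
            for e in self.entries:
                f.write(json.dumps(e, sort_keys=True) + "\n")


def run_demo(workdir=None):
    """Constructed walk-through: one memory-image artifact, two containment actions."""
    workdir = Path(workdir or tempfile.mkdtemp())
    artifact = workdir / "WS01-memory.raw"  # placeholder stand-in for a real memory image
    artifact.write_bytes(b"CONSTRUCTED SAMPLE ARTIFACT\n" * 1000)
    ledger = IncidentLedger("INC-EXAMPLE-001")  # placeholder incident id
    ledger.record_artifact(artifact, collected_by="ir.lead", source_host="WS01")
    ledger.record_containment("EDR console: network-isolate host", operator="ir.lead",
                              approved_by="ciso", target="WS01")
    ledger.record_containment('dsmod user "CN=joe,OU=Users,DC=example,DC=com" -disabled yes',
                              operator="ad.admin", approved_by="ir.lead", target="joe")
    ledger.dump(workdir / "INC-EXAMPLE-001.jsonl")
    return ledger


if __name__ == "__main__":
    demo = run_demo()
    print("ledger intact:", demo.verify())
    for e in demo.entries:
        print(e["seq"], e["kind"], e["entry_hash"][:16])
```

The ledger is deliberately append-only: an assessor can recompute the chain from the JSON-lines file and confirm that no containment entry was altered after the fact, and verify_artifact lets the DFIR provider confirm that the image they receive is the one the IR lead hashed at collection time.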
Recovery and User Response (Restoration, communication, lessons learned)
Recovery: verify backups are recent, intact, and isolated. Restore systems from clean images or backups after ensuring the root cause is removed (apply patches, revoke credentials, rotate keys). Perform post-recovery validation: vulnerability scan, integrity checks, and monitoring for recurrence. For user response: prepare templates for internal notifications and customer/regulator notifications including what happened, what CUI (if any) was impacted, remediation steps taken, and recommended user actions (password resets, account monitoring). Example: a concise notification to customers and DoD contracting officer should include incident timeline, CUI types potentially exposed, mitigations, and planned follow-up. Track and log all notifications for compliance evidence.
Compliance tips, best practices and risks of non-implementation
Best practices: integrate IR artifacts into the SSP and control evidence folders (alerts, playbooks, exercise reports); maintain a POA&M with milestones for unresolved items; run quarterly table-top exercises and at least one full technical test per year (restore from backup, simulate containment). Low-cost approaches for small businesses: use cloud-native logging (AWS CloudTrail + GuardDuty), a bundled EDR service, and an MSSP for 24/7 monitoring. Risks of not implementing IR.L2-3.6.1 include loss of DoD contracts, DFARS non-compliance, unauthorized disclosure of CUI, business interruption, and reputational damage. Demonstrable IR capability reduces time-to-contain and recovery costs and is frequently validated in CMMC assessments; lack of evidence will fail an assessment even if controls are somewhat effective in practice.
In summary, meeting IR.L2-3.6.1 is achievable for small businesses by documenting policies, instrumenting detection telemetry, codifying triage and containment playbooks, preserving forensics, practicing recovery, and maintaining clear user/contractor communications; track everything in your SSP and POA&M, leverage cloud-native and managed services where needed, and run regular exercises so the documented processes work in real incidents.