Incident Handling
Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
What an assessor scores, the objectives
IR.L2-3.6.1 is met only when every one of these 7 objectives, from NIST SP 800-171A, is satisfied. A single missed objective makes the whole requirement not met.
- a.an operational incident-handling capability is established
- b.the operational incident-handling capability includes preparation
- c.the operational incident-handling capability includes detection
- d.the operational incident-handling capability includes analysis
- e.the operational incident-handling capability includes containment
- f.the operational incident-handling capability includes recovery
- g.the operational incident-handling capability includes user response activities
How a C3PAO checks it
NIST SP 800-171A defines three assessment methods. For IR.L2-3.6.1, an assessor uses these:
Incident response policy; contingency planning policy; procedures addressing incident handling; procedures addressing incident response assistance; incident response plan; contingency plan; system security plan; procedures addressing incident response training; incident response training curriculum; incident response training materials; incident response training records; other relevant documents or records
Personnel with incident handling responsibilities; personnel with contingency planning responsibilities; personnel with incident response training and operational responsibilities; personnel with incident response assistance and support responsibilities; personnel with access to incident response support and assistance capability; personnel with information security responsibilities
Incident-handling capability for the organization; organizational processes for incident response assistance; mechanisms supporting or implementing incident response assistance
What it means, in context
Organizations recognize that incident handling capability is dependent on the capabilities of organizational systems and the mission/business processes being supported by those systems. Organizations consider incident handling as part of the definition, design, and development of mission/business processes and systems. Incident-related information can be obtained from a variety of sources including audit monitoring, network monitoring, physical access monitoring, user and administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including mission/business owners, system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive. As part of user response activities, incident response training is provided by organizations and is linked directly to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to know who to call or how to recognize an incident on the system; system administrators may require additional training on how to handle or remediate incidents; and incident responders may receive more specific training on forensics, reporting, system recovery, and restoration. Incident response training includes user training in the identification/reporting of suspicious activities from external an d internal sources. User response activities also includes incident response assistance which may consist of help desk support, assistance groups, and access to forensics services or consumer redress services, when required. NIST SP 800-61 provides guidance on incident handling. SP 800-86 and SP 800-101 provide guidance on integrating forensic techniques into incident response. SP 800 -161 provides guidance on supply chain risk management.
Incident handling capabilities prepare your organization to respond to incidents and may: • identify people inside and outside your organization you may need to contact during an incident; • establish a way to report incidents, such as an email address or a phone number; • establish a system for tracking incidents; and • determine a place and a way to store evidence of an incident. Software and hardware may be required to analyze incidents when they occur. Incident prevention activities are also part of an incident- handling capability. The incident-handling team provides input for such things as risk assessments and training. OSAs detect incidents using different indicators. Indicators may include: • alerts from sensors or antivirus software; • a filename that looks unusual; and • log entries that raise concern. After detecting an incident, an incident response team performs analysis. This requires some knowledge of normal network operations. The incident should be documented including all the log entries associated with the incident. Containment of the incident is a critical step to stop the damage the incident is causing to your network. Containment activities should be based on previously defined organizational priorities and assessment of risk. Recovery activities restore systems to pre-incident functionality and address its underlying causes. Organizations should use recovery activities as a means of improving their overall resilience to future attacks. Example Your manager asks you to set up your company’s incident-response capability [a]. First, you create an email address to collect information on possible incidents. Next, you draft a contact list of all the people who need to know when an incident occurs. You document a procedure for how to submit incidents that includes roles and responsibilities when a potential incident is detected or reported. The procedure also explains how to track incidents, from initial creation to closure [b]. Potential Assessment Considerations • Is there an incident response policy which specifically outlines requirements for handling of incidents involving CUI [a]?
What passing evidence looks like
The incident response plan covering the full lifecycle (prepare, detect, analyze, contain, recover, user response activity) plus proof the capability is real: named roles, contact tree, and at least one incident record or exercise showing it operates.
Common ways contractors fail IR.L2-3.6.1
- !Seven objectives spanning the lifecycle. Your plan document must literally walk preparation, detection, analysis, containment, recovery, and user reporting, use those words as section headers so the assessor can map objectives to pages.
- !An operational capability needs people: name the incident lead and backup. A plan with no names is a template, not a capability.
The step by step walkthrough for Microsoft 365 GCC High, Google Workspace, and on premises setups, plus the exact evidence to capture, lives inside the Level 2 Accelerator.
Prove IR.L2-3.6.1, and the other 109
The Level 2 Accelerator walks all 110 requirements with you, generates your SSP, POA&M, and Audit Room from real evidence, includes the full Level 1 platform, and puts a credentialed officer alongside you for 180 days. Filed in 180 days, or we work free until you are.
No credit card. Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.
IR.L2-3.6.1 questions, answered
How many points is CMMC requirement IR.L2-3.6.1 worth?+
IR.L2-3.6.1 is worth 5 points in the CMMC Level 2 score under 32 CFR 170.24. If it is not met, you lose 5 from your total of 110.
Can IR.L2-3.6.1 be placed on a POA&M?+
No. IR.L2-3.6.1 must be fully met before you can file. It cannot be deferred to a POA&M, so it is a gate on your assessment.
What family does IR.L2-3.6.1 belong to?+
IR.L2-3.6.1 is in the Incident Response (IR) family, one of the 14 families of NIST SP 800-171 that make up CMMC Level 2.
- NIST SP 800-171 Rev. 2 3.6.1