Incident Response (IR): Detecting, Responding, & Mitigating Cyber Threats

All three controls in this family are listed below.


Got questions? Contact our team today for a free CMMC Consultation

3.6.1

Establish and maintain an operational incident-handling capability that includes preparation, detection, analysis, containment, recovery, and user response activities. Include documented processes and assigned personnel for effective response.

NIST 800-171 Control Identifier: 3.6.1
CMMC Control Identifier: IR.L2-3.6.1
Control CMMC Level: 2
Basic or Derived Security: Basic

Relevant NIST SP 800-53 R5

IR-2: Incident response training to personnel responsible for incident handling

IR-4: Implement incident handling process to respond to security incidents

IR-5: Track, document, and report security incidents

IR-6: Report security incidents to internal and external stakeholders as required

IR-7: Provide specialized incident response support when needed

Recommended Microsoft Licensing

Microsoft 365 E5 (or GCC High E5 for CUI) and Microsoft Sentinel

(includes Microsoft Defender XDR for detection, Sentinel for SIEM/log correlation, and incident case management)

3.6.2

Track, document, and report cybersecurity incidents to internal security officials and designated external authorities in accordance with policy or contractual obligations. This includes maintaining incident records, timelines, resolution status, and audit trails.

NIST 800-171 Control Identifier: 3.6.2
CMMC Control Identifier: IR.L2-3.6.2
Control CMMC Level: 2
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

IR-2: Incident response training to personnel responsible for incident handling

IR-4: Implement incident handling process to respond to security incidents

IR-5: Track, document, and report security incidents

IR-6: Report security incidents to internal and external stakeholders as required

IR-7: Provide specialized incident response support when needed

Recommended Microsoft Licensing

Microsoft 365 E5 (or GCC High E5 for CUI)

  • Microsoft Sentinel for SIEM and log correlation

(Includes integration with Microsoft 365 Defender for alert management, incident timelines, automated incident response, and exportable reporting.)

3.6.3

Periodically test the organizational incident response capability through exercises, simulations, or tabletop scenarios to evaluate preparedness, identify gaps, and ensure timely and effective responses.

NIST 800-171 Control Identifier: 3.6.3
CMMC Control Identifier: IR.L2-3.6.3
Control CMMC Level: 2
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

IR-3: Test incident response capabilities to ensure effectiveness and readiness

Recommended Microsoft Licensing

Microsoft 365 E5 (or GCC High E5 for CUI)

  • Microsoft Sentinel for SIEM/log correlation

(Enables simulation of security incidents, automated attack simulation tools, and audit reporting for IR testing exercises.)

Microsoft Cloud for CMMC Compliance


See how Agile IT's MSP for CMMC can strengthen your data security and allow your team to focus on your business's objectives and success.
