Incident Response Plan Template (CMMC/NIST)

Who Needs This Guide?

This isn't a generic cybersecurity article. This is a practical compliance guide for businesses in the defense industrial base (DIB) who need to act now:

Why Every Federal Contractor Needs an Incident Response Plan

An incident response plan (IRP) isn't optional — it's a federal requirement. Under NIST 800-171 (Control Family 3.6 — Incident Response), organizations handling Controlled Unclassified Information (CUI) must maintain documented incident response capabilities. CMMC Level 2 maps directly to these controls.

Here's what's at stake without one:

• ❌ Contract disqualification — You literally cannot win DoD contracts without documented IR procedures
• ❌ DFARS non-compliance — Violation of DFARS 252.204-7012 can trigger False Claims Act liability
• ❌ Supply chain rejection — Primes are dropping non-compliant subs to protect their own contracts
• ❌ 72-hour reporting failure — DFARS requires reporting cyber incidents to DoD within 72 hours. Without an IRP, you'll miss this window
• ❌ Financial devastation — The average cost of a data breach for small businesses is $4.88M (IBM, 2024)

The 6 Phases of a NIST-Aligned Incident Response Plan

Your IRP must align with NIST SP 800-61 (Computer Security Incident Handling Guide) and satisfy NIST 800-171 controls 3.6.1 through 3.6.3. Here's how to build one that passes audit:

Phase 1: Preparation — Build Your Response Capability

This is where 90% of businesses fail. Preparation isn't just about having a document — it's about having the capability to respond.

Establish Your Incident Response Team:

• • Incident Commander: Overall response coordination and decision authority
• • IT/Security Lead: Technical containment, forensics, and recovery
• • Communications Lead: Internal notifications, customer communications, media
• • Legal Counsel: Regulatory obligations, DFARS reporting, liability assessment
• • Executive Sponsor: Budget authority and strategic decisions
• • Compliance Officer: Ensures response actions satisfy NIST/CMMC/DFARS requirements

Essential Preparation Activities:

• • Document procedures for each incident type (malware, ransomware, data breach, insider threat, phishing)
• • Maintain current network diagrams and CUI data flow maps
• • Establish communication trees with backup contacts
• • Pre-negotiate contracts with forensic and legal vendors
• • Train all employees on incident recognition and reporting
• • Maintain offline copies of critical documentation

Phase 2: Detection & Analysis — Know When You're Under Attack

NIST 800-171 Control 3.14 (System and Information Integrity) requires continuous monitoring. You can't respond to what you can't detect.

• • SIEM deployment — Centralized log collection and correlation
• • EDR on all endpoints — Real-time threat detection on workstations and servers
• • Network monitoring — IDS/IPS for network-level threat detection
• • Employee reporting channel — Easy way for staff to report suspicious activity
• • Automated alerting — Immediate notification for critical security events

Incident Classification Matrix:

Phase 3: Containment — Stop the Bleeding

Speed is everything. The difference between a contained incident and a catastrophic breach is often measured in minutes.

Immediate Containment (First 60 Minutes):

• • Isolate affected systems from the network (don't power off — preserve evidence)
• • Disable compromised user accounts
• • Block malicious IPs at the firewall
• • Capture volatile memory and system state for forensics
• • Activate your communication tree

Long-Term Containment:

• • Apply temporary patches or configuration changes
• • Deploy additional monitoring on affected network segments
• • Implement emergency access controls
• • Begin stakeholder communications

Phase 4: Eradication — Remove the Threat Completely

• • Identify and eliminate root cause (compromised credentials, unpatched vulnerability, etc.)
• • Remove all malware, backdoors, and persistence mechanisms
• • Patch exploited vulnerabilities across all systems
• • Reset all potentially compromised credentials
• • Verify clean state with endpoint and network scans

Phase 5: Recovery — Restore Operations Safely

• • Restore systems from known-clean backups
• • Implement enhanced monitoring on recovered systems
• • Gradually restore network connectivity
• • Validate system integrity before returning to production
• • Document all recovery actions for audit trail

Phase 6: Lessons Learned — Close the Loop

NIST 800-171 Control 3.6.2 requires you to track, document, and report incidents. This phase satisfies that control and makes your next response faster.

• • Conduct post-incident review within 2 weeks
• • Update your IRP based on what worked and what didn't
• • Document timeline, actions taken, and outcomes
• • Brief leadership and update your POA&M if gaps were discovered
• • Conduct additional training if human error was a factor

For Prime Contractors: Your Supply Chain Is Your Liability

Under CMMC 2.0, prime contractors are responsible for ensuring their subcontractors meet the required security level. If you're a Tier 1 prime working with dozens of subs, here's the reality:

• ⚠️ Flow-down requirements — DFARS clauses flow down to every sub handling CUI
• ⚠️ SPRS score visibility — The DoD can now see your subs' self-assessment scores
• ⚠️ Audit liability — A sub's breach can trigger an investigation of your entire supply chain
• ⚠️ Contract risk — Non-compliant subs can cause you to lose the prime contract

Compliance in Weeks, Not Months: How We Do It

Most compliance consultants take 6–12 months because they treat every engagement the same. We don't. Our accelerated methodology is built for businesses that need results now:

Testing Your Incident Response Plan

A plan that hasn't been tested is just a document. NIST 800-171 Control 3.6.3 requires organizations to test their incident response capability. Here's how:

Tabletop Exercises (Quarterly)

Walk through realistic scenarios with your response team. No systems involved — purely discussion-based. Example scenario: "It's Friday at 4:45 PM. Your EDR alerts on ransomware encryption starting on the file server that contains CUI. What do you do?"

Simulation Tests (Semi-Annual)

Controlled tests with simulated incidents. Phishing simulations, mock breach notifications, and timed response exercises.

Full-Scale Tests (Annual)

Complete response activation with real system isolation, forensic evidence collection, and stakeholder notifications (clearly marked as exercises).

NIST 800-171 Incident Response Controls Checklist

Your IRP must address these specific NIST 800-171 controls to pass a CMMC Level 2 assessment:

• ☑️ 3.6.1 — Establish an operational incident-handling capability including preparation, detection, analysis, containment, recovery, and user response activities
• ☑️ 3.6.2 — Track, document, and report incidents to designated officials and/or authorities
• ☑️ 3.6.3 — Test the organizational incident response capability

Related controls your IRP should reference:

• • 3.12.1–3.12.4 — Security Assessment (periodic assessments, POA&M, monitoring)
• • 3.14.1–3.14.7 — System and Information Integrity (monitoring, malware protection, alerts)
• • 3.4.1–3.4.9 — Configuration Management (baseline configs, change control)

For the complete checklist: NIST 800-171 Compliance Checklist for Small Business →

Related Compliance Resources

More resources: Protect Your Business from Cyberattacks · Essential Cybersecurity Practices · Ransomware Protection Strategies