CMMC Incident Response Requirements: How to Build a Compliant Incident Response Plan [+ Template]

  • January 13, 2026
Author

Emily Bonnie

Senior Content Marketing Manager

Reviewer

Dylan Miller

Partner Manager, Audit and Technology

The Cybersecurity Maturity Model Certification (CMMC) enforcement is now in effect, and for many Department of Defense contractors this is the first time their security practices will be reviewed against a formal federal standard. Incident response tends to be one of the areas that feels intimidating because it blends policy writing, technical readiness, documentation, and coordination across teams. 

It is also one of the domains most closely scrutinized during a C3PAO assessment because it directly reflects your ability to protect CUI in real-world situations. Much of the evaluation takes place in interviews, where assessors ask personnel to explain how they would recognize an incident, report it, and carry out their assigned responsibilities. 

The good news is that you do not need specialized tooling or advanced forensics capabilities to meet CMMC incident response requirements. Assessors want to see that your process is effective, consistently followed, and appropriate for the size and structure of your organization, and that your personnel know what to do when something looks suspicious.

This guide walks you through everything in clear terms. You’ll learn exactly what CMMC requires at each level, what kinds of cybersecurity incidents must be reported, how DFARS 252.204-7012 fits into the picture, and how to write a complete incident response plan aligned with NIST SP 800-171. You’ll also get a template you can adapt immediately for your organization.

What are the CMMC incident response requirements?

Incident response is one of the most important domains in CMMC 2.0 because it shows how well your organization can detect, contain, and recover from security events that impact Controlled Unclassified Information (CUI). CMMC divides requirements across three maturity levels, and each level builds on the one before it.

Let’s break down what you must do at Levels 2 and 3 and what assessors typically look for.

CMMC Level 2: Full NIST SP 800-171 aligned incident response capability

If you handle CUI, Level 2 applies, and this is where incident response becomes a fully defined practice rather than a simple reporting process. At this level, you must implement all incident response controls from NIST SP 800-171, which together create a complete capability for identifying, analyzing, containing, and recovering from cyber incidents. C3PAOs assess these controls using the NIST SP 800-171A Assessment Guide, which requires evidence of planning, execution, documentation, and regular testing.

NIST SP 800-171 and the supporting NIST SP 800-61 guidance structure incident response around four major phases: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity. Your policies, procedures, and workflows should reflect these stages clearly so an assessor can see how your entire process fits together.

The core CMMC 2.0 controls for incident response include:

  • IR.L2-3.6.1 – Incident Handling: Create a documented plan, define roles, and prepare the tools and procedures you will use during an incident.
  • IR.L2-3.6.2 – Incident Reporting: Use monitoring, logging, and clear employee reporting channels.
  • IR.L2-3.6.3 – Incident Response Testing: Test your incident response capability to verify that it is effective and to identify potential weaknesses or deficiencies. This can include checklists, walk-through or tabletop exercises, simulations, and comprehensive exercises.

To comply with Level 2 requirements, you must have:

  • A documented incident response plan that describes roles, responsibilities, reporting paths, communication expectations, containment procedures, and recovery steps.
  • A consistent method for tracking, analyzing, and documenting incidents from start to finish, including timelines, decisions, and outcomes.
  • A process for testing and improving your incident response plan, such as annual tabletop exercises or similar reviews.

During the assessment, the C3PAO will review your written plan, incident logs, test results, and interviews with personnel. They want to see a process that is clear, repeatable, and actively used. A plan that looks good on paper but does not reflect how your team actually works will not satisfy Level 2 requirements. When everything aligns, you demonstrate that you can identify and respond to threats quickly and safeguard CUI effectively.

CMMC Level 3: Advanced and proactive response

Level 3 builds on Level 2 with additional safeguards drawn from NIST SP 800-172. These requirements are designed for organizations supporting high priority programs or missions where the risk of advanced persistent threats is significantly higher. Level 3 focuses on stronger detection capabilities, coordinated incident response, and rapid containment. 

At this level, contractors will almost certainly need a Security Operations Center (SOC) capable of continuous monitoring, correlation, and escalation of security events. You must also maintain a Cyber Incident Response Team (CIRT) that has the expertise to investigate complex attacks, perform forensic analysis, and coordinate response activities across stakeholders.

Level 3 also expects organizations to incorporate threat intelligence, evaluate incidents for indicators of advanced actors, and refine processes based on lessons learned. The goal is not only reacting to incidents, but anticipating them, reducing dwell time, and strengthening your defensive posture. 

Unless your organization works with high priority CUI or supports sensitive DoD missions, you likely will not need Level 3. 

What types of incidents must be reported under CMMC?

A reportable incident is any event that affects the confidentiality, integrity, or availability of CUI or Federal Contract Information (FCI). The DoD expects contractors to treat even small anomalies seriously.

Common examples include cyber attacks that target your systems or sensitive information, such as:

  • Phishing attempts
  • Unauthorized login attempts or logins from unusual locations
  • Malware infections
  • Suspicious file transfers
  • Ransomware
  • Compromised accounts or credentials
  • Data breaches
  • Denial of service attacks

If the incident involves CUI and triggers DFARS 252.204-7012, contractors must report it within 72 hours using the DoD’s updated cyber incident reporting process through the DC3/DCISE portal or by emailing dc3.dcise@us.af.mil if a Medium Assurance Certificate is not available. The updated portal generates an .xml incident report file that must be submitted through secure DoD-approved channels such as encrypted email or SAFE.

You must also preserve any relevant logs and evidence such as authentication logs, EDR data, system alerts, and relevant network logs for at least 90 days in case the DoD or CISA requests additional analysis.

Who’s responsible for incident response in a CMMC environment?

Many contractors struggle with this question because their teams are small and people already wear multiple hats. CMMC does not require a large security operations structure; it requires clarity. Your assessor will expect you to know exactly who does what during an incident, and they will verify it during personnel interviews.

Here is what that usually looks like in practice:

Incident response lead

This is the person who coordinates everything during an incident. They receive reports, confirm whether something is truly an incident, decide on severity, notify leadership, and keep the process moving. In small organizations, this is often the IT manager, security manager, or even a knowledgeable operations leader. What matters most is that this person understands both your information systems and your incident response plan.

IT or Security administrator

This person handles the technical side. They investigate alerts, isolate affected systems, disable compromised accounts, pull logs, preserve evidence, and restore systems once the issue is resolved. If you work with an MSP or MSSP, they can fill this role as long as your plan documents the relationship clearly.

Executive sponsor

This is usually a senior leader such as the CEO, COO, CISO, or head of compliance. They do not handle the technical response, but they approve major decisions and authorize external notifications. They are responsible for submitting DoD reports when required by DFARS 252.204-7012, so assessors will expect them to understand that duty.

Communications or HR support

Depending on the size of your team, another leader may be responsible for communicating with employees, customers, or partners during an incident. This should be documented to avoid confusion once the response begins.

All employees

Under CMMC, every employee has one core responsibility. If they see something unusual, they must report it immediately. Your assessor will interview a representative sample of personnel, and at least one of them will be asked how they would report a security issue. This means awareness training is essential even if you have no dedicated security staff.

Small team or solo IT environment

Many defense contractors have a single IT admin or generalist leading all of these activities. This is perfectly acceptable. CMMC does not require multiple people. It requires documented roles, defined responsibilities, and evidence that your actual practice matches your written plan. If one person fills multiple roles, simply say so.

By being clear and realistic about who does what, you show assessors that your organization can respond to incidents without confusion, wasted time, or gaps in responsibility.

How to write a CMMC incident response plan + template

A strong incident response plan is one of the most important documents in your assessment. The goal is to create a document that someone can follow during a stressful moment without confusion or delay. Your plan also needs to reflect your actual environment, not an idealized one. If the plan says you perform 24/7 monitoring but you only check alerts during business hours, your assessor will notice.

The steps below will help you create a plan that meets CMMC requirements and actually works for your team.

1. Define what qualifies as a security incident in your environment

Start by describing what qualifies as an incident that impacts your CUI environment. This helps employees know what to look for and reduces hesitation about reporting something that might be important.

Your definition should cover events like unauthorized access attempts, suspicious authentication activity, malware infections, data exfiltration alerts, or any event that puts CUI at risk. You can include examples so employees have practical clarity.

2. Assign clear roles and responsibilities

Your plan should name the people or roles involved and explain what each one does during an incident. This is one of the first things an assessor looks for. They want to know who leads the response, who communicates with leadership, who talks to the DoD if necessary, and who documents the incident.

If your team is small, it is fine for one person to hold multiple responsibilities as long as your plan reflects reality.

3. Create a step by step incident response workflow

Your workflow should be simple, repeatable, and aligned with the four major phases of NIST SP 800-171 and NIST SP 800-61: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity.

A clear workflow usually includes:

  • How the incident is reported
  • How the incident is evaluated and assigned a severity level
  • How you contain damage, execute containment and eradication steps, and preserve evidence
  • How the incident is documented from beginning to end
  • How lessons learned are incorporated into future improvements to mitigate vulnerabilities

Make this section easy to follow so your staff can use it even when they are under pressure.

4. Document communication expectations

Your plan must explain how you communicate during an incident. This includes internal communication, leadership notifications, and external notifications. You should describe when you will notify the DoD in accordance with DFARS 252.204-7012, who communicates with customers or partners if needed, and how communication channels are secured during an active incident.

5. Explain how you collect and preserve evidence

Evidence handling is often overlooked, but assessors pay close attention to it. Your plan should describe how logs are collected, where evidence is stored, how access is restricted, and how you maintain chain of custody. Even a simple approach is acceptable as long as it is documented and followed consistently.
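As an added example (not part of the original post or the Secureframe template), the following Python sketch shows the kind of evidence register such a plan could describe: each item is hashed at collection so a later check detects changes, every hand-off is recorded against the current custodian, and the 72-hour reporting deadline and 90-day retention date cited above are derived from the discovery time. The incident ID, holder names, and sample log line are constructed for illustration.

```python
import hashlib
from datetime import datetime, timedelta

# Figures the post cites: the 72-hour DFARS 252.204-7012 reporting window for
# CUI incidents and the 90-day minimum preservation period for logs and evidence.
REPORT_WINDOW = timedelta(hours=72)
RETENTION_PERIOD = timedelta(days=90)


def sha256_file(path):
    """Hash a file in chunks so large log exports need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


class EvidenceLog:
    """Evidence register for one incident with a per-item chain-of-custody trail."""

    def __init__(self, incident_id, discovered_at):
        # discovered_at is an ISO 8601 timestamp with offset, e.g. "2026-01-13T09:00:00+00:00"
        self.incident_id = incident_id
        self.discovered_at = datetime.fromisoformat(discovered_at)
        self.items = {}  # evidence path -> record

    def report_deadline(self):
        return self.discovered_at + REPORT_WINDOW

    def retain_until(self):
        return self.discovered_at + RETENTION_PERIOD

    def collect(self, path, holder, description, at):
        """Register an item and hash it at collection; that hash is the integrity baseline."""
        self.items[path] = {
            "sha256": sha256_file(path),
            "description": description,
            "custody": [{"action": "collected", "holder": holder, "at": at}],
        }
        return self.items[path]

    def transfer(self, path, from_holder, to_holder, at):
        """Append a hand-off; refuse it unless from_holder is the current custodian."""
        trail = self.items[path]["custody"]
        if trail[-1]["holder"] != from_holder:
            raise ValueError(f"{from_holder} is not the current holder of {path}")
        trail.append({"action": "transferred", "holder": to_holder, "at": at})

    def verify(self):
        """Re-hash every item; a False value means it changed since collection."""
        return {p: sha256_file(p) == rec["sha256"] for p, rec in self.items.items()}
```

Storing the register itself in a location with restricted write access is what turns the hash baseline into usable chain-of-custody evidence.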

6. Describe your approach to incident response testing and improvement

CMMC expects you to test your incident response capability on a regular basis and update your processes based on what you learn. Testing does not need to be complicated, but it must be documented and repeatable. Most organizations meet this requirement by running an annual tabletop exercise that puts the team through a realistic scenario and validates whether your documented process works as intended. 

Your plan should explain how often you will run tabletop exercises, how improvements are tracked, and how changes are approved. Assessors typically look for evidence that the exercise occurred, which usually includes an agenda, recorded session notes, lessons learned, and any resulting updates to the incident response plan or related procedures. This documentation shows that your incident response is active and improving over time.

Even one cybersecurity tabletop exercise per year demonstrates that your team understands its responsibilities, the workflow is practical, and that you are continuously strengthening your ability to respond to real incidents. 

CMMC Incident Response Plan Template

If you want a complete, ready to customize incident response plan that aligns with NIST SP 800-171 and satisfies CMMC Level 2 requirements, you can download our full template. It includes purpose, scope, roles and responsibilities, step by step workflows, communication procedures, evidence handling, and testing guidance.

Streamline your CMMC compliance

Preparing for CMMC can feel overwhelming if this is your first time formalizing security practices or proving them to an outside assessor. For many contractors, the hardest part is not understanding the requirements. It’s building the documentation, maintaining the evidence, keeping controls up to date, and staying ready for a C3PAO assessment without adding a second full-time job for your team.

Secureframe Federal simplifies the entire process by giving you one platform to manage your controls, documentation, evidence, and assessment preparation. Instead of spreadsheets and scattered files, you get guided workflows mapped directly to CMMC requirements, with prebuilt policies and procedures you can customize in minutes.

For incident response, Secureframe Federal centralizes your documentation, incident log, communication records, and testing evidence so you can clearly show how your process works in practice. Automated integrations collect evidence from your systems, track control health, and update your SPRS score as you implement controls.

The result is a CMMC program that is faster, more organized, and significantly less expensive to maintain than building everything manually. With Secureframe Federal, you always know where you stand and what to do next, which removes the uncertainty that makes CMMC compliance feel so difficult.

If you want help preparing your documentation, monitoring your controls, or ensuring a smooth C3PAO assessment, Secureframe Federal gives you everything you need for CMMC readiness in one solution.

FAQs

What changed about incident response under CMMC 2.0?

CMMC 2.0 simplified the model into three levels but kept the full incident response requirements for organizations handling CUI. Levels 2 and 3 closely follow NIST SP 800-171 and NIST SP 800-172.

How often should we test our incident response plan?

It is strongly recommended to test at least once a year, or after any significant incident or system change. Tabletop exercises are sufficient as long as you document what happened and what you improved.

Do small businesses need a SOC to pass CMMC Level 2?

No, CMMC Level 2 does not require a SOC. It requires clear procedures, continuous monitoring appropriate to your environment, and a repeatable workflow. SOC requirements appear at Level 3.

Who is responsible for reporting incidents to the DoD?

Identify an executive leader or incident response lead who is authorized to submit reports.

Does having incidents hurt our CMMC assessment?

No. DoD contractors within the Defense Industrial Base are not penalized for having incidents. Assessors want to see that you detected the issue, responded appropriately, documented your actions, and followed your plan.

What tools support CMMC incident response?

Logging tools, endpoint protection, identity monitoring, SIEM services, and compliance automation platforms all support organizational incident response capability. The key is using security tools that help you detect issues quickly, document your response processes, and support the continuous monitoring expected in a mature incident response capability.

What are CMMC incident reporting requirements? 

CMMC follows the DFARS 252.204-7012 rule, which requires contractors to report certain cyber incidents that affect CUI to the DoD within 72 hours. This includes providing details about the affected information systems, the impact on your operations, and any potential supply chain implications.

Emily Bonnie

Senior Content Marketing Manager

Emily Bonnie is a seasoned digital marketing strategist with over ten years of experience creating content that attracts, engages, and converts for leading SaaS companies. At Secureframe, she helps demystify complex governance, risk, and compliance (GRC) topics, turning technical frameworks and regulations into accessible, actionable guidance. Her work aims to empower organizations of all sizes to strengthen their security posture, streamline compliance, and build lasting trust with customers.

Dylan Miller

Partner Manager, Audit and Technology

Dylan Miller is the Partner Manager of Audit & Technology at Secureframe, where he bridges the gap between audit, security, and technology to help organizations streamline and scale their compliance programs. With deep hands-on experience across frameworks like SOC 1, SOC 2, ISO 27001, and HIPAA—and a Finance degree from Temple University’s Fox School of Business—Dylan brings a unique mix of business acumen and technical fluency. He’s passionate about building transparent, value-driven partnerships and helping teams adopt smarter, more automated approaches to cybersecurity compliance.