CMMC Practice IR.L2-3.6.3

Test the organizational incident response capability.

Bold Coast Security Guidance

Tabletop exercises are the most common way to test your Incident Response Plan. Be sure to document your testing scenario, who was present, and any lessons learned for Plan improvement. Test can also provide needed training for your team members who are not normally concerned with technology, such as public relations and human resources. Testing should occur at least annually. To preserve peoples time and company resources, a "live" incident can often be substituted for a drill if there is full team involvement. Keep an eye out for industry led exercises which may be provided via conference calls in which larger scale scenarios and breach response information from government agencies are provided.

Discussion From Source

DRAFT NIST SP 800-171 R2 Organizations test incident response capabilities to determine the effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, simulations (both parallel and full interrupt), and comprehensive exercises. Incident response testing can also include a determination of the effects on organizational operations (e.g., reduction in mission capabilities), organizational assets, and individuals due to incident response.