CMMC Practice IR.5.110
Perform unannounced operational exercises to demonstrate technical and procedural responses.
Bold Coast Security Guidance
A live fire drill is the ultimate test of an organization's incident response capabilities. If you conduct them too often, the SOC team may become indifferent to incidents; if you conduct them too rarely, the organization has no meaningful information about its capabilities.
It can also be useful to incorporate third parties into the testing, both as observers and as red team adversaries. In that case, carefully define the rules of engagement and the boundaries for testing.
Develop a set of predefined goals that identify exactly which detection systems are being tested.
An organization is stronger against a cyber-attack when its incident response capability is proven to be able to handle a live incident. Operational exercises require the use of the operational environment by the staffed, operational personnel; they are not performed in a test environment. By performing this practice, an organization is testing its incident response capabilities and procedures as outlined in the IR plan. These tests should be built specifically to trigger the organization's IR process. This will involve the cyber defenders walking through the procedures as well as using their technical solutions. Preparation for an operational exercise might include performing a tabletop exercise to walk through the process, which helps identify shortfalls in the process before the live exercise.