It is 11 PM. Your network monitoring tool flags unusual outbound traffic from a workstation that handles Controlled Unclassified Information. By the time your team confirms it is a breach, the clock is already running. Under DFARS 252.204-7012, you have 72 hours from the moment of discovery to report the incident to the DoD, whether or not your investigation is complete.
For defense contractors, that scenario is not hypothetical. The Defense Industrial Base is one of the most persistently targeted sectors in the country, and the consequences of a mishandled incident reach well beyond the technical cleanup. An incident response plan for defense contractors is a regulatory requirement embedded directly in CMMC, DFARS, and NIST 800-171, and a missing or underprepared plan is a frequent finding in CMMC Level 2 assessments.
This guide walks through what the requirements actually demand, what a compliant plan looks like, and how to build one that survives assessor scrutiny.
Why Defense Contractors Need a Formal Incident Response Plan
Many contractors have some version of an incident response plan on file. Far fewer have one that meets the specific, evidence-based requirements of the CMMC assessment process. Understanding the regulatory baseline is the starting point.
The Regulatory Mandate
Three overlapping frameworks create the requirement:
- NIST SP 800-171, Section 3.6 (Incident Response). Controls 3.6.1 through 3.6.3 require contractors to establish an operational incident-handling capability, track and document incidents, and test the response capability. These are not aspirational. They are assessed controls.
- CMMC Level 2, Incident Response domain. Three practices map one to one with the NIST 3.6 controls: IR.L2-3.6.1 (establish an operational incident-handling capability), IR.L2-3.6.2 (track, document, and report incidents), and IR.L2-3.6.3 (test the response capability). Each requires objective evidence. Older CMMC 1.0 practice numbers such as IR.2.092 no longer apply; current assessments use the NIST-aligned numbering above.
- DFARS 252.204-7012, paragraph (c). When a cyber incident affects a covered contractor information system, you must report it to the DoD within 72 hours of discovery. This obligation applies to any contractor handling CUI under a covered contract, regardless of CMMC certification status.
The Operational Reality
DIB contractors are high-value targets precisely because of what they handle. Adversaries seeking CUI such as technical drawings, manufacturing processes, and research data do not limit their activity to prime contractors. Subcontractors at every tier are targeted.
The DFARS reporting trigger is discovery, not confirmed exfiltration. If you discover a compromise affecting a covered system, the 72-hour clock starts immediately. Organizations that lack a documented response process routinely miss this window, with significant contractual and legal consequences.
Understanding exactly which systems and data fall under these requirements starts with a clear CUI inventory. See our What Is CUI? A Defense Contractor’s Guide for a detailed breakdown of identification and scoping requirements.
The 6 Core Components of a CMMC-Compliant Incident Response Plan
CMMC assessors are not evaluating whether you have a document. They are evaluating whether your organization can execute a response. A compliant incident response plan for defense contractors consists of six operationalized components, each tied to specific assessment evidence requirements.
1. Incident Response Policy and Scope
The plan must begin with a clear policy statement that defines what constitutes a cyber incident under DoD standards, identifies the covered systems in scope (aligned to your System Security Plan (SSP) boundary), and establishes the legal and contractual authorities that govern the response. The IRP scope must match the SSP boundary exactly. Misalignment between these two documents is a common assessor finding.
2. Roles and Responsibilities
Every incident response plan must name an Incident Response Team (IRT) with clearly defined roles, backup personnel for each position, and explicit authority assignments. This section must answer two questions: Who decides when to invoke the plan, and who is responsible for notifying the Contracting Officer and submitting the incident report?
Assessors will interview your IRT members. If the person named as IR Lead cannot describe their responsibilities without consulting the document, that is a finding.
3. Incident Identification and Classification
Not every security event is a reportable cyber incident. Your plan must define severity tiers aligned to DoD definitions, specify the indicators of compromise your team monitors, and establish clear escalation thresholds. This section should also describe your logging and alerting infrastructure, since assessors will want to understand how your organization would actually detect an incident in the first place.
4. Containment, Eradication, and Recovery Procedures
This is the operational core of the plan. You need scenario-specific playbooks, at minimum covering ransomware, credential compromise, and data exfiltration, with step-by-step procedures for isolating affected systems, preserving forensic evidence, eradicating the threat, and restoring operations. Procedures must account for CUI environments specifically: how are affected CUI systems isolated, and how is the integrity of the remaining CUI systems verified?
5. DFARS Cyber Incident Reporting Procedures
This section requires particular precision. DFARS 252.204-7012(c) requires you to report a cyber incident to the DoD within 72 hours of discovery. For years this was filed through the DIBNet portal at dibnet.dod.mil. That portal was retired in mid-2025, and reporting now runs through the DoD Cyber Crime Center (DC3) and its DCISE program, with the old DIBNet address redirecting there.
Two practical points belong in your plan. First, name the current submission channel and verify it periodically, because this process has changed and will change again. Second, account for the access step. Reporting requires DoD credentials that must be established in advance, historically a DoD-approved medium assurance certificate from an External Certificate Authority, which takes time to obtain because a third party must verify your identity. Contractors that wait until an incident to sort out portal access routinely miss the 72-hour window. Set up access before you need it.
Required elements of the report include:
- Contract numbers associated with the affected systems
- Facility CAGE code
- Date the incident was discovered
- Location and type of compromised data
- Description of the technique or method used
- Safeguards in place at the time of the incident
- Points of contact
Separately, DFARS requires contractors to preserve and protect images of compromised systems and relevant monitoring data for 90 days from the date the incident report is submitted, to support potential DoD forensic investigation. This media preservation requirement is frequently overlooked and is a separate compliance obligation distinct from the reporting requirement itself.
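To make the two clocks in this section concrete, here is an added example (not from the article and not part of any Nexeris template) of a small incident tracker in Python. It computes the 72-hour report deadline from the discovery time, refuses to mark a report submitted while any of the required elements listed above is blank, and derives the 90-day media preservation window from the submission date. The incident identifier, contract number, CAGE code and field names are constructed placeholders; the actual DC3/DCISE submission form uses its own labels.

```python
"""Incident clock tracker for DFARS 252.204-7012 reporting (added example, not from the article)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Required elements of the DoD cyber incident report, as listed in the plan section above.
# These key names are assumptions for this example; the DC3/DCISE form uses its own labels.
REQUIRED_REPORT_ELEMENTS: tuple[str, ...] = (
    "contract_numbers",
    "cage_code",
    "discovery_date",
    "compromised_data_location_and_type",
    "technique_description",
    "safeguards_in_place",
    "points_of_contact",
)

REPORTING_WINDOW = timedelta(hours=72)     # DFARS 252.204-7012(c): 72 hours from discovery
PRESERVATION_PERIOD = timedelta(days=90)   # DFARS media preservation: 90 days from report submission


@dataclass
class IncidentRecord:
    """One tracked incident (IR.L2-3.6.2: track, document, and report)."""
    incident_id: str
    discovered_at: datetime                       # timezone-aware; the 72-hour clock starts here
    report_fields: dict[str, str] = field(default_factory=dict)
    submitted_at: datetime | None = None

    def clock_at(self, hours_after_discovery: float) -> datetime:
        """Convenience: the wall-clock time N hours after discovery."""
        return self.discovered_at + timedelta(hours=hours_after_discovery)

    def report_deadline(self) -> datetime:
        return self.discovered_at + REPORTING_WINDOW

    def hours_remaining(self, now: datetime) -> float:
        """Hours left on the 72-hour clock; negative once the window has been missed."""
        return (self.report_deadline() - now) / timedelta(hours=1)

    def missing_elements(self) -> list[str]:
        """Required report elements that are still blank."""
        return [name for name in REQUIRED_REPORT_ELEMENTS
                if not self.report_fields.get(name, "").strip()]

    def submit_report(self, submitted_at: datetime) -> None:
        """Record submission; refuses an incomplete report so the gap is caught before the portal does."""
        missing = self.missing_elements()
        if missing:
            raise ValueError(f"report incomplete, missing: {', '.join(missing)}")
        self.submitted_at = submitted_at

    def preservation_expires(self) -> datetime | None:
        """End of the 90-day image/monitoring-data preservation period, once a report exists."""
        if self.submitted_at is None:
            return None
        return self.submitted_at + PRESERVATION_PERIOD

    def status(self, now: datetime) -> str:
        """One-line status an IR lead could read off a dashboard."""
        if self.submitted_at is None:
            remaining = self.hours_remaining(now)
            if remaining < 0:
                return f"{self.incident_id}: DFARS window MISSED by {-remaining:.1f} h"
            missing = self.missing_elements()
            detail = f"missing: {', '.join(missing)}" if missing else "report complete"
            return f"{self.incident_id}: report due in {remaining:.1f} h; {detail}"
        expires = self.preservation_expires()
        if now > expires:
            return f"{self.incident_id}: reported; preservation period ended {expires.date()}"
        return f"{self.incident_id}: reported; preserve images until {expires.date()}"


def build_sample_incident() -> IncidentRecord:
    """Constructed sample: the 11 PM discovery from the opening scenario, with placeholder identifiers."""
    return IncidentRecord(
        incident_id="IR-EXAMPLE-001",
        discovered_at=datetime(2025, 3, 1, 23, 0, tzinfo=timezone.utc),
        report_fields={
            "contract_numbers": "PLACEHOLDER-CONTRACT",
            "cage_code": "PLACEHOLDER-CAGE",
            "discovery_date": "2025-03-01",
            "compromised_data_location_and_type": "CUI workstation WS-07 (constructed); technical drawings",
            "technique_description": "",          # left blank: still under investigation
            "safeguards_in_place": "EDR, MFA, egress monitoring",
            "points_of_contact": "IR Lead (placeholder)",
        },
    )


if __name__ == "__main__":
    inc = build_sample_incident()
    now = inc.clock_at(24)
    print(inc.status(now))
    # The report is due whether or not the investigation is finished, so state what is known so far.
    inc.report_fields["technique_description"] = "Unknown at report time; unusual outbound traffic observed"
    inc.submit_report(now)
    print(inc.status(now))
```

The tracker deliberately keys both windows off different events, discovery for the report and submission for preservation, because that is where plans most often get the arithmetic wrong.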
For a deeper review of the full DFARS 252.204-7012 requirement set, see our DFARS 252.204-7012 compliance guide.
6. Post-Incident Review and Lessons Learned
The incident-handling capability required by IR.L2-3.6.1 includes a post-incident activity phase, and documented lessons learned are strong evidence for both that capability and the testing practice (IR.L2-3.6.3). Your plan must specify an after-action report format and a defined process for feeding findings back into your SSP, Plan of Action and Milestones (POA&M), and future training. This closes the compliance loop and demonstrates that your IR program is a continuous improvement process, not a one-time documentation exercise.
How to Build Your Incident Response Plan: A Step-by-Step Approach
For contractors starting from scratch or significantly revising an existing plan, the following sequence produces an assessor-ready document while keeping the process manageable.
Step 1: Define Your CUI Asset Boundary First
Your IRP can only be scoped correctly if you know exactly which systems, data flows, and personnel are in scope for CUI handling. Before drafting a single procedure, complete or update your CUI scoping exercise. This work feeds directly into your SSP system boundary, and your IRP scope must match it.
Step 2: Map Your IRP to NIST 800-171 3.6.x Controls
Every section of your plan should be traceable to a specific control. Use a simple cross-reference table that maps plan sections to NIST 800-171 control numbers and their corresponding CMMC practices. This table becomes evidence during your assessment and demonstrates that the plan was designed for compliance, not assembled generically.
Review the full CMMC Level 2 requirements to ensure your IRP addresses each IR domain practice individually.
Step 3: Develop Scenario-Specific Playbooks
A plan that describes incident response in general terms will not satisfy an assessor asking how your team would respond to a ransomware event at 2 AM on a Saturday. Build playbooks for at least three scenarios: ransomware and destructive malware, phishing-initiated credential compromise, and CUI data exfiltration. Each playbook should be a self-contained reference that a trained IRT member can execute without consulting the full plan document.
Step 4: Conduct an Annual Tabletop Exercise
IR.L2-3.6.3 requires testing your incident response capability. A tabletop exercise, where key stakeholders walk through a simulated incident scenario in a structured discussion, satisfies this requirement and generates the documentation assessors will ask for. Run at least one tabletop annually, document it with an exercise summary and attendance records, and capture identified gaps for remediation.
Step 5: Update After Every Incident and Major Infrastructure Change
An IRP that was accurate 18 months ago and has not been touched since is a liability. Assign a review owner, establish a formal annual review cycle, and require updates after any significant network or system change, any personnel change in the IRT, or any actual incident. Version control your plan and retain prior versions.
All of this work feeds directly into your broader CMMC audit preparation process. An IRP that is consistently maintained generates far less remediation work in the months before an assessment.
Common Incident Response Failures That Surface in CMMC Assessments
Based on what CMMC assessors consistently flag, the following deficiencies appear most frequently in organizations that believed their IRP was compliant:
- The plan exists but personnel have not read it. IRT members cannot articulate their roles or the reporting timeline. This fails the interview component of the assessment.
- Roles are assigned to former employees. Personnel changes are common; plan maintenance often is not. An IRT roster with departed staff is an immediate finding.
- No documented tabletop exercise. Without dated records of an IR exercise, including agenda, participants, scenarios, and findings, assessors cannot verify that the plan has been tested.
- Reporting procedures reference outdated processes. This is a live example: the DIBNet portal was retired in 2025 and reporting moved to DC3 and DCISE. Plans written a few years ago point at a portal that no longer works.
- IRP scope does not match the SSP system boundary. If your SSP defines a boundary that includes cloud systems or remote access infrastructure your IRP does not address, both documents have a deficiency.
- No media preservation policy. The 90-day system image preservation requirement under DFARS is a standalone obligation that many IR plans omit entirely.
- Incident response treated as an IT function only. Effective IR for defense contractors is simultaneously a technical, legal, and contractual function. Plans that lack legal notification procedures and Contracting Officer communication protocols are incomplete.
What a CMMC Assessor Will Look For in Your IRP
CMMC Level 2 assessors use three evidence methods: examine, interview, and test. Your IRP must satisfy all three.
Examine. The assessor will review your documented IRP, supporting playbooks, exercise records, after-action reports, and any incident logs. Documentation must be current, version-controlled, and internally consistent with your SSP.
Interview. Assessors will speak with members of your IRT, asking them to explain the reporting timeline, their role in a specific scenario, and how they would escalate an event. A well-written plan does not compensate for personnel who cannot speak to it from operational familiarity.
Test. For the IR domain, the test method is typically satisfied through tabletop exercise documentation. Assessors want to see that the plan has been exercised against realistic scenarios and that findings from those exercises have been incorporated.
The standard assessors apply is not perfection. It is operational credibility. An organization that can demonstrate a practiced, documented, and regularly reviewed incident response capability will satisfy the IR domain even if individual procedures need refinement. An organization that presents a polished document with no operational evidence behind it will not.
Build a Response Program, Not Just a Document
An effective incident response plan for defense contractors is not a compliance artifact that lives in a shared drive. It is a living program, scoped to your actual CUI environment, staffed with trained personnel, tested through regular exercises, and updated to reflect the threats your organization faces.
Meeting the CMMC incident response requirements and the DFARS 72-hour reporting obligation requires that investment. A well-structured IRP, built once and maintained consistently, remains the foundation of your compliance posture through CMMC assessments, contract renewals, and evolving DoD requirements.
The consequences of an underprepared response, including missed reporting windows, assessor findings, and potential contract liability, significantly outweigh the cost of building the program correctly from the start.
Download Nexeris’s free Incident Response Plan Template, built to the CMMC Level 2 IR domain and DFARS 252.204-7012 requirements, with scenario-specific playbook sections and a current DoD reporting checklist. Get the free template here.
Or, if you would prefer a direct review of your existing IRP and IR program by our CMMC consultants, schedule a CMMC readiness consultation to identify gaps before your assessor does.
