bigforceone

IR.L2-3.6.1: Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.

What this control requires

Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.

Source: CMMC L2 v2.13 IR.L2-3.6.1 / NIST SP 800-171 R2 3.6.1 (official control text).

Why this matters

Incident response is your organization's plan for when — not if — a security event occurs. Without a structured capability covering preparation, detection, analysis, containment, recovery, and user response, breaches escalate into disasters. This control ensures you have defined processes, trained personnel, communication channels, and technical tools ready before an incident strikes. It protects business continuity, limits damage from compromised systems, preserves forensic evidence for investigation, and ensures users know how to recognize and report suspicious activity. Organizations without operational incident handling lose critical response time, make containment decisions under panic, and often violate regulatory notification requirements.

What evidence assessors expect

Assessors typically look for: PDF, screenshot, training certificate. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
