IR.L2-3.6.3 — Test the organizational incident response capability.
What this control requires
Test the organizational incident response capability.
Source: CMMC L2 v2.13 IR.L2-3.6.3 / NIST SP 800-171 R2 3.6.3 (official control text).
Why this matters
Incident response plans fail in real crises if they've never been practiced. Testing reveals gaps in procedures, communication breakdowns, unclear roles, and missing tools before attackers exploit them. Regular exercises ensure responders know their playbooks, technical controls work as expected, and recovery timelines are realistic. Without testing, organizations discover critical flaws during actual breaches—when stakes are highest and improvisation replaces coordination. Effective testing transforms theoretical runbooks into muscle memory, identifies dependencies that documentation missed, and builds confidence that security incidents won't paralyze operations.
What evidence assessors expect
Assessors typically look for: PDF. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.