CMMC IR.L2-3.6.1 · 3.6.2 · 3.6.3 · NIST 800-61

Incident response tabletops that pass C3PAO assessment — the methodology, the scenarios, the after-action evidence

A well-run IR tabletop with a structured After-Action Report satisfies three CMMC Level 2 incident response controls in one defensible record. The contractors who fail are the ones whose tabletop was theatre — improvised scenario, narrative AAR, no MITRE overlay, no signoff. This guide explains the methodology assessors expect.

What separates an assessment-ready tabletop from theatre

  • Scenario designed against a real threat model — MITRE ATT&CK tagged, not improvised.
  • Live capture of decisions and timestamps — not narrative recall reconstructed days later.
  • Structured After-Action Report with corrective actions, owners, target dates, and approver signoff.

01 — The controls

Three Level 2 controls a good tabletop satisfies at once

IR.L2-3.6.1

Establish IR capability

Documented IR plan, defined roles and responsibilities, named team members, training program, and exercise cadence. The plan must exist in writing and be reasonably current.

IR.L2-3.6.2

Track, document, report incidents

Incidents and IR activities are tracked, documented, and reported. Every inject decision in a tabletop, every actual incident response, every after-action — timestamped and recorded in a system the assessor can read.

IR.L2-3.6.3

Test the IR capability

Periodic testing of the IR capability — tabletop, walkthrough, or functional exercise. Methodology and rationale captured in the AAR. The exercise itself is the control; the AAR is the evidence.

02 — Scenarios

Six scenarios worth running

Ransomware with CUI staging

Attacker has staged encrypted CUI for exfiltration prior to detonation. Tests detection, containment, payment-policy decision, recovery, and the harder question of whether to notify the contracting officer.

Vendor / MSP compromise

A managed service provider with privileged access is compromised. Tests trust boundary, scope determination, third-party coordination, and the inheritance assumptions in your SSP.

Insider exfiltration via cloud storage

An employee with legitimate access stages CUI to personal cloud storage. Tests detection, evidence preservation, HR/legal coordination, and the DFARS 252.204-7012 reporting clock.

Account compromise to admin

A standard account is compromised and escalated to admin via misconfiguration. Tests detection time-to-alert, credential rotation discipline, and the lateral-movement assumptions in your boundary diagram.

Lost or stolen device with CUI cache

A workstation or laptop with cached CUI is lost. Tests encryption-at-rest assumptions, remote-wipe capability, the inventory accuracy of what was on the device, and the timing of the contracting officer notification.

Supply-chain compromise of a deployed tool

A third-party tool in your stack pushes a malicious update. Tests SBOM completeness, blast-radius determination, the difference between vendor-disclosed and self-discovered, and the coordination model with the vendor.

03 — Methodology

Six-step runbook from scope to evidence bundle

01

Scope and scenario

Define what part of the IR capability you are testing. Choose a scenario that tests it — not a scenario the team can handle in their sleep. Pre-brief participants on rules of engagement.

02

Inject design

Script 6 to 8 injects over the exercise window. Each inject is a discrete event (alert, escalation, customer call, exfil notice) that forces a decision. Tag each to a MITRE ATT&CK technique where applicable.

03

Facilitation

Live facilitator console drives the inject sequence and captures decisions in real time. Side conversations between participants are part of the exercise; the facilitator surfaces them into the record.

04

Hot wash

Immediately after the exercise, structured debrief: what worked, what surprised you, what gaps were exposed, what would you do differently? Findings are captured live, not reconstructed from memory days later.

05

After-Action Report

Structured AAR drafted from the decision timeline and hot-wash findings. Corrective actions assigned with owners and target dates. Approver signoff captured in the artifact.

06

Evidence bundle

AAR plus supporting artifacts (scenario script, decision log, participant roster, MITRE mapping) exported as the offline evidence bundle. This is what the C3PAO assessor opens for IR.L2-3.6.3.
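As an added example (not code from the page or from the MacTech kit), the following Python check applies the runbook's completeness criteria from steps 02 through 06 to a constructed evidence bundle: every inject carries an ATT&CK technique id, every decision is timestamped and references a known inject, every corrective action has an owner and a target date, and the AAR carries an approver signoff. The bundle layout, field names and sample values are assumptions made for the example.

```python
from datetime import datetime
import re

TECHNIQUE_RE = re.compile(r"^T\d{4}(\.\d{3})?$")  # e.g. T1078 or T1078.004

# Constructed sample bundle: ids, names and timestamps are illustrative.
SAMPLE_BUNDLE = {
    "injects": [
        {"id": 1, "event": "EDR alert: known account used from new host", "attack": "T1078"},
        {"id": 2, "event": "Archive of the CUI share appears on a file server", "attack": "T1560"},
        {"id": 3, "event": "Ransom note dropped on the file server", "attack": "T1486"},
    ],
    "decisions": [
        {"inject": 1, "at": "2024-05-02T09:05", "by": "IR lead", "decision": "Isolate host"},
        {"inject": 2, "at": "2024-05-02T09:20", "by": "IR lead", "decision": "Preserve share, start reporting clock"},
        {"inject": 3, "at": "", "by": "CISO", "decision": "Notify contracting officer"},
    ],
    "corrective_actions": [
        {"finding": "No remote wipe for laptops", "owner": "IT manager", "due": "2024-07-01"},
        {"finding": "Contracting officer contact list stale", "owner": "", "due": "2024-06-01"},
    ],
    "approver": {"name": "", "signed_at": ""},
}

def _is_timestamp(value):
    # Accept ISO 8601 dates or datetimes; anything else (None, "") is a gap.
    try:
        datetime.fromisoformat(value)
        return True
    except (TypeError, ValueError):
        return False

def check_bundle(bundle):
    """Return the gaps an assessor would flag; an empty list means complete."""
    gaps = []
    inject_ids = {inj["id"] for inj in bundle.get("injects", [])}
    for inj in bundle.get("injects", []):
        if not TECHNIQUE_RE.match(inj.get("attack", "")):  # step 02: MITRE tag per inject
            gaps.append(f"inject {inj['id']}: missing or malformed ATT&CK technique")
    for dec in bundle.get("decisions", []):  # step 03: live, timestamped decision log
        if dec.get("inject") not in inject_ids:
            gaps.append(f"decision '{dec['decision']}': references an unknown inject")
        if not _is_timestamp(dec.get("at")):
            gaps.append(f"decision '{dec['decision']}': no timestamp")
    for act in bundle.get("corrective_actions", []):  # step 05: owner and target date
        if not act.get("owner") or not _is_timestamp(act.get("due")):
            gaps.append(f"corrective action '{act['finding']}': missing owner or target date")
    signoff = bundle.get("approver") or {}  # step 05: approver signoff in the artifact
    if not signoff.get("name") or not _is_timestamp(signoff.get("signed_at")):
        gaps.append("AAR: no approver signoff")
    return gaps
```

Run against the sample, the check reports three gaps (an undated decision, an unowned corrective action, and a missing signoff), which is exactly the kind of record the guide describes as theatre rather than evidence.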

04 — The MacTech kit

A single-tenant platform for the full tabletop lifecycle

AI custom scenario generation

Describe an incident specific to your environment — supply-chain compromise, insider exfiltration, vendor MSP breach. Claude drafts a CMMC-aligned tabletop with 6–8 injects, MITRE tagging, and objective pass criteria. You review and refine before saving.

Seeded scenario library

Four production-ready scenarios out of the box (ransomware, account compromise, lost device, insider). Each runs at Management, Mixed, or Technical difficulty — same scenario, audience-appropriate framing.

Live facilitator console

Drive the inject sequence in real time. Capture decisions, side conversations, and findings as they happen — not from memory days later. Single-tenant URL, no shared infrastructure.

C3PAO-ready evidence bundle

Structured AAR, scenario script, decision log, participant roster, MITRE mapping — exported as a single offline bundle sized for the assessor binder. Maps to IR.L2-3.6.1, 3.6.2, and 3.6.3.

06 — Questions

IR tabletops — frequently asked

What is an incident response tabletop exercise?

A tabletop exercise is a discussion-based simulation in which an incident-response team works through a hypothetical security incident — typically 6 to 8 scripted injects over 90 minutes to 4 hours — explaining what they would do, what tools they would use, and who they would contact at each decision point. It is not a live attack simulation; no production systems are touched. The output is a documented record of decisions, gaps, and corrective actions.

Why do CMMC assessors care about tabletop exercises?

Three Level 2 controls hinge on it. IR.L2-3.6.1 requires an established incident-response capability. IR.L2-3.6.2 requires that incidents and IR activities be tracked, documented, and reported. IR.L2-3.6.3 requires periodic testing of the IR capability — and the canonical, lowest-cost form of test for most contractors is a tabletop. A well-run tabletop with a documented after-action report (AAR) satisfies all three controls in a single, defensible record.

How often should we run an IR tabletop?

NIST SP 800-61 Rev 2 recommends at least annually. CMMC L2 does not specify a frequency but assessors expect to see a documented cadence — most contractors run one major tabletop annually plus one or two shorter focused exercises (e.g. a ransomware drill, a vendor-MSP-breach walkthrough). The cadence itself is a control; running zero tabletops in 24 months is a meaningful finding regardless of how good the IR plan looks on paper.

What should the scenario cover?

A scenario worth running tests the parts of your IR capability you most worry about — not the ones easiest to defend. Common high-value scenarios: ransomware with CUI staging, vendor or MSP compromise reaching your CUI enclave, insider exfiltration via cloud storage, lost or stolen device with CUI cache, account compromise into an admin role. The right scenario for your firm depends on your environment, your CUI handling pattern, and the threat model your assessor would scrutinize.

What is an after-action report (AAR) and why does it matter?

The AAR is the formal record of the tabletop — scenario summary, participant roster, decision timeline, identified gaps, corrective actions with owners and target dates, and approver signoff. It is the artifact a C3PAO reads to verify IR.L2-3.6.3 was satisfied. AARs that are narrative recall — "the team handled it well, we found a few things to improve" — are routinely flagged as insufficient. AARs that are structured records with timestamps and signatures survive assessment scrutiny.

How does MITRE ATT&CK fit into a tabletop exercise?

Tagging each attacker inject to a MITRE ATT&CK technique (e.g. T1078 Valid Accounts, T1486 Data Encrypted for Impact) does three things for the assessor: it shows the scenario was designed against a real threat model rather than improvised; it lets defenders map their response back to specific tactic categories (initial access, persistence, exfiltration); and it produces an AAR that reads as a threat-informed exercise rather than a generic drill. MITRE overlay is increasingly an expectation at the L2 level, not a differentiator.

Can we run a tabletop ourselves or should we use a facilitator?

Both are valid. A self-run tabletop is cheaper and builds internal capability, but the team that designed the scenario tends to handle it well — defeating the diagnostic value of the exercise. A facilitated tabletop costs more but produces sharper findings, AAR rigor that holds up at assessment, and an outside perspective on gaps the internal team has normalized. The right pattern for most CMMC L2 contractors is one facilitated major exercise each year plus one or two internally run focused drills.

What does the MacTech IR Tabletop Kit provide?

A single-tenant SaaS workflow for end-to-end exercise execution: wizard-driven scenario planning, AI custom scenario generator (Claude-drafted CMMC-aligned scenarios specific to your environment), seeded library of four production-ready scenarios at three difficulty levels, live facilitator console, MITRE ATT&CK overlay, structured AAR drafting with approver signoff, and an offline evidence bundle export sized for the C3PAO assessor binder. Maps directly to IR.L2-3.6.1, 3.6.2, and 3.6.3 in one defensible artifact set.

Run a CMMC-aligned tabletop in the next 30 days

Pick a scenario, schedule a facilitator, walk out with an assessment-ready After-Action Report. The kit handles the workflow; MacTech handles the design and the AAR rigor.