CMMC Deep Dive: Incident Response (IR)
A detailed guide to the Incident Response (IR) domain, covering preparation, analysis, containment, and recovery.
Published: June 25th, 2024 | By: CMMC Dashboard Team | Last updated: August 7th, 2025
This article is part of our series on The 14 CMMC Domains.
The Incident Response (IR) domain establishes the need for a formal capability to handle security incidents. It's not a matter of if an incident will occur, but when, and this domain ensures you are prepared.
Why It Matters
A well-executed incident response plan can significantly reduce the impact of a breach, including financial loss, reputational damage, and operational downtime. For DoD contractors, incident response also carries specific reporting requirements.
Key Practices
- IR.L2-3.6.1: Establish an operational incident handling capability.
- IR.L2-3.6.2: Track, document, and report incidents to appropriate officials.
- IR.L2-3.6.3: Test the incident response capability.
What Assessors Look For
- A formal, documented Incident Response Plan (IRP).
- An officially designated Incident Response Team (IRT) with defined roles.
- Records of past incidents and how they were handled.
- Evidence of IRP testing (e.g., tabletop exercise reports).
- Proof of reporting to DIBNet, as required by DFARS.