Conducting a test of one’s incident response plan is required under both the National Institute of Standards and Technology Special Publication 800-171 “Protecting Controlled Unclassified Information” (NIST SP 800-171) Section 3.6.3 and the Cybersecurity Maturity Model Certification (CMMC) IR.3.099.

Why is it important to conduct these exercises? Because presumption is the mother of all screw ups. To quote Mike Tyson, “Everyone thinks they have a plan until they are punched in the face.”

Whether it is CMMC or cybersecurity in general, history has shown us that misguided presumptions have been the Achilles’ heel in every enterprise system hack. Personally, I have been through this exercise probably ten times over the course of twenty years in cyber. I have always prided myself on creating work products that are actionable, repeatable, and legally defensible. To that end, I have seen where many organizations have made mistakes, and I like to apply those lessons learned in-house as well as to our clients.

Having said that, recent events were very enlightening, and this post will hopefully provide you some value.

The Basics

There are many templates that companies, or in this case Organizations Seeking Certification (OSCs), can use. NIST SP 800-171 and CMMC state that you must have an Incident Response Plan (IRP) but do not dictate its structure. There are, though, some “must haves” in an IRP, such as identifying who the critical stakeholders are in a crisis event, or what constitutes the trigger for the IRP, since not all cyber events qualify as an actual cyber “incident”.

Do you have a clearly defined escalation path with internal and external call trees?

Most of you probably have what you honestly believe is an accurate and complete IRP. But then again, this is why we test the IRP.

The Scenario

My gut tells me most people select “Ransomware” as the scenario. It is a good one, but depending on the level of expertise and maturity of the OSC, the reality of how it plays out may well dilute the value of the exercise.

We opted for a compromised BYOD smartphone that was tethered to a laptop (for charging). Subsequently, the performance of the employee’s laptop was noticeably affected, and logs showed encrypted files ranging between 500 MB and 2 GB going outbound to an IP address associated with an Amazon data center in Malaysia.
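As an added illustration (not part of the original post), this is the kind of egress check that separates an “event” from an “incident” in a scenario like the one above: it totals outbound bytes per host and destination and flags large transfers to destinations outside an allowlist. The log format, host names, destination addresses, threshold and allowlist are all constructed assumptions.

```python
"""Flag large outbound transfers to unexpected destinations (constructed example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of a firewall/proxy egress log: time, source host, dest IP, bytes out.
# 203.0.113.0/24 is a documentation range standing in for the external address.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z LAPTOP-17 203.0.113.20 734003200
2024-03-04T09:18:44Z LAPTOP-17 203.0.113.20 1288490188
2024-03-04T09:20:05Z LAPTOP-03 10.0.5.7 2147483648
2024-03-04T09:21:30Z LAPTOP-17 10.0.5.7 4096
2024-03-04T09:22:00Z LAPTOP-17 not-an-ip 12
"""

# Destinations the organization expects bulk transfers to go to (constructed allowlist).
ALLOWED_NETS = [ip_network("10.0.0.0/8")]
# Lower bound of the file sizes seen in the scenario (500 MB).
LARGE_BYTES = 500 * 1024 * 1024


def parse_log(text):
    """Yield (timestamp, host, dest_ip, bytes_out) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, host, dest, size = parts
        try:
            yield ts, host, ip_address(dest), int(size)
        except ValueError:
            continue


def suspicious_egress(text, threshold=LARGE_BYTES, allowed=ALLOWED_NETS):
    """Sum bytes per (host, destination); return totals over threshold to non-allowlisted IPs."""
    totals = defaultdict(int)
    for _ts, host, dest, size in parse_log(text):
        totals[(host, dest)] += size
    flagged = []
    for (host, dest), total in totals.items():
        if total >= threshold and not any(dest in net for net in allowed):
            flagged.append({"host": host, "dest": str(dest), "bytes": total})
    return sorted(flagged, key=lambda f: f["bytes"], reverse=True)


if __name__ == "__main__":
    for hit in suspicious_egress(SAMPLE_LOG):
        print(f"{hit['host']} -> {hit['dest']}: {hit['bytes']} bytes outbound")
```

The 2 GB transfer from LAPTOP-03 to an internal address is not flagged; only the aggregated external transfer from LAPTOP-17 is, which is the point at which analysts would start the IRP trigger discussion.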

The Fun Begins

For the sake of brevity, the end result was that the “event” was determined to warrant an “incident” after more analysis was done by our team. So now we initiate the external call tree plan as defined in our IRP. I am lucky that my CEO has an art background and created a clear and concise flow diagram that highlights who gets called and at what stage.

Part of the requirement under the Defense Federal Acquisition Regulations Supplement (DFARS) is that you have to notify the Defense Department within 72 hours at But what do you do between Hours 1-71? Here are some questions to consider:

  • Have you established a relationship with your local law enforcement Criminal Investigation Division (CID)?
  • Does your local law enforcement even have a CID with the capabilities to respond?

“I can call the FBI, right?”  – Depends

Unless your dollar value loss is over $250,000, expect a gentle hang up of the phone. If it is over $250,000, congrats! Take a number and get in line.

As a former police officer and detective, I can tell you most local agencies will merely look at it as an administrative task to create a police report. So, for all intents and purposes, look at your cyber event as a minor car wreck. You need the police because without a report number, the insurance will not validate the claim.

Lesson Learned – 17 minutes burned trying to get to the right person within the local police department only to be ultimately told “Call 911”.

  • Do you have cyber insurance? If yes, things to know:
  1. The policy you have likely includes incident response, forensics, containment, eradication and restoration.
  2. You may have contractual obligations to use whom the policy dictates. This is known as “a panel”. The panel is designed to deploy at a moment’s notice with pre-negotiated rates for incident response plus legal, breach notifications, and a slew of other features (depending on the policy).

Notice: Does your policy “ensure” that only U.S. citizens are part of the response team? Get it in writing! Think of how the DOD will look at your response if you advise that foreign nationals touched your CUI or even Level 1 rated systems.

Lesson Learned – 34 minutes burned. The number you call is NOT tied to your agent or underwriter. There is likely a hotline number, and even they may ultimately direct you to yet another number.

  • Are you using hosted solutions like Microsoft or Amazon?
  1. The number you call for the Microsoft GCC High environment is not the same as the commercial side.
  • Is your IRP in digital and paper format?
  1. Is it actively communicated in a way so all employees know exactly who to call/contact?
  2. Is the paper version in a conspicuous place?
  3. Does the IRP have the cyber insurance policy directly with it? This is not a must have but it sure as heck is nice to have at your fingertips when it hits the fan.
Lesson Learned – Create a charge code.

One widely overlooked aspect of preparing for a crisis event is the ability to accurately track the total amount of time, and therefore the costs, associated with internal burn rates. By establishing a charge code in advance, the impacted company can socialize with employees how to charge their time in a way that creates definitive objective evidence for claims purposes.

This exercise illustrated ways we can reduce our crisis management response time by over 50 minutes. Time aside, as the Mike Tyson quote above suggests, I am telling you, as a matter of history and biology, that human beings panic easily and quickly. Having the ability to run through a test like the one I just outlined reduces the stress and hysteria associated with unknown variables.

P.S. If you really want an IRP scenario, try using one in which your systems, assets, and people cause harm to another’s systems, and then validate your external call tree as well as your insurance. You may learn some interesting aspects of your insurance coverage, and its limitations for 3rd party damages.

To learn more about how to ensure your Incident Response Capabilities live up to your expectations, contact SoundWay for a free consultation at