NIST SP 800-171 Incident Response Test

Incident Response Testing for NIST SP 800-171 & CMMC 2.0

Use our incident response tests to meet requirement 3.6.3.

NIST SP 800-171 & CMMC 2.0 Control 3.6.3 requires that you “Test the organizational incident response capability.”

By testing your incident response capability, you identify any weaknesses in your incident response plan. This helps you improve your incident response plan in preparation for a real incident.
One method for testing your incident response plan is to use “tabletop exercises.” According to the NIST glossary, a tabletop is “a discussion-based exercise where personnel with roles and responsibilities in a particular IT plan meet in a classroom setting or in breakout groups to validate the content of the plan by discussing their roles during an emergency and their responses to a particular emergency situation. A facilitator initiates the discussion by presenting a scenario and asking questions based on the scenario.”

Tabletop Exercise Scenarios You Can Use

Scenario 1: Lost USB Drive

John is a VP at ACME. The company prohibited the use of removable storage devices on all computers with the exception of a few employees who have a valid business need. One of the users with the exception was John. John is supposed to use an encrypted USB drive; however, John was recently using an unencrypted device to store company data. After a business trip, John noticed that he had lost his USB drive. John immediately reported the lost USB drive to ACME’s incident response team.
As the incident response team, what is the first action you would take?
What is our organization’s policy on removable storage devices?
What security controls do we have in place to restrict the use of removable storage devices?
What could have been done to prevent the incident involving John?

Scenario 2: Compromised User Account

Adam received a phishing email asking him to reset his Microsoft 365 password. The email appeared to come from Microsoft. Adam clicked the link and entered his old and “new” password on the form. Adam later noticed that his “new” password was not working so he contacted IT and informed them that he had just reset his password. IT checked the password reset logs and discovered that the password was not recently reset. Adam explained that he received an email where he clicked a link and “reset” his password. IT informed Adam that it was a phishing attack.
As the incident response team, what actions would you take to contain and recover from this incident?
What actions can we take to prevent this incident from occurring again?

Scenario 3: Unauthorized Access - Piggybacking

Sarah was entering the office using her keycard; behind her was a man carrying several boxes of donuts. He was not wearing a company-provided badge. Sarah politely held the door open for him to enter the office. About 10 minutes later, the facility security officer noticed the man in the IT wiring closet. When asked who he was and why he was there, the man was unable to provide an adequate response and was escorted out of the building. Upon reviewing security camera footage, it was discovered that he entered the building using a piggybacking social engineering attack against Sarah.
As the incident response team, what actions would you take to respond to this incident?
How can we better prepare users for this type of attack?

Scenario 4: Unauthorized Configuration Change

Bill is the system administrator at ACME. This morning the helpdesk received a few requests to share OneDrive files externally. Currently, OneDrive files can only be shared with whitelisted domains. To “resolve” the tickets, Bill adjusted the SharePoint/OneDrive file sharing settings to allow file sharing with anyone. Upon reviewing various logs and reports, Doug, ACME’s cybersecurity analyst, noticed that files were being shared with unauthorized external users.
What policy did Bill violate?
How should the incident be handled?
What should we do with Bill?
Do we have sufficient security controls in place to prevent these types of incidents?
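Scenario 4 turns on someone noticing, in the logs, that the sharing policy changed and that files went to domains outside the whitelist. The following added example (not part of the original page, and not a real Microsoft 365 audit export schema) shows the kind of review Doug could automate: it walks constructed, simplified sharing-audit records and flags policy changes, anonymous links, and shares to domains that are not on the allowlist.

```python
import json

# Constructed sample records in a simplified JSON-lines format (assumed, not the
# real Microsoft 365 unified audit log schema). Actors, files and domains are invented.
SAMPLE_LOG = """
{"time":"2024-05-01T08:02:11Z","op":"SharingPolicyChanged","actor":"bill@acme.example","old":"AllowlistedDomains","new":"Anyone"}
{"time":"2024-05-01T08:10:42Z","op":"SharingSet","actor":"james@acme.example","file":"/Shared/roadmap.docx","target":"pat@partner.example"}
{"time":"2024-05-01T08:15:03Z","op":"SharingSet","actor":"james@acme.example","file":"/Shared/pricing.xlsx","target":"buyer@unknown.example"}
{"time":"2024-05-01T08:20:19Z","op":"AnonymousLinkCreated","actor":"bill@acme.example","file":"/Shared/contracts.pdf","target":"anyone"}
"""

# Domains ACME has approved for external sharing (constructed allowlist).
ALLOWED_DOMAINS = {"acme.example", "partner.example"}


def target_domain(target):
    """Return the lower-cased domain part of an e-mail style sharing target."""
    return target.rsplit("@", 1)[-1].lower()


def review_sharing_log(log_text, allowed_domains):
    """Return a list of (finding_type, actor, detail) tuples worth an analyst's attention."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        op = rec["op"]
        if op == "SharingPolicyChanged":
            # Any tenant-wide sharing policy change is a change-management event.
            findings.append(("policy_change", rec["actor"], f'{rec["old"]} -> {rec["new"]}'))
        elif op == "AnonymousLinkCreated":
            # "Anyone" links bypass domain restrictions entirely.
            findings.append(("anonymous_link", rec["actor"], rec["file"]))
        elif op == "SharingSet":
            # Named-recipient share: flag only when the recipient domain is not allowlisted.
            if target_domain(rec["target"]) not in allowed_domains:
                findings.append(("external_share", rec["actor"], f'{rec["file"]} -> {rec["target"]}'))
    return findings


if __name__ == "__main__":
    for kind, actor, detail in review_sharing_log(SAMPLE_LOG, ALLOWED_DOMAINS):
        print(f"{kind:15} {actor:22} {detail}")
```

The share to partner.example is silently accepted because that domain is allowlisted; the other three records each produce a finding.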

Scenario 5: Use of Unauthorized Cloud Storage

James is working with a customer and needs to share a large company document with them. He tried to share it with them using his company OneDrive, but the customer’s domain is not whitelisted in SharePoint/OneDrive. James decides to upload the company document to his personal Google Drive and shares it with the customer.
What did James do wrong?
Do we have a policy preventing personnel from using unauthorized cloud storage?
How do we respond to this incident?
What can we do to prevent the incident from reoccurring?

Discover Our Cybersecurity Compliance Solutions:

NIST SP 800-171 & CMMC Compliance

Whether you need to meet and maintain your NIST SP 800-171 & CMMC 2.0 compliance requirements, help your clients meet them, or verify sub-contractor compliance we have the expertise and solution for you.

HIPAA Compliance

Whether you need to meet and maintain your HIPAA compliance requirements or help your clients meet them we have the expertise and solution for you.