Building a Bulletproof Incident Response Plan
Chapter 1
The Core of Incident Response Plans
Eric Marquette
Welcome back to CMMC Unlocked, the go-to spot for all things compliance and cybersecurity. I’m Eric Marquette, here with Ruby, Paul, and Roz—and today we’re rolling up our sleeves on incident response plans. Now, last time out we talked a lot about simulation-based training, but today we're zooming in on what makes an actual incident response plan tick, especially through the NIST lens. Paul, why don’t you get us started with the basics as NIST lays them out?
Paul Netopski
Absolutely, Eric. The backbone here is NIST Special Publication 800-61 Rev 2, which details the structure of an effective incident response plan. They break it into clear phases—preparation, detection and analysis, containment, eradication, and recovery. Think of it as a lifecycle, not just a checklist. Preparation is all about readiness: defining what constitutes an incident, assembling your team, and setting up communication protocols. Detection and analysis is where you figure out something’s wrong, ideally as quickly as possible. Containment is about stopping the bleeding so to speak, while eradication is removing the root cause, and then finally, recovery brings your systems back to normal operations. And an often-overlooked piece: documenting everything as you go.
Ruby Sturt
Right, and just to add—if you’re handling Controlled Unclassified Information or working toward CMMC certification, NIST SP 800-171 Rev 2 actually makes documenting, reviewing, and keeping those procedures up to date a requirement. It’s not a “nice-to-have,” it’s a “must-or-no-contract-for-you” kind of situation, especially with the latest DoD pushes. So you’ll need to test your plan and update it whenever there’s a significant change, or after any incident, big or small.
Roz the Rulemaker
Let’s not forget, those requirements aren’t just paperwork—there’s legal teeth here. Under DFARS and CMMC, regular review and testing are what’s going to show auditors, or, in a worst-case scenario, the government, that you're walking the walk. And I’ve seen contractors trip up when they treat incident response as a static binder on a shelf, instead of a living, breathing program that needs revisiting.
Paul Netopski
You’re spot on, Roz. Let me share a quick case—you remember that small defense contractor we worked with last year, the one with maybe fifteen IT staff across three states? We started by mapping out their roles—who’s the decision maker, who’s got the authority to pull the plug, who contacts their MSSP or the Feds—right down to legal and public relations reps. We wrote everything out and put together a solid tabletop communications plan. The big win was actually doing a review every quarter, not just annually. We found and corrected half a dozen gaps in call trees and privilege escalation chains just because people had shifted roles. It’s those real reviews and properly-documented responsibilities that make a plan NIST-compliant—and genuinely actionable when things go sideways.
Eric Marquette
I like that—making it real by weaving those roles into the day-to-day rather than waiting for things to break. And, Ruby, you hit the nail on the head—it’s about keeping things fresh. That brings us nicely over to how we keep these plans resilient. Let’s jump into testing and best practices, shall we?
Chapter 2
Testing and Best Practices for Stronger Response
Ruby Sturt
Oh, I love this bit—mainly because I’ve definitely learned the hard way. You know, it’s wild how many folks whip up a flashy doc and call it their response plan, but then never test it until something explodes. But testing is everything! Tabletop exercises—super helpful, even if they start with “let’s imagine”. Only, here’s the kicker: we once had this big laptops-around-the-room exercise, scenario gets rolling... and five minutes in, the WiFi drops out. Everyone’s panicking—in the fake scenario and in real life! It was a disaster, and honestly? Best lesson ever. If you don’t test with real-world variables, you have no idea if your plan actually works.
Paul Netopski
That’s classic, Ruby. And testing isn’t just tabletops—NIST suggests mixing in red teaming and live simulations when possible. The more you blend in actual technical disruptions or unexpected situations, the more resilient your plan gets. Red teaming lets you spot gaps that would escape even the best policy reviews. And for CMMC, regular plan review and update is central to compliance, but also to surviving a real attack. All your documentation—who did what, when, and why—should be thorough because, in an audit, if you can’t produce records, it didn’t happen as far as assessors are concerned.
Roz the Rulemaker
And I’d add: the best plans align updates and procedures with threats as they evolve. That means if your business hits a new market or adopts new tech, your IRP needs to reflect that shift. Plus, incident response isn’t just for your IT folks. Involving legal, PR, HR, and facilities? That’s not just bureaucracy, it’s best practice. Cross-departmental roles build resilience. The documentation piece Ruby mentioned—it protects you not only from operational chaos, but also from regulatory headaches during an audit or review down the line.
Eric Marquette
And don’t forget the after-action reviews. As we touched on in our previous episode, honest post-incident or post-test reviews are where the best improvements come from. They keep you learning, iterating, and actually closing the loop. It’s a bit like sticking around after the game to watch the replay and figure out what happened—except the stakes are much, much higher! All right, let’s take this a step further: How do you bring outside experts and your MSSP into the fold so they add real value—before, during, and after an incident?
Chapter 3
Integrating Your MSSP and Expert Support
Roz the Rulemaker
Great segue, Eric. You know, for most defense contractors—especially smaller ones—partnering with an MSSP isn’t just a cost save, it’s a compliance multiplier. But integration is the name of the game. Your MSSP can’t just be a phone number for emergencies; they’ve got to be looped into your response plans and ongoing exercises. That means documented workflows, clear lines for sharing threat intelligence, and testing those connections regularly. Leaving your MSSP on the sideline during exercises? That’s a missed opportunity and potentially a compliance risk.
Paul Netopski
Right, Roz. For example, providers like Vertek take this a step further. They deliver managed XDR, which means 24x7 monitoring by actual people—not just algorithms—and hands-on support for ransomware response, including compliance-ready docs and even orchestrated recovery exercises. What matters is their ability to unify security controls—identity, endpoint, SIEM—so detection, investigation, and response are seamless. For CMMC, having all this integrated and documented simplifies assessments too. And, crucially, Vertek offers regular, real-world ransomware scenario tests, so your playbooks aren’t just theory—they’re field-tested. That’s something we routinely advise: make the MSSP a core part of your IRP, not just a service you call when alarms go off.
Eric Marquette
Yeah, and just to make this practical, I saw one defense customer cut their ransomware recovery downtime from over three weeks to less than a week by involving their MSSP—Vertek, in this case—from the ground up. By including them in all the quarterly plan reviews and scenario exercises, they already knew the systems, the contacts, and even the quirks of the environment. So when the worst happened, the response wasn't just faster, it was almost automatic. Having their hands in every stage—from policy tweaks to technical recovery—meant there were no nasty surprises, and every document, every artifact, was ready for the next compliance check.
Ruby Sturt
That’s it! And honestly, when you stitch all of this together—NIST structure, real testing, and an integrated MSSP—it just makes the whole incident response process smoother. Even if, ahem, your WiFi betrays you mid-scenario. Anyway, folks, thanks for sticking with us through another meaty episode. There’s plenty more to unpack in coming weeks, so keep those questions coming.
Roz the Rulemaker
Glad to be here, everyone. Remember, a robust incident response plan isn’t just a compliance checkbox, it’s the backbone of cyber resilience. See you all next time!
Paul Netopski
Always a pleasure—stay vigilant out there, and don’t settle for theory when practice will save your hide. Until next episode.
Eric Marquette
And it’s goodbye from all of us at CMMC Unlocked. Take care, Ruby, Paul, Roz—looking forward to the next roundtable!
Ruby Sturt
Catch ya later, team! And don’t forget—test your backups before you need them. Cheers!
