NIST SP 800-171 Rev 2 requirement 3.6.3 mandates that organizations test their incident response capability to ensure it is operational, effective, and capable of handling real-world cyber incidents involving controlled unclassified information (CUI). Testing must be periodic and purposeful, validating that personnel know their roles, that tools and communication channels function as expected, and that the organization can execute detection, containment, analysis, and recovery steps. Testing may take the form of tabletop exercises, functional drills, full-scale simulations, or reviews of after-action reports from actual incidents. Results of testing must be documented and used to identify gaps, update the incident response plan, and improve organizational readiness. This practice directly supports the broader requirement (3.6.1) to establish an operational incident-handling capability and ensures that capability does not exist only on paper.
Where it stops · what it isn't
- This practice does not require organizations to establish the incident response plan itself; that is covered by IR-L2-3.6.1
- This practice does not mandate a specific testing frequency or prescribe a single testing methodology; organizations have discretion in choosing appropriate test types
- This practice does not cover incident reporting to external authorities such as US-CERT or the DoD; that is addressed by IR-L2-3.6.2
- This practice does not require penetration testing or red team engagements, though those may satisfy the requirement if scoped to IR capability validation
- This practice does not govern the content or structure of the incident response plan, only whether the plan and its execution have been tested and validated
Connected concepts in the graph
Every cubelet sits in a knowledge graph. Here's what this one connects to.
PART OF: domain/incident-response