CMMC 2.0 — built on NIST SP 800-171 — requires defense contractors to establish and test an incident response capability and to train their workforce, while DFARS 252.204-7012 demands rapid reporting of cyber incidents to DoD. CyberICS provides 300+ ready-to-run tabletop scenarios, AI-generated After Action Reports, and audit-ready evidence — so contractors handling FCI and CUI can demonstrate IR and training maturity to a C3PAO or DIBCAC assessor.
CMMC 2.0 has three levels keyed to the sensitivity of the information a contractor handles. Every company in the DoD supply chain — prime or sub — falls into one, and incident-response testing and training run through all of them.
Contractors that process, store, or transmit Federal Contract Information (FCI) must implement the 17 Level 1 practices (FAR 52.204-21) and self-assess annually with a senior-official affirmation in SPRS.
Contractors handling Controlled Unclassified Information must implement the 110 NIST SP 800-171 controls (Level 2 — third-party C3PAO assessment every 3 years for prioritized CUI), with Level 3 adding enhanced NIST SP 800-172 controls under DIBCAC assessment for the highest-priority programs.
CMMC protects CUI; NISPOM (32 CFR 117) governs classified work and insider threat. Most defense contractors carry both. CyberICS runs the incident-response and training exercises — and produces the evidence — for each, in one place. See the companion NISPOM / DCSA toolkit →
CMMC 2.0 Level 2 mirrors the 110 NIST SP 800-171 controls across 14 families. Tabletop exercises directly satisfy the incident-response-testing and training requirements, support DFARS 7012 reporting readiness, and generate evidence for several more families.
| Domain / Ref | Family | Requirement Summary | CyberICS Capability | Coverage |
|---|---|---|---|---|
| IR.L2-3.6.1/.2/.3 | Incident Response (IR) | Establish an operational incident-handling capability and test the organizational incident-response capability | Live Session mode executes structured IR exercises end-to-end; the AI AAR documents detection, containment, eradication, and recovery — the test record IR.L2-3.6.3 requires | Core |
| AT.L2-3.2.1/.2/.3 | Awareness & Training (AT) | Security awareness for all users and role-based training for those with security duties; insider-threat awareness | Exercises are recurring, role-based training with per-participant completion records; insider-threat scenarios reinforce AT.L2-3.2.3 | Core |
| DFARS 252.204-7012 | Cyber-Incident Reporting | Rapidly report cyber incidents affecting covered defense information to DoD (DIBNet) within 72 hours; preserve media | The DFARS reporting drill rehearses the 72-hour report decision, content, and DIBNet submission under realistic pressure | Core |
| CA.L2-3.12.1/.2/.4 | Security Assessment (CA) | Assess controls periodically, develop and update a POA&M, and maintain a system security plan | AARs and Gap Analysis feed the POA&M with prioritized, dated corrective actions; exercise history evidences ongoing assessment activity | Supporting |
| RA.L2-3.11.1 | Risk Assessment (RA) | Periodically assess risk to operations, assets, and individuals | Scenario-driven exercises surface real risk and control gaps that inform the periodic risk assessment | Supporting |
| AC.L2-3.1 | Access Control (AC) | Limit system access to authorized users, processes, and devices; least privilege | Insider and privilege-escalation scenarios exercise access-control response; AARs flag access-management gaps | Supporting |
| SI.L2-3.14 | System & Information Integrity (SI) | Identify, report, and correct flaws; protect against malicious code; monitor alerts | Ransomware and malware scenarios exercise flaw/alert response; AARs document integrity-monitoring gaps | Partial |
| AU.L2-3.3 | Audit & Accountability (AU) | Create and retain audit logs; review and analyze for indications of inappropriate activity | Timestamped session transcripts and exercise activity provide an auditable accountability record | Partial |
| CM.L2-3.4 | Configuration Management (CM) | Establish and maintain baseline configurations and inventories | Scenario content references configuration and asset-management gaps; AAR flags CM weaknesses surfaced in play | Partial |
Three core capabilities work together to deliver, document, and evidence your incident-response and training objectives for a C3PAO or DIBCAC assessment.
Live Session mode runs real-time, multi-participant IR exercises. Every step, response, and host action is timestamped — producing the incident-response test record and the training-participation evidence CMMC requires.
Immediately after each exercise, CyberICS generates a structured AAR documenting the response, gaps, and CMMC / 800-171 control references — the artifact that proves your IR capability was tested and what it found.
The Compliance Dashboard assembles a CMMC evidence package — IR test records, training completion, control-coverage map, and a POA&M-ready gap list — so you walk into the assessment with the IR and AT evidence already built.
Six high-fidelity scenarios built around CUI protection, incident response, and DFARS reporting — ready to run with AI facilitator briefing included.
A targeted phishing campaign harvests credentials and reaches the CUI enclave. Exercises detection, containment, and the DFARS 252.204-7012 reporting decision under time pressure.
Ransomware encrypts the environment that stores covered defense information, threatening delivery and recovery. Tests incident response, continuity, and reporting obligations.
A confirmed compromise of covered defense information triggers the 72-hour clock. The team must scope impact, preserve media, and submit the rapid report to DoD via DIBNet.
A trusted subcontractor or managed service provider with access to your CUI is breached, creating a pivot risk. Exercises cross-organization coordination and reporting flow-down.
A cleared employee mishandles or exfiltrates CUI, intentionally or through negligence. Exercises access-control response, reporting, and the awareness-training gaps it reveals.
CUI is discovered in an unauthorized cloud or collaboration tool that does not meet 800-171 / FedRAMP-equivalent requirements. Tests containment, spill response, and reporting.
Plus 300+ additional ICS/OT and enterprise scenarios across the sectors the DIB operates in. Browse the full library →
Every CyberICS exercise generates four categories of evidence supporting CMMC 2.0 / NIST SP 800-171 incident-response and training demonstration during a C3PAO or DIBCAC assessment.
AAR + session log proving the incident-response capability was exercised — the artifact IR.L2-3.6.3 ("test the organizational IR capability") calls for.
Per-user participation and completion roster evidencing security awareness and role-based training activity.
Timestamped log of a 72-hour reporting drill — decision, content, and DIBNet submission steps — demonstrating reporting readiness.
Consolidated PDF: IR test record, training roster, 800-171 control-coverage map, and a POA&M-ready gap and remediation list.
CyberICS exercise evidence maps to multiple frameworks simultaneously. One exercise program — complete regulatory coverage.
Start with a free 14-day trial — no credit card required. Or speak with our DIB team about a standing CMMC 2.0 incident-response and training exercise program that pairs with your NISPOM obligations.
Also explore: NISPOM / DCSA Toolkit · NIST SP 800-82 Toolkit · CISA CTEP Toolkit