🛡️ CMMC 2.0 / DFARS Toolkit

Meet CMMC 2.0 & DFARS 252.204-7012 with
Ready-to-Run Incident Response Exercises

CMMC 2.0 — built on NIST SP 800-171 — requires defense contractors to establish and test an incident response capability and to train their workforce, while DFARS 252.204-7012 demands rapid reporting of cyber incidents to DoD. CyberICS provides 300+ ready-to-run tabletop scenarios, AI-generated After Action Reports, and audit-ready evidence — so contractors handling FCI and CUI can demonstrate IR and training maturity to a C3PAO or DIBCAC assessor.

IR.L2-3.6.1/.2/.3 — Incident response & testing
AT.L2-3.2 — Awareness & role-based training
DFARS 252.204-7012 — 72-hour reporting
NIST SP 800-171 — 110 controls, 14 families
Pairs with NISPOM (32 CFR 117)
Start Free — 14-Day Trial 📋 Take the CMMC 2.0 Readiness Assessment → Talk to Our DIB Compliance Team
Compliance & Handling Note: CyberICS exercises and evidence artifacts support CMMC 2.0 / NIST SP 800-171 incident response (IR) and awareness & training (AT) objectives and DFARS 252.204-7012 reporting readiness as part of a structured program. They are not a CMMC certification — that requires a self-assessment (Level 1) or a C3PAO / DIBCAC assessment (Levels 2–3). Do not enter actual Controlled Unclassified Information (CUI) into the platform; it is for unclassified training and exercise content and completion records.
Who CMMC 2.0 Applies To

From Federal Contract Information to Controlled Unclassified Information

CMMC 2.0 has three levels keyed to the sensitivity of the information a contractor handles. Every company in the DoD supply chain — prime or sub — falls into one, and incident-response testing and training run through all of them.

Level 1 — Foundational (FCI)

17 Practices · Annual Self-Assessment

Contractors that process, store, or transmit Federal Contract Information (FCI) must implement the 17 Level 1 practices (FAR 52.204-21) and self-assess annually with a senior-official affirmation in SPRS.

  • Commercial & non-CUI DoD suppliers
  • Lower-tier subcontractors handling FCI only
  • Basic access control, identification, and media protection
Exercises build the awareness & basic IR habits that carry forward as a contractor grows into CUI work.
Level 2 / 3 — Advanced & Expert (CUI)

110+ Practices · C3PAO / DIBCAC Assessment

Contractors handling Controlled Unclassified Information must implement the 110 NIST SP 800-171 controls (Level 2 — third-party C3PAO assessment every 3 years for prioritized CUI), with Level 3 adding enhanced NIST SP 800-172 controls under DIBCAC assessment for the highest-priority programs.

  • Primes & subs handling CUI / CDI
  • Weapons, aerospace, C4ISR, and R&D programs
  • Incident response (IR) capability that must be tested
  • DFARS 252.204-7012 rapid (72-hour) reporting
Tabletop exercises directly evidence IR.L2-3.6.3 incident-response testing, AT.L2-3.2 training, and DFARS 7012 reporting readiness for a C3PAO/DIBCAC assessment.
🛡️

One Platform for the Cleared & Controlled Defense Supply Chain

CMMC protects CUI; NISPOM (32 CFR 117) governs classified work and insider threat. Most defense contractors carry both. CyberICS runs the incident-response and training exercises — and produces the evidence — for each, in one place. See the companion NISPOM / DCSA toolkit →

🇬🇧 English 🇫🇷 Français 🇵🇹 Português 🇪🇸 Español 🇩🇪 Deutsch 🇮🇹 Italiano
CMMC 2.0 / NIST SP 800-171 Mapping

Control Families → CyberICS Capability

CMMC 2.0 Level 2 mirrors the 110 NIST SP 800-171 controls across 14 families. Tabletop exercises directly satisfy the incident-response-testing and training requirements, support DFARS 7012 reporting readiness, and generate evidence for several more families.

CMMC 2.0 / NIST SP 800-171 Requirements Reference

Coverage: Core = exercise directly satisfies the objective  |  Supporting = exercise validates / documents  |  Partial = scenario content covers the domain

Domain / Ref Family Requirement Summary CyberICS Capability Coverage
IR.L2-3.6.1/.2/.3 Incident Response (IR) Establish an operational incident-handling capability and test the organizational incident-response capability Live Session mode executes structured IR exercises end-to-end; the AI AAR documents detection, containment, eradication, and recovery — the test record IR.L2-3.6.3 requires Core
AT.L2-3.2.1/.2/.3 Awareness & Training (AT) Security awareness for all users and role-based training for those with security duties; insider-threat awareness Exercises are recurring, role-based training with per-participant completion records; insider-threat scenarios reinforce AT.L2-3.2.3 Core
DFARS 252.204-7012 Cyber-Incident Reporting Rapidly report cyber incidents affecting covered defense information to DoD (DIBNet) within 72 hours; preserve media The DFARS reporting drill rehearses the 72-hour report decision, content, and DIBNet submission under realistic pressure Core
CA.L2-3.12.1/.2/.4 Security Assessment (CA) Assess controls periodically, develop and update a POA&M, and maintain a system security plan AARs and Gap Analysis feed the POA&M with prioritized, dated corrective actions; exercise history evidences ongoing assessment activity Supporting
RA.L2-3.11.1 Risk Assessment (RA) Periodically assess risk to operations, assets, and individuals Scenario-driven exercises surface real risk and control gaps that inform the periodic risk assessment Supporting
AC.L2-3.1 Access Control (AC) Limit system access to authorized users, processes, and devices; least privilege Insider and privilege-escalation scenarios exercise access-control response; AARs flag access-management gaps Supporting
SI.L2-3.14 System & Information Integrity (SI) Identify, report, and correct flaws; protect against malicious code; monitor alerts Ransomware and malware scenarios exercise flaw/alert response; AARs document integrity-monitoring gaps Partial
AU.L2-3.3 Audit & Accountability (AU) Create and retain audit logs; review and analyze for indications of inappropriate activity Timestamped session transcripts and exercise activity provide an auditable accountability record Partial
CM.L2-3.4 Configuration Management (CM) Establish and maintain baseline configurations and inventories Scenario content references configuration and asset-management gaps; AAR flags CM weaknesses surfaced in play Partial
Platform Capabilities

How CyberICS Supports Your CMMC 2.0 Program

Three core capabilities work together to deliver, document, and evidence your incident-response and training objectives for a C3PAO or DIBCAC assessment.

🎲
IR.L2-3.6 · AT.L2-3.2

Structured Exercise Execution

Live Session mode runs real-time, multi-participant IR exercises. Every step, response, and host action is timestamped — producing the incident-response test record and the training-participation evidence CMMC requires.

  • Per-user participation & completion record
  • Step-by-step IR walkthrough log
  • Session date, scope, and duration metadata
  • Detection → containment → recovery trace
📋
IR.L2-3.6.3 · DFARS 7012

AI-Generated After Action Report

Immediately after each exercise, CyberICS generates a structured AAR documenting the response, gaps, and CMMC / 800-171 control references — the artifact that proves your IR capability was tested and what it found.

  • NIST SP 800-171 control references per gap
  • Corrective actions ready for the POA&M
  • DFARS 7012 reporting-readiness notes
  • Multilingual output (EN/FR/PT/ES/DE/IT)
📄
CA.L2-3.12 Assessment

C3PAO / DIBCAC Evidence Pack

The Compliance Dashboard assembles a CMMC evidence package — IR test records, training completion, control-coverage map, and a POA&M-ready gap list — so you walk into the assessment with the IR and AT evidence already built.

  • Incident-response test record (IR.L2-3.6.3)
  • Training completion roster (AT.L2-3.2)
  • 800-171 control-coverage map
  • Gap & POA&M remediation timeline
Scenario Library

CMMC-Relevant Scenarios for the Defense Industrial Base

Six high-fidelity scenarios built around CUI protection, incident response, and DFARS reporting — ready to run with AI facilitator briefing included.

CUI Theft · Phishing
IR.L2-3.6 · DFARS 7012
CUI Exfiltration via Spear-Phishing

A targeted phishing campaign harvests credentials and reaches the CUI enclave. Exercises detection, containment, and the DFARS 252.204-7012 reporting decision under time pressure.

IR.L2-3.6 DFARS 7012 AC.L2-3.1
Ransomware · CUI Enclave
IR.L2-3.6 · SI.L2-3.14
Ransomware on the CUI Enclave

Ransomware encrypts the environment that stores covered defense information, threatening delivery and recovery. Tests incident response, continuity, and reporting obligations.

IR.L2-3.6 SI.L2-3.14 DFARS 7012
Incident Reporting Drill
DFARS 252.204-7012
DFARS 72-Hour Report Drill

A confirmed compromise of covered defense information triggers the 72-hour clock. The team must scope impact, preserve media, and submit the rapid report to DoD via DIBNet.

DFARS 7012 IR.L2-3.6 CA.L2-3.12
Supply Chain · Subcontractor
IR.L2-3.6 · Supply Chain
Compromised Subcontractor / MSP

A trusted subcontractor or managed service provider with access to your CUI is breached, creating a pivot risk. Exercises cross-organization coordination and reporting flow-down.

Supply Chain IR.L2-3.6 NISPOM 117.8(f)
Insider · CUI Mishandling
AC.L2-3.1 · AT.L2-3.2
Insider CUI Mishandling

A cleared employee mishandles or exfiltrates CUI, intentionally or through negligence. Exercises access-control response, reporting, and the awareness-training gaps it reveals.

AC.L2-3.1 AT.L2-3.2 Insider Threat
Cloud / MSP · CUI Spillover
SC.L2-3.13 · IR.L2-3.6
CUI Spillover to Unauthorized Cloud

CUI is discovered in an unauthorized cloud or collaboration tool that does not meet 800-171 / FedRAMP-equivalent requirements. Tests containment, spill response, and reporting.

SC.L2-3.13 IR.L2-3.6 DFARS 7012

Plus 300+ additional ICS/OT and enterprise scenarios across the sectors the DIB operates in. Browse the full library →

Evidence Artifacts

Audit-Ready Documentation for Your CMMC Assessment

Every CyberICS exercise generates four categories of evidence supporting CMMC 2.0 / NIST SP 800-171 incident-response and training demonstration during a C3PAO or DIBCAC assessment.

🛡️
Incident-Response Test Record

AAR + session log proving the incident-response capability was exercised — the artifact IR.L2-3.6.3 ("test the organizational IR capability") calls for.

IR.L2-3.6.3
🎓
Training Completion Record

Per-user participation and completion roster evidencing security awareness and role-based training activity.

AT.L2-3.2
📧
DFARS 7012 Report Rehearsal

Timestamped log of a 72-hour reporting drill — decision, content, and DIBNet submission steps — demonstrating reporting readiness.

DFARS 252.204-7012
📊
C3PAO / DIBCAC Evidence Pack

Consolidated PDF: IR test record, training roster, 800-171 control-coverage map, and a POA&M-ready gap and remediation list.

CA.L2-3.12

Explore the Full Regulatory Toolkit Library

CyberICS exercise evidence maps to multiple frameworks simultaneously. One exercise program — complete regulatory coverage.

Ready to Test Your Incident Response Before Your C3PAO Does?

Start with a free 14-day trial — no credit card required. Or speak with our DIB team about a standing CMMC 2.0 incident-response and training exercise program that pairs with your NISPOM obligations.

Also explore: NISPOM / DCSA Toolkit  ·  NIST SP 800-82 Toolkit  ·  CISA CTEP Toolkit