Giga-Green Giga-Green

CMMC Consulting

CMMC Tabletop Exercises

Facilitated tabletop exercises that satisfy the CMMC Level 2 incident response testing requirement (IR.L2-3.6.3) — and produce the evidence artifacts your assessor will ask for.

CMMC Tabletop Exercises

CMMC Level 2 requires you to test your incident response plan. Not “have one” — test it. Assessors will ask when you last did, and they will ask for the after-action documentation.

A tabletop exercise is how you meet that requirement without staging a real incident.

What we deliver

  • Scenario design. We build a scenario tailored to your actual environment — the systems that hold CUI, the ESPs you rely on, the contracts you can’t afford to lose. Generic scenarios waste the exercise; specific ones expose real gaps.
  • Facilitated exercise. A 3–4 hour session with your IT, security, executive, and legal leads. We inject complications in real time, force decisions, and challenge assumptions.
  • After-action report. Written narrative of what happened, what people decided, and what should have happened. Every gap tagged as documentation, training, technical, or POA&M-eligible.
  • Evidence packaging. Participant list, scenario, timeline, and after-action packaged for your SSP and control-family evidence library. This is the artifact your C3PAO will ask to see.
  • Optional retainer. Annual or semi-annual cadence to keep exercises current with your environment.

Why this matters at assessment time

Every CMMC assessor knows that a well-written IR plan proves nothing on its own. The exercise — and the paper trail it leaves — is what proves the plan actually works. Contractors without recent tabletop evidence get an easy IR family finding at assessment.

We design our exercises so the after-action documentation is a direct fit for your assessor’s evidence expectations. No re-writing after the fact.

Frequently asked questions

What CMMC control does a tabletop exercise satisfy?

IR.L2-3.6.3 — Test the organizational incident response capability. Under NIST SP 800-171, testing must be periodic, structured, and documented. A tabletop exercise is the most common (and defensible) way small and mid-size contractors meet this requirement.

Who should attend?

At minimum: IT / security leadership, an executive sponsor (COO or GM), and someone from legal or contracts. For more complete scenarios, add HR, facilities, and — for CUI-specific scenarios — the CUI custodian or program manager. Keep the group small enough to have real discussions (usually 6–10 people).

What scenarios do you run?

Common CMMC-relevant scenarios include ransomware infecting a CUI enclave, a malicious insider exfiltrating CUI, an unnoticed misconfiguration exposing CUI on the public internet, and a supply-chain compromise (an ESP or software vendor breach). We tailor the scenario to your actual environment and contract portfolio.

What does the after-action report include?

A written narrative of the exercise, the decisions each participant made, a red-team review of gaps, and a prioritized list of process/plan changes. Every gap gets tagged as either a documentation fix, a training gap, a technical fix, or a POA&M-eligible finding — so the report drops straight into your compliance workflow.

How often should we run one?

Annually at minimum for CMMC compliance. Some organizations run two per year — one general-scope and one program-specific. A tabletop after any significant environment change (major migration, new contract award, new tooling) is also good practice.

Is the exercise disruptive to daily operations?

No. Tabletop exercises are conversation-based, not technical. Nothing in your production environment is touched. The exercise runs 3–4 hours in a conference room or video call.

Ready to talk?

Tell us where you are in your CMMC journey and we'll follow up within one business day.