CMMC Consulting
CMMC Tabletop Exercises
Facilitated tabletop exercises that satisfy the CMMC Level 2 incident response testing requirement (IR.L2-3.6.3) — and produce the evidence artifacts your assessor will ask for.
- Scenario design tailored to your environment (ransomware, insider threat, CUI exposure, supply-chain attack)
- Facilitated 3–4 hour exercise with IT, security, executive leadership, and legal
- Injected complications that force real-time decisions on containment, notification, and DIBNet reporting
- After-action report with findings, POA&M-eligible remediation items, and process gaps
- Evidence package (participant list, scenario, timeline, after-action) sized for your SSP and assessor
- Optional annual retainer to keep exercises fresh as your environment changes
CMMC Tabletop Exercises
CMMC Level 2 requires you to test your incident response plan. Not “have one” — test it. Assessors will ask when you last did, and they will ask for the after-action documentation.
A tabletop exercise is how you meet that requirement without staging a real incident.
What we deliver
- Scenario design. We build a scenario tailored to your actual environment — the systems that hold CUI, the ESPs you rely on, the contracts you can’t afford to lose. Generic scenarios waste the exercise; specific ones expose real gaps.
- Facilitated exercise. A 3–4 hour session with your IT, security, executive, and legal leads. We inject complications in real time, force decisions, and challenge assumptions.
- After-action report. Written narrative of what happened, what people decided, and what should have happened. Every gap tagged as documentation, training, technical, or POA&M-eligible.
- Evidence packaging. Participant list, scenario, timeline, and after-action packaged for your SSP and control-family evidence library. This is the artifact your C3PAO will ask to see.
- Optional retainer. Annual or semi-annual cadence to keep exercises current with your environment.
Why this matters at assessment time
Every CMMC assessor knows that a well-written IR plan proves nothing on its own. The exercise — and the paper trail it leaves — is what proves the plan actually works. Contractors without recent tabletop evidence get an easy IR family finding at assessment.
We design our exercises so the after-action documentation is a direct fit for your assessor’s evidence expectations. No re-writing after the fact.
Frequently asked questions
What CMMC control does a tabletop exercise satisfy?
IR.L2-3.6.3 — Test the organizational incident response capability. Under NIST SP 800-171, testing must be periodic, structured, and documented. A tabletop exercise is the most common (and defensible) way small and mid-size contractors meet this requirement.
Who should attend?
At minimum: IT / security leadership, an executive sponsor (COO or GM), and someone from legal or contracts. For more complete scenarios, add HR, facilities, and — for CUI-specific scenarios — the CUI custodian or program manager. Keep the group small enough to have real discussions (usually 6–10 people).
What scenarios do you run?
Common CMMC-relevant scenarios include ransomware infecting a CUI enclave, a malicious insider exfiltrating CUI, an unnoticed misconfiguration exposing CUI on the public internet, and a supply-chain compromise (an ESP or software vendor breach). We tailor the scenario to your actual environment and contract portfolio.
What does the after-action report include?
A written narrative of the exercise, the decisions each participant made, a red-team review of gaps, and a prioritized list of process/plan changes. Every gap gets tagged as either a documentation fix, a training gap, a technical fix, or a POA&M-eligible finding — so the report drops straight into your compliance workflow.
How often should we run one?
Annually at minimum for CMMC compliance. Some organizations run two per year — one general-scope and one program-specific. A tabletop after any significant environment change (major migration, new contract award, new tooling) is also good practice.
Is the exercise disruptive to daily operations?
No. Tabletop exercises are conversation-based, not technical. Nothing in your production environment is touched. The exercise runs 3–4 hours in a conference room or video call.
Related services
CMMC Consulting
Network & Endpoint Hardening
Technical implementation of the CMMC controls that assessors touch first — segmentation, MFA, encryption, endpoint detection, and configuration baselines aligned to NIST SP 800-171 SC, AC, CM, and SI control families.
Learn more
CMMC Consulting
DFARS 7012 Incident Reporting Readiness
Turn the DFARS 252.204-7012 72-hour cyber-incident reporting clause from a compliance liability into a documented, tested playbook — with the DIBNet reporting flow, evidence preservation procedures, and IR plan aligned to NIST SP 800-61.
Learn more
CMMC Consulting
C3PAO Assessment Prep
Structured preparation for a Certified Third-Party Assessor Organization (C3PAO) Level 2 assessment — mock assessments, evidence packaging, and interview coaching for the personnel your assessor will speak with.
Learn more
Ready to talk?
Tell us where you are in your CMMC journey and we'll follow up within one business day.