Skip to main content

IR.L2-3.6.1Establish an operational incident-handling capability

Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.

Verbatim NIST SP 800-171 Rev 2 requirement text (3.6.1).

SPRS weight: 5 ptsNot POA&M-eligible — must fix before assessment7 assessment objectives

How it's scored

5 points deducted from your SPRS score if unmet.

An open gap here is not POA&M-eligible (only 1-point requirements qualify under 32 CFR 170.21, with one narrow exception at SC.L2-3.13.11): it must be fully implemented before a Level 2 assessment can certify.

What an assessor checks: the 7 assessment objectives

NIST SP 800-171A determination statements, verbatim. A CMMC Level 2 assessor marks IR.L2-3.6.1 MET only when every applicable objective is satisfied — and examines evidence, not assertions.

ObjectiveDetermination statement
3.6.1[a]an operational incident-handling capability is established.
3.6.1[b]the operational incident-handling capability includes preparation.
3.6.1[c]the operational incident-handling capability includes detection.
3.6.1[d]the operational incident-handling capability includes analysis.
3.6.1[e]the operational incident-handling capability includes containment.
3.6.1[f]the operational incident-handling capability includes recovery.
3.6.1[g]the operational incident-handling capability includes user response activities.

Where do you stand on IR.L2-3.6.1?

The free Muster Score walks all 110 requirements — including every objective above — and computes your exact SPRS score in your browser. No signup, no upload, and your answers never leave your device.

Get your free Muster Score →

Requirement and objective text: NIST SP 800-171 Rev 2 / SP 800-171A (verbatim). Scoring: DoD Assessment Methodology v1.2.1; POA&M eligibility: 32 CFR 170.21. Muster is independent and not affiliated with the U.S. Department of Defense or the Cyber AB; this page is compliance information, not legal advice or a certification.