CMMC does not just want an IR plan. It wants you to test it.

CMMC certification is how a company stays eligible for US Department of Defense contracts, and it asks for more than a binder of policies. To reach Level 2 you have to meet the practices in NIST SP 800-171, and two of them are about your people, not your paperwork. You have to train them, and you have to test your incident response capability. A slide deck and a filed plan satisfy neither one, at least not in the way an assessor actually checks.

What CMMC asks of your people

Level 2 aligns to the 110 practices of NIST SP 800-171, and sitting among the technical controls are a couple that are squarely about human readiness. The Awareness and Training family requires you to make your people aware of security risks and train them on their specific roles. The Incident Response family goes further than “have a plan”: practice 3.6.3 requires you to test the organizational incident response capability. Not document it. Test it. That’s a verb an auditor can ask you to evidence.

Why the checklist is the default

The checklist is the obvious answer, and for good reasons. A lot of CMMC is genuine technical implementation, and a self-assessment or a tabletop template produces the artefact a C3PAO assessor expects to see. If the goal were to show that an IR plan exists, the template would be enough. But the practice doesn’t ask whether a plan exists. It asks whether the capability works.

A tested capability is not a filed plan

An incident response plan nobody has run is a set of assumptions about how your team will behave during a breach involving controlled unclassified information. Who declares the incident. Who talks to the prime contractor and to the government. Whether the runbook still matches the systems you have now. You don’t find those gaps by reviewing the document, and neither does the assessor. You find them by running it under pressure, before a real incident and a real audit find them for you.

What testing your IR capability looks like

It looks like the team working a real incident, making the calls, and living with the consequences on the table instead of in production. That’s what Malware & Monsters does. It’s a tabletop incident response game where the scenario changes because of what the team decides, so you’re exercising the capability CMMC 3.6.3 asks you to test, not narrating a plan. It has been run with security teams across Europe and North America, and it sits in the wider serious games catalogue alongside my other facilitated tabletop exercises.

CMMC is US defense contracting today, but the same NIST 800-171 backbone is about to reach every federal contractor under the proposed FAR CUI rule. The readiness problem is also exactly the one the EU is now legislating for its own entities. If you operate on both sides of the Atlantic, the EU equivalents are in game-based training for EU cyber regulation.

Frequently asked questions

Does CMMC require incident response testing?

Yes. CMMC Level 2 aligns to NIST SP 800-171, and practice 3.6.3 requires you to test the organizational incident response capability, not just document a plan.

Does CMMC require security training?

Yes. The Awareness and Training practices require you to make personnel aware of security risks and train them on their assigned security roles and responsibilities.

What is CMMC Level 2?

Level 2 is the Advanced level of CMMC 2.0, aligned to the 110 practices of NIST SP 800-171, required for contractors that handle Controlled Unclassified Information, and assessed by a third party for most.

Can a game help with CMMC compliance?

A game does not certify you, but it directly serves the human practices CMMC checks: it tests your incident response capability and trains your people on their roles, which is exactly what a tabletop like Malware & Monsters is built to do.

Want to put this in front of your team?

I run these as games your board and your responders actually take part in, not another slideshow. Tell me where your team is and what they need to practise, and we will set it up.

No cookies here

Notice there’s no cookie banner here.
That’s intentional and the site is still GDPR-compliant. I chose to avoid cookies and stick to basic, privacy-friendly stats.
My analytics are cookieless: self-hosted Plausible (EU) and PostHog in cookieless mode, with your IP anonymized. No cross-site tracking, nothing that identifies you.
The one cookie I can set does the opposite of every other cookie: it tells my stats to ignore you completely, and you only get it if you ask.

Everybody wins.