Handrails
CMMC Level 2 · C3PAO assessments mandatory November 2026

Contracts depend on your CMMC certification. Your certification depends on the evidence.

CMMC Level 2 incident response controls require evidence of a live, practiced exercise, not just a documented plan.

What if the entire exercise, from scenario to assessor-ready report, took less than 60 minutes? You could run it this week.

Mapped to CMMC Level 2 · NIST SP 800-171 · DFARS 7012

Report · flow-down ready · Live
Report · CMMC 3.6.3 · Q2 · Ready
  • Endpoint isolation: sub-10-minute containment
  • CUI access review: log aggregation took 3h
  • Prime flow-down: notified inside SLA
  • DIBNet submission: credentials unclear; owner missing
  • Named-participant log: ready for C3PAO review
What's changed

Why now

01 · The cost of getting it wrong

The assessment finding isn't a remediation plan. It's a failed certification. A failed certification means the contract goes to someone else. For many contractors in the DIB, that's more than a setback. It can be existential.

02 · The clock is already running

CMMC Level 2 requirements are already appearing in new DoD contracts. From November 2026, a C3PAO assessment will be mandatory before you can win work. IR testing is where many contractors find gaps. You have months, not years, to close them.

03 · Annual testing is the floor, not the ceiling

IR.L2-3.6.3 requires at least annual testing, but threat actors targeting CUI don't operate on your compliance calendar. Primes are increasingly expecting continuous readiness from their subs, not just annual compliance.

Says who

What your C3PAO assessor is looking for

Every exercise maps to a specific control your C3PAO assessor will check, producing the evidence your prime, your contracting officer and your assessor are all asking for.
IR.L2-3.6.1 · Incident Response · DoD / CMMC-AB · Ongoing capability

3.6.1 requires an operational incident-handling capability. That means documented processes, defined roles, and a team that knows what to do when CUI is compromised. A C3PAO assessor won't just check the documentation. They'll look for evidence the capability is real and practiced, not just written down.

If skipped: C3PAO finding. No demonstrable IR capability. Contract eligibility at risk.
IR.L2-3.6.2 · Incident Response · DoD / CMMC-AB · On occurrence

3.6.2 requires that incidents involving CUI are tracked, documented and reported to appropriate authorities. Your assessor will look for evidence that the right people know what to capture, when to escalate, and who to notify. A tabletop exercise is how you demonstrate that process has been rehearsed before it's needed.

If skipped: C3PAO finding. No evidence of incident tracking and reporting process. Contract eligibility at risk.
IR.L2-3.6.3 · Incident Response · DoD / CMMC-AB · At least annually

3.6.3 is the testing control, and the one assessors check most directly. It requires the IR capability to be tested at least annually. A dated, named after-action report from a live exercise is what a C3PAO needs to mark this control as Met. Without it, the control is open regardless of how strong your documentation is.

If skipped: C3PAO finding. No evidence of tested IR capability. Contract eligibility at risk.
Also available

Don't see your framework?

Handrails covers more than CMMC Level 2. If your framework is listed here, or you don't see it at all, let us know.

  • FedRAMP (US)
    Cloud systems supporting federal agencies require IR testing as part of the ATO process. Also relevant for FISMA-obligated agencies and contractors under NIST SP 800-53 IR-3, and GovRAMP for state and local government.
  • Essential Eight / DISP (AU)
    Australian government and defense suppliers face equivalent requirements.
  • Cyber Essentials Plus (UK)
    UK government and MoD suppliers. Security posture assessment with overlapping IR expectations.
How it works

From scenario to C3PAO-ready report, in under 60 minutes.

Weeks of planning. Hours of facilitation. Days more for the report. Handrails compresses the whole thing into under 60 minutes.
1 · Context in

Context
  • Role: Defense subcontractor
  • Level: CMMC Level 2
  • Clause: NIST 800-171 · 3.6.3
  • Prime: Tier-1 defense OEM
  • CUI boundary: GCC-High + on-prem
  • Cadence: Quarterly mini
  • DFARS clock: 72 hours to DoD
  • Roles: ISSM · IR · prime liaison
  • Plan: IRP mapped to 800-171
  • Evidence: SSP · POA&M packet
  • Reviewer: C3PAO · prime CISO
  • Systems: CUI enclave · secure dev

Built around your context

Answer a few questions about your setup, including whether you're a prime or sub, your CUI scope, even upload your existing IR plan. The scenario is custom generated from your context, not pulled from a generic library.

2 · Virtual session

Live · virtual · 47:32
Holly, the Handrails AI agent, facilitating a session with Reem (ISSM) and Jordan (prime liaison).

Run it live, virtually

Your team joins a video call. A fictitious but realistic CUI incident unfolds. Each person makes the decisions they would actually make. The session is recorded. That recording is your evidence trail.

3 · Report out

The report is ready before you close the call

A C3PAO-ready after-action report is generated from the session. Dated. Named. Mapped to IR.L2-3.6.1, 3.6.2 and 3.6.3. Hand it to your assessor, your prime or your contracting officer. Done.

Example scenarios

Tailored, not templated

Every scenario is generated from your context, not chosen from a library. Based on your frameworks, tech stack, vulnerability areas, even the plans and policies you upload. Three lightweight examples below.
Scenario 01 · CUI exfiltration via compromised VPN

An engineer's credentials are phished. The 72-hour DFARS 7012 clock starts. Who notifies DoD, and with what?

Scenario 02 · Prime contractor flow-down breach

Your prime reports an incident. Your obligation to cooperate, preserve evidence and re-attest runs on a tight clock.

Scenario 03 · Quarterly mini: phishing to lateral movement

Short-form exercise satisfying the cadence CMMC recommends. 30 minutes, five roles, full evidence packet.

Prime contractors

Turn flow-down obligations into a competitive advantage.

Under 32 CFR §170.23, primes must verify subcontractor CMMC compliance before sharing CUI. The primes that get ahead of this don't just check the box. They give their subs a fast, affordable path to C3PAO-ready IR evidence, maintain visibility across the supply chain, and arrive at every contract with a compliant network already in place.

Partner with Handrails

Make IR testing the easiest part of every CMMC engagement.

For most RPOs, MSSPs and vCISOs working in the DIB, IR testing is one of the most time-consuming deliverables in a CMMC readiness engagement. Days of scenario prep, hours of facilitation, more hours producing a C3PAO-ready report. Handrails can now carry that load for you. Stay in the advisory role your clients need you in, run more engagements, and earn on every session.
  • Revenue share, every cycle
    Get paid on every session your clients run.
  • Client visibility
    See which clients have run exercises, when they last tested and where the gaps are, without chasing status updates.
  • Evidence requests, handled
    Your clients arrive at assessment with C3PAO-ready IR evidence already documented. Less back and forth. Faster assessments.

Already working with: RPOs and CMMC consultants · MSSPs serving the DIB · C3PAOs · Defense primes

The C3PAO assessment is coming. Your IR evidence needs to be ready first.

Sign up, pick a scenario, invite the team. The report is ready before the session ends.