CMMC Practice IR.5.110: Perform unannounced operational exercises to demonstrate technical and procedural responses.
CMMC CLARIFICATION (Ref CMMC – Appendix B)
This practice requires a company to be able to plan and initiate an incident response exercise without the incident response team knowing it is going to happen. This is not about planning an IR test with all parties involved. The purpose of this practice is to test the IR team and the solutions, without a priori knowledge so the incident will help identify gaps in the current procedure or technical solutions. All findings should be used within a feedback loop to improve the IR procedures and to identify any technical shortfalls. This feedback will help the organization prioritize the changes towards future modification.