Customized Contingency Planning (CP) and Incident Response (IR) Tabletop Exercises (TTX) for Department of Defense (DoD) Contractors
Arlington offers customized tabletop exercises for both Incident Response and Contingency Planning for Department of Defense (DoD) contractors implementing the NIST Risk Management Framework (RMF). Current DoD compliance requirements call for contractors to conduct annual testing for two (2) critical control domains within the NIST RMF: Incident Response (IR) and Contingency Planning (CP). Even without strict regulatory compliance mandates, annual testing of these critical areas is a best practice every DoD contractor should follow.
Why Tabletop Exercises for Incident Response (IR) and Contingency Planning (CP)
As defined by the United States Department of Homeland Security, “Tabletop exercises are discussion-based sessions where team members meet in an informal, classroom setting to discuss their roles during an emergency and their responses to a particular emergency situation. A facilitator guides participants through a discussion of one or more scenarios. The duration of a tabletop exercise depends on the audience, the topic being exercised and the exercise objectives.”
Key to the success of a tabletop exercise is being open and transparent, and not trying to find compensating controls for policies, procedures, and processes that may clearly be missing. When performed properly, such exercises benefit organizations tremendously. Furthermore, one of the biggest reasons for performing tabletop exercises is avoiding the considerable time, costs, and other issues that come with “real-life” testing or other more labor-intensive IR and CP testing.
Benefits of Tabletop Exercises for Incident Response and Contingency Planning
Per the NIST RMF, testing is required for both the IR and CP domains. The most efficient means of satisfying that testing requirement is performing tabletop exercises, which have the following benefits:
Increases overall awareness of potential issues and threats against the organization.
Clarifies roles and responsibilities when an incident or disaster occurs.
Identifies deficiencies in both your IR and CP programs.
Ultimately, validates both your IR and CP programs, giving you the confidence that your organization knows how to respond.