CMMC 2.0 Defense Contractor Tabletop Exercise Toolkit

CMMC 2.0 (Cybersecurity Maturity Model Certification) requires defense contractors handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) to demonstrate cybersecurity practices across 3 levels — 17 practices at Level 1 through 110+ practices at Level 3. Skyhigh tabletop exercises validate your Incident Response (IR) domain practices and generate assessment-ready evidence across all 14 CMMC 2.0 practice domains.

Note: CMMC 2.0 certification requires assessment by a C3PAO (CMMC Third-Party Assessor Organization) for Level 2 and above, or self-assessment for Level 1. This toolkit is for exercise program design only and does not constitute CMMC certification or assessment.
At a glance:
- 3 levels: Foundational → Advanced → Expert
- 110 practices: CMMC Level 2 (NIST SP 800-171)
- 14 practice domains covered
- Sector: Defense Industrial Base
Understanding CMMC 2.0 Requirements
CMMC 2.0 establishes a unified cybersecurity standard for the Defense Industrial Base — protecting FCI and CUI across a three-level maturity framework rooted in NIST SP 800-171.
Three CMMC 2.0 Levels
- Level 1 — Foundational (17 practices): basic cyber hygiene protecting FCI. Annual self-assessment.
- Level 2 — Advanced (110 practices): NIST SP 800-171 practices protecting CUI. Triennial C3PAO assessment (or annual self-assessment for some contracts).
- Level 3 — Expert (110+ practices): NIST SP 800-172 for advanced APT defense. Government-led assessment.
Most DIB contractors seeking DoD contracts require Level 2 certification.
Incident Response Domain (IR) — Most Exercise-Relevant
The IR domain (CMMC Level 2 practices 3.6.1 and 3.6.2) requires establishing an operational incident-handling capability (3.6.1) and tracking, documenting, and reporting incidents (3.6.2). Tabletop exercises directly validate 3.6.1 and produce the documentation required by 3.6.2. Every Skyhigh exercise generates an After-Action Report (AAR) that serves as 3.6.2 evidence, documenting that incidents were handled, tracked, and reported.
Cross-Domain Exercise Coverage
While IR is the domain exercises test most directly, tabletop exercises also generate evidence across other CMMC domains: AT (Awareness & Training — 3.2.1), CA (Security Assessment — 3.12.3), CM (Configuration Management — configuration gaps surface in scenarios), RA (Risk Assessment — 3.11.1), and SC (System & Communications Protection — network segmentation gaps). One exercise session generates multi-domain assessment evidence.
CMMC 2.0 Practice Domain Mapping
How Skyhigh tabletop exercises map to CMMC 2.0 practice domains — from the core IR domain through supporting domains where exercises generate assessment-relevant evidence.
| CMMC Practice Domain | Key Practices | Skyhigh Coverage | Evidence Generated |
|---|---|---|---|
| IR — Incident Response | 3.6.1 IR capability, 3.6.2 Incident tracking/reporting | Core | Exercise = direct IR capability test; AAR = 3.6.2 tracking/documentation evidence |
| AT — Awareness & Training | 3.2.1 Awareness training, 3.2.2 Role-based training | Core | Each exercise = AT training event evidence; role-specific scenario design |
| CA — Security Assessment | 3.12.1 Assess periodically, 3.12.3 Remediate deficiencies | Direct | Post-exercise gap analysis; remediation tracking from AAR findings |
| RA — Risk Assessment | 3.11.1 Risk assessment, 3.11.2 Vulnerability scan | Direct | Threat scenario mapping validates risk assessment; attack vector identification |
| CM — Configuration Mgmt | 3.4.1 Baseline, 3.4.2 Config changes | Supporting | Configuration gap findings from scenarios (default passwords, unpatched systems) |
| SC — System & Comms | 3.13.1 Comms monitoring, 3.13.3 Network segmentation | Direct | Lateral movement scenarios test segmentation; network segmentation gap analysis |
| AC — Access Control | 3.1.1 Authorized users, 3.1.2 Privileged users | Direct | Credential theft and insider threat scenarios test access control practices |
| SI — System & Info Integrity | 3.14.1 Flaw remediation, 3.14.6 Security alerting | Supporting | Alert effectiveness validation; flaw response testing in scenarios |
CMMC Exercise Program Features
Purpose-built capabilities for defense contractors building CMMC 2.0 assessment-ready incident response programs and POA&M-integrated exercise documentation.
CMMC Assessment-Ready Evidence Package
CMMC Level 2 C3PAO assessors look for evidence of an operational incident-handling capability (3.6.1) and incident tracking documentation (3.6.2). Skyhigh generates a dated exercise completion record, participant list, scenario summary, gap findings, and remediation plan, structured specifically as CMMC IR domain assessment evidence.
Tags: 3.6.1 Evidence · 3.6.2 Documentation · C3PAO Ready · Assessment Package
Plan of Action & Milestones (POA&M) Integration
CMMC assessors expect to see a POA&M documenting known deficiencies and remediation timelines. Skyhigh exercise AARs feed directly into the POA&M: gap findings from exercises become documented deficiencies with remediation commitments and closure dates. Linking exercise findings to remediation tracking demonstrates active POA&M management.
Tags: POA&M · Gap Tracking · Remediation Timeline · Closure Evidence
CUI Protection Scenario Library
CMMC's core mission is protecting Controlled Unclassified Information (CUI). Skyhigh's defense-sector scenario library (CUI exfiltration, defense supply chain compromise, APT contractor attack, subcontractor credential theft) tests your CUI protection practices under realistic attack conditions representing actual DIB threat actors (APT41, Volt Typhoon).
Tags: CUI Protection · DIB Scenarios · APT Scenarios · Supply Chain
Defense Industrial Base Scenario Library
Six defense-sector tabletop scenarios aligned to CMMC 2.0 practice domains and real-world DIB threat actors. All scenarios available on Pro and Team plans.
CUI Data Exfiltration — Controlled Technical Data Theft (CUI · Exfiltration)
A nation-state actor exfiltrates controlled unclassified information (CUI), including technical drawings and contract documents, from a Tier-1 defense contractor. Tests CUI protection practices (3.1.22), data loss detection, DCSA/DoD reporting obligations, and incident handling capability (3.6.1).
Tags: 3.6.1 · 3.1.22 · CUI
Defense Supply Chain Compromise — Tier-2 Subcontractor Breach (Supply Chain · APT)
A Tier-2 subcontractor's systems are compromised and used as a pivot point to access prime contractor networks. Tests supply chain risk (3.11.3), subcontractor security requirements, access revocation procedures, and CUI exposure assessment across the supply chain.
Tags: 3.11.3 · Supply Chain · Access Control
Advanced Persistent Threat — Long-Dwell Defense Network Intrusion (APT · Persistent)
A nation-state adversary (APT profile) establishes persistent access to a defense contractor's engineering network for 8 months before discovery. Tests detection capabilities (3.14.6), forensic investigation procedures, DCSA reporting, and determining the scope of potential CUI exposure.
Tags: 3.14.6 · 3.6.2 · APT
Subcontractor Credential Theft — FCI System Unauthorized Access (Credential · Theft)
A phishing attack against a subcontractor employee yields credentials that provide access to FCI-containing systems. Tests access control practices (3.1.1, 3.1.2), multi-factor authentication gaps, privileged access review, and incident handling procedures for third-party credential compromise.
Tags: 3.1.1 · 3.1.2 · Phishing
Defense Manufacturing Ransomware — Production Disruption (Manufacturing · Ransomware)
Ransomware encrypts manufacturing execution systems at a defense component manufacturer, disrupting production of critical DoD parts. Tests contingency planning (3.6.1), system recovery procedures, DoD contracting officer notification, and production continuity while maintaining CUI protection during recovery.
Tags: 3.6.1 · BCP · DoD Notification
CMMC Level 2 Assessment Preparation Tabletop (Assessment · Prep)
A structured tabletop exercise simulating a CMMC C3PAO assessment interview: teams walk through all 14 domains, identify documentation gaps, discuss POA&M items, and practice articulating security practices to external assessors. Identifies evidence gaps before the official assessment.
Tags: C3PAO Prep · All Domains · POA&M · Assessment
Evidence Artifacts Generated Per Exercise
Every Skyhigh defense exercise produces structured documentation artifacts aligned to CMMC 2.0 IR, AT, CA, and RA practice domains — ready for C3PAO assessors and internal POA&M management.
- IR Domain Practice Record: 3.6.1 operational IR capability evidence plus 3.6.2 incident tracking documentation
- AT Domain Training Evidence: 3.2.1 awareness training record, a dated exercise completion with participants
- POA&M Gap Input: exercise gap findings formatted for Plan of Action & Milestones integration
- CA Domain Assessment Evidence: 3.12.3 deficiency remediation tracking, closed findings from prior exercises
