A generic tabletop won’t help me in a CMMC assessment or during a real Microsoft 365 incident. It also won’t help when an Entra ID admin starts approving MFA prompts at 7:12 a.m. and nobody knows who should act first.
For CMMC Level 2 readiness, I want a session that tests real decisions under time pressure. The template below is the format I use when I need a CMMC tabletop exercise template that my team can adapt right away.
Why this exercise matters for CMMC Level 2
For Level 2, incident response testing is not optional. I anchor my exercise to IR.L2-3.6.3 in the DoD CMMC Level 2 assessment guide and the DIB SCC explanation of incident response testing. Both point to the same outcome: I need to test whether the organization can respond, not whether it can read a policy out loud.
That matters more in Microsoft 365 because incidents cross tools fast. A compromised Entra ID account touches identity, Exchange, SharePoint, OneDrive, endpoint telemetry, and sometimes contractual reporting. If my team can’t move from detection to containment with clear ownership, the weakness is already there.
I map the session back to NIST SP 800-171 and NIST SP 800-61 concepts: detect, analyze, contain, recover, and learn. I also keep Microsoft incident response planning guidance nearby so the discussion matches real admin actions and evidence sources. A tabletop exercise alone does not satisfy compliance, but it gives me proof that the plan is testable, the team understands it, and gaps are tracked to closure.
What I document before the exercise
Set the scope, assumptions, and success criteria
Before the meeting starts, I define the exact tenant, users, data, and business process in scope. If the scenario involves CUI in SharePoint or OneDrive, I name the site collection, owner, data type, and expected retention or logging sources. If the incident starts from email, I note which mailbox, which admin roles exist, and whether Defender for Office 365 or Microsoft Defender XDR is available.
I also write down the assumptions. This is a discussion exercise, not a live response. No one changes production settings. No one contacts a customer or regulator during the session. If the team wants to assume logging gaps, staffing limits, or after-hours timing, I state that up front so nobody wastes time arguing about imaginary access.

Assign roles and prep materials
Next, I assign roles before anyone enters the room. I want a facilitator, a scribe, an incident commander, an Entra ID admin, an Exchange admin, a SharePoint or OneDrive admin, a security lead, and a business owner. For defense contractors, I also include contracts, compliance, and leadership contacts if reporting or customer communication could come up.
I keep this prep list short and reusable:
- Record the date, duration, facilitator, and note taker.
- Name the primary scenario and one backup inject.
- List all participants and each person’s role.
- Define what counts as a good outcome.
- Note the systems, logs, and tools the team may reference.
- Identify reporting triggers, including any 72-hour decision path if DFARS reporting could apply.
- Save the incident plan, contact list, and org chart with the exercise record.
If nobody owns the decision to disable an account, revoke sessions, or preserve logs, I know the session is already paying for itself.
Microsoft 365 scenarios worth testing
I get the best value when I run one realistic primary incident and add one or two injects that change the picture mid-session.
Here is the matrix I use most often:
| Scenario | What I want the team to prove | Evidence I ask for |
| --- | --- | --- |
| Compromised Entra ID account | Who disables the account, revokes tokens, checks sign-in risk, and validates admin role exposure | Entra sign-in logs, audit logs, Identity Protection alerts |
| Business email compromise with a malicious inbox rule | Who reviews mail flow, searches for the rule, scopes impacted recipients, and blocks follow-on phishing | Exchange admin audit, message trace, mailbox audit logs |
| SharePoint or OneDrive data exposure | Who finds the shared files, removes access, preserves evidence, and checks whether CUI moved externally | Unified audit log, sharing links, site permissions, file activity |
| MFA fatigue attack | Who confirms prompt abuse, changes auth requirements, and determines if the attacker already got in | Sign-in logs, MFA detail, conditional access results |
| Suspicious OAuth or app consent | Who revokes consent, reviews granted scopes, finds affected users, and checks persistence | Entra enterprise app logs, consent records, audit logs |
After I pick the scenario, I confirm which logs are assumed available. Microsoft’s Entra CMMC Level 2 control notes and the Microsoft technical reference guide for CMMC v2 help me line up those evidence sources with Microsoft 365 control ownership.
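The "MFA fatigue attack" row asks the team to confirm prompt abuse from sign-in logs before deciding whether the attacker got in. As an added example (not code from the original post), this is the check I would want the security lead to be able to describe: a run of denied MFA prompts for one user inside a short window that ends in an approved prompt. The records and their field names are constructed and simplified, not a real Entra export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not a real tenant export). Field names
# are a simplified stand-in for Entra sign-in log fields: who signed in, when,
# from where, and how the MFA challenge ended.
SIGN_INS = [
    {"user": "jdoe@contoso.example", "time": "2024-03-05T07:02:10Z", "ip": "198.51.100.20", "mfa": "denied"},
    {"user": "jdoe@contoso.example", "time": "2024-03-05T07:04:41Z", "ip": "198.51.100.20", "mfa": "denied"},
    {"user": "jdoe@contoso.example", "time": "2024-03-05T07:07:03Z", "ip": "198.51.100.20", "mfa": "denied"},
    {"user": "jdoe@contoso.example", "time": "2024-03-05T07:09:55Z", "ip": "198.51.100.20", "mfa": "denied"},
    {"user": "jdoe@contoso.example", "time": "2024-03-05T07:12:00Z", "ip": "198.51.100.20", "mfa": "succeeded"},
    {"user": "asmith@contoso.example", "time": "2024-03-05T07:30:00Z", "ip": "203.0.113.7", "mfa": "denied"},
    {"user": "asmith@contoso.example", "time": "2024-03-05T07:31:10Z", "ip": "203.0.113.7", "mfa": "succeeded"},
    {"user": "bchen@contoso.example", "time": "2024-03-05T08:00:00Z", "ip": "192.0.2.33", "mfa": "denied"},
    {"user": "bchen@contoso.example", "time": "2024-03-05T08:01:00Z", "ip": "192.0.2.33", "mfa": "denied"},
    {"user": "bchen@contoso.example", "time": "2024-03-05T08:02:00Z", "ip": "192.0.2.33", "mfa": "denied"},
]

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def find_mfa_fatigue(records, min_denials=3, window_minutes=15):
    """Flag users with at least min_denials denied MFA prompts inside the
    window that end in an approved prompt. A user who kept denying (bchen)
    or denied only once before approving (asmith) is not flagged; the
    finding is what opens the 'did the attacker get in' decision."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append((_ts(r["time"]), r["mfa"], r["ip"]))
    window = timedelta(minutes=window_minutes)
    findings = []
    for user, events in sorted(by_user.items()):
        events.sort()
        for i, (when, result, ip) in enumerate(events):
            if result != "succeeded":
                continue
            denials = [e for e in events[:i]
                       if e[1] == "denied" and when - e[0] <= window]
            if len(denials) >= min_denials:
                findings.append({
                    "user": user,
                    "denials": len(denials),
                    "first_denial": denials[0][0].strftime("%H:%M"),
                    "approved_at": when.strftime("%H:%M"),
                    "source_ips": sorted({e[2] for e in denials} | {ip}),
                })
                break  # one finding per user is enough to trigger the decision
    return findings
```

The thresholds are assumptions; tune them to what the tenant's own sign-in volume makes reasonable, and keep the source IP list because it feeds the containment and evidence discussion.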
My reusable CMMC tabletop exercise template
Use this structure every time
I don’t reinvent the format. I reuse the same seven sections and swap in a new scenario.
- Record the exercise basics. I capture the name of the exercise, date, facilitator, participants, in-scope tenant, and whether the scenario touches CUI, FCI, or both.
- Write a one-paragraph incident narrative. I describe what happened, when it was detected, how it was first reported, and what the team knows at minute zero.
- Build a timeline with injects. I use time stamps such as 08:05, 08:20, and 08:45. Then I add injects like “user reports missing mail,” “OAuth consent granted to unknown app,” or “leadership asks if CUI left the tenant.”
- Define decision points. I force the team to say who has authority to disable the account, revoke sessions, isolate the endpoint, remove an inbox rule, block external sharing, or revoke app consent.
- Capture communications. I note who tells the user, who briefs leadership, who talks to the prime contractor or customer, and who decides whether contractual reporting is triggered.
- Capture containment and evidence. I ask which logs are reviewed, who exports them, where they are stored, and how screenshots, tickets, message headers, or audit records are preserved.
- End with recovery and corrective action. I document what must be reset, restored, monitored, or reconfigured, and who owns the follow-up with a due date.
If my team can’t name the owner for account disablement, evidence capture, and reporting decisions, the exercise has found a real gap.
During the session, I keep the pressure realistic. I usually run it for 60 to 90 minutes, and I insist that the scribe records exact decisions, not loose summaries. That gives me a usable artifact for training, assessment prep, and process fixes.
What I capture after the exercise
The session is only useful if I turn notes into tracked action. My after-action record includes the scenario, attendance list, timeline, major decisions, missing information, evidence gaps, and corrective actions with owners and due dates. I also note where the team made a good call fast, because repeatable strengths matter too.
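The decision-point rule above (every containment decision needs a named owner) and the after-action rule here (every corrective action needs an owner and a due date) are easy to state and easy to lose in a page of notes. As an added example, not part of the original post, this is a small check I would run over the scribe's record to list the gaps that go on the tracking sheet. The record, role names, and dates are constructed; the decision set is the one the template's "Define decision points" section forces the team to assign.

```python
from datetime import date

# Decision points the template forces the team to assign; a given scenario
# requires only a subset of them.
REQUIRED_DECISIONS = {
    "disable account", "revoke sessions", "isolate endpoint",
    "remove inbox rule", "block external sharing", "revoke app consent",
}

# Constructed record for a compromised Entra ID account scenario. Owners are
# roles, not names; None means nobody in the room could name one.
RECORD = {
    "name": "Q2 tabletop: compromised Entra ID account",
    "required": {"disable account", "revoke sessions", "isolate endpoint"},
    "decisions": {
        "disable account": "Entra ID admin",
        "revoke sessions": None,   # discussed, but no owner named
        # "isolate endpoint" never came up during the session
    },
    "corrective_actions": [
        {"item": "Tighten Conditional Access for admin roles",
         "owner": "security lead", "due": date(2024, 4, 15)},
        {"item": "Extend sign-in log retention", "owner": None, "due": None},
    ],
}

def find_gaps(record, today=date(2024, 3, 20)):
    """Return the gaps an after-action review must track to closure:
    decisions never addressed or unowned, and corrective actions with no
    owner, no due date, or a due date already in the past."""
    gaps = []
    unknown = set(record["required"]) - REQUIRED_DECISIONS
    if unknown:
        gaps.append(f"not a template decision point: {sorted(unknown)}")
    for decision in sorted(record["required"]):
        if decision not in record["decisions"]:
            gaps.append(f"decision never addressed: {decision}")
        elif not record["decisions"][decision]:
            gaps.append(f"decision has no owner: {decision}")
    for action in record["corrective_actions"]:
        if not action["owner"]:
            gaps.append(f"corrective action has no owner: {action['item']}")
        if action["due"] is None:
            gaps.append(f"corrective action has no due date: {action['item']}")
        elif action["due"] < today:
            gaps.append(f"corrective action overdue: {action['item']}")
    return gaps
```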
Most corrective actions are practical. I may tighten Conditional Access, review admin role assignments, limit user consent, enable stronger mailbox auditing, or improve log retention. If the incident started from a device, I usually tie the fix back to Endpoint Security and Device Hardening, because identity incidents often start on the endpoint.
I use the same discipline across Small Business IT, Cloud Infrastructure, Office 365 Migration, and Cloud Management work. It also carries into Data Center Technology, Restaurant POS Support, and Kitchen Technology Solutions, because weak identity control hurts every connected system. For an MSP or internal team that wants a real Business Technology Partner, this is where Cybersecurity Services, Technology Consulting, Infrastructure Optimization, Digital Transformation, IT Strategy for SMBs, Tailored Technology Services, Innovative IT Solutions, Secure Cloud Architecture, Managed IT for Small Business, and Business Continuity & Security turn into concrete actions instead of service-page promises.
Conclusion
A strong CMMC tabletop exercise template does one job well: it exposes the gap between the incident plan on paper and the first 30 minutes of real response. When I build the session around Microsoft 365 evidence, decision owners, and timed injects, that gap becomes visible fast.
The best version is not elaborate. It is specific, documented, and honest enough to show where the team hesitates. That is the point, because the exercise that reveals the weakness is the one that gives me something I can fix before the real incident arrives.