CP - Contingency Planning
- Controls Count: 35
- Controls IDs: CP-1, CP-2, CP-2 (1), CP-2 (2), CP-2 (3), CP-2 (5), CP-2 (8), CP-3, CP-3 (1), CP-4, CP-4 (1), CP-4 (2), CP-6, CP-6 (1), CP-6 (2), CP-6 (3), CP-7, CP-7 (1), CP-7 (2), CP-7 (3), CP-7 (4), CP-8, CP-8 (1), CP-8 (2), CP-8 (3), CP-8 (4), CP-9, CP-9 (1), CP-9 (2), CP-9 (3), CP-9 (5), CP-9 (8), CP-10, CP-10 (2), CP-10 (4)
Controls
CP-1: Policy and Procedures
Develop, document, and disseminate to organization-defined personnel or roles:
organization-level, mission/business process-level, and/or system-level contingency planning policy that:
Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls;
Designate an organization-defined official to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and
Review and update the current contingency planning:
Policy at an organization-defined frequency and following organization-defined events; and
Procedures at an organization-defined frequency and following organization-defined events.
Contingency planning policy and procedures address the controls in the CP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of contingency planning policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to contingency planning policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
a contingency planning policy is developed and documented;
the contingency planning policy is disseminated to organization-defined personnel or roles;
contingency planning procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls are developed and documented;
the contingency planning procedures are disseminated to organization-defined personnel or roles;
the organization-level, mission/business process-level, and/or system-level contingency planning policy addresses purpose;
the organization-level, mission/business process-level, and/or system-level contingency planning policy addresses scope;
the organization-level, mission/business process-level, and/or system-level contingency planning policy addresses roles;
the organization-level, mission/business process-level, and/or system-level contingency planning policy addresses responsibilities;
the organization-level, mission/business process-level, and/or system-level contingency planning policy addresses management commitment;
the organization-level, mission/business process-level, and/or system-level contingency planning policy addresses coordination among organizational entities;
the organization-level, mission/business process-level, and/or system-level contingency planning policy addresses compliance;
the organization-level, mission/business process-level, and/or system-level contingency planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;
the organization-defined official is designated to manage the development, documentation, and dissemination of the contingency planning policy and procedures;
the current contingency planning policy is reviewed and updated at an organization-defined frequency;
the current contingency planning policy is reviewed and updated following organization-defined events;
the current contingency planning procedures are reviewed and updated at an organization-defined frequency;
the current contingency planning procedures are reviewed and updated following organization-defined events.
Contingency planning policy and procedures
system security plan
privacy plan
other relevant documents or records
Organizational personnel with contingency planning responsibilities
organizational personnel with information security and privacy responsibilities
CP-2: Contingency Plan
Develop a contingency plan for the system that:
Identifies essential mission and business functions and associated contingency requirements;
Provides recovery objectives, restoration priorities, and metrics;
Addresses contingency roles, responsibilities, assigned individuals with contact information;
Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;
Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented;
Addresses the sharing of contingency information; and
Is reviewed and approved by organization-defined personnel or roles;
Distribute copies of the contingency plan to organization-defined key contingency personnel (identified by name and/or by role) and organizational elements;
Coordinate contingency planning activities with incident handling activities;
Review the contingency plan for the system at an organization-defined frequency;
Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
Communicate contingency plan changes to organization-defined key contingency personnel (identified by name and/or by role) and organizational elements;
Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and
Protect the contingency plan from unauthorized disclosure and modification.
Contingency planning for systems is part of an overall program for achieving continuity of operations for organizational mission and business functions. Contingency planning addresses system restoration and implementation of alternative mission or business processes when systems are compromised or breached. Contingency planning is considered throughout the system development life cycle and is a fundamental part of the system design. Systems can be designed for redundancy, to provide backup capabilities, and for resilience. Contingency plans reflect the degree of restoration required for organizational systems since not all systems need to fully recover to achieve the level of continuity of operations desired. System recovery objectives reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, organizational risk tolerance, and system impact level.
Actions addressed in contingency plans include orderly system degradation, system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By coordinating contingency planning with incident handling activities, organizations ensure that the necessary planning activities are in place and activated in the event of an incident. Organizations consider whether continuity of operations during an incident conflicts with the capability to automatically disable the system, as specified in IR-4(5). Incident response planning is part of contingency planning for organizations and is addressed in the IR (Incident Response) family.
a contingency plan for the system is developed that identifies essential mission and business functions and associated contingency requirements;
a contingency plan for the system is developed that provides recovery objectives;
a contingency plan for the system is developed that provides restoration priorities;
a contingency plan for the system is developed that provides metrics;
a contingency plan for the system is developed that addresses contingency roles;
a contingency plan for the system is developed that addresses contingency responsibilities;
a contingency plan for the system is developed that addresses assigned individuals with contact information;
a contingency plan for the system is developed that addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;
a contingency plan for the system is developed that addresses eventual, full-system restoration without deterioration of the controls originally planned and implemented;
a contingency plan for the system is developed that addresses the sharing of contingency information;
a contingency plan for the system is developed that is reviewed by organization-defined personnel or roles;
a contingency plan for the system is developed that is approved by organization-defined personnel or roles;
copies of the contingency plan are distributed to organization-defined key contingency personnel (identified by name and/or by role);
copies of the contingency plan are distributed to organization-defined key contingency organizational elements;
contingency planning activities are coordinated with incident handling activities;
the contingency plan for the system is reviewed at an organization-defined frequency;
the contingency plan is updated to address changes to the organization, system, or environment of operation;
the contingency plan is updated to address problems encountered during contingency plan implementation, execution, or testing;
contingency plan changes are communicated to organization-defined key contingency personnel (identified by name and/or by role);
contingency plan changes are communicated to organization-defined key contingency organizational elements;
lessons learned from contingency plan testing or actual contingency activities are incorporated into contingency testing;
lessons learned from contingency plan training or actual contingency activities are incorporated into contingency testing and training;
the contingency plan is protected from unauthorized disclosure;
the contingency plan is protected from unauthorized modification.
Contingency planning policy
procedures addressing contingency operations for the system
contingency plan
evidence of contingency plan reviews and updates
system security plan
other relevant documents or records
Organizational personnel with contingency planning and plan implementation responsibilities
organizational personnel with incident handling responsibilities
organizational personnel with knowledge of requirements for mission and business functions
organizational personnel with information security responsibilities
Organizational processes for contingency plan development, review, update, and protection
mechanisms for developing, reviewing, updating, and/or protecting the contingency plan
CP-2 (1): Coordinate with Related Plans
Coordinate contingency plan development with organizational elements responsible for related plans.
Plans that are related to contingency plans include Business Continuity Plans, Disaster Recovery Plans, Critical Infrastructure Plans, Continuity of Operations Plans, Crisis Communications Plans, Insider Threat Implementation Plans, Data Breach Response Plans, Cyber Incident Response Plans, Breach Response Plans, and Occupant Emergency Plans.
contingency plan development is coordinated with organizational elements responsible for related plans.
Contingency planning policy
procedures addressing contingency operations for the system
contingency plan
business contingency plans
disaster recovery plans
continuity of operations plans
crisis communications plans
critical infrastructure plans
cyber incident response plan
insider threat implementation plans
occupant emergency plans
system security plan
other relevant documents or records
Organizational personnel with contingency planning and plan implementation responsibilities
organizational personnel with information security responsibilities
personnel with responsibility for related plans
CP-2 (2): Capacity Planning
Conduct capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.
Capacity planning is needed because different threats can result in a reduction of the available processing, telecommunications, and support services intended to support essential mission and business functions. Organizations anticipate degraded operations during contingency operations and factor the degradation into capacity planning. For capacity planning, environmental support refers to any environmental factor for which the organization determines that it needs to provide support in a contingency situation, even if in a degraded state. Such determinations are based on an organizational assessment of risk, system categorization (impact level), and organizational risk tolerance.
capacity planning is conducted so that the necessary capacity exists during contingency operations for information processing;
capacity planning is conducted so that the necessary capacity exists during contingency operations for telecommunications;
capacity planning is conducted so that the necessary capacity exists during contingency operations for environmental support.
Contingency planning policy
procedures addressing contingency operations for the system
contingency plan
capacity planning documents
system security plan
other relevant documents or records
Organizational personnel with contingency planning and plan implementation responsibilities
organizational personnel responsible for capacity planning
organizational personnel with information security responsibilities
CP-2 (3): Resume Mission and Business Functions
Plan for the resumption of all or essential mission and business functions within an organization-defined time period of contingency plan activation.
Organizations may choose to conduct contingency planning activities to resume mission and business functions as part of business continuity planning or as part of business impact analyses. Organizations prioritize the resumption of mission and business functions. The time period for resuming mission and business functions may be dependent on the severity and extent of the disruptions to the system and its supporting infrastructure.
the resumption of all or essential mission and business functions is planned for within an organization-defined time period of contingency plan activation.
Contingency planning policy
procedures addressing contingency operations for the system
contingency plan
business impact assessment
system security plan
privacy plan
other related plans
other relevant documents or records
Organizational personnel with contingency planning and plan implementation responsibilities
organizational personnel with information security and privacy responsibilities
organizational personnel with knowledge of requirements for mission and business functions
Organizational processes for resumption of missions and business functions
CP-2 (5): Continue Mission and Business Functions
Plan for the continuance of all or essential mission and business functions with minimal or no loss of operational continuity and sustains that continuity until full system restoration at primary processing and/or storage sites.
Organizations may choose to conduct the contingency planning activities to continue mission and business functions as part of business continuity planning or business impact analyses. Primary processing and/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency.
the continuance of all or essential mission and business functions with minimal or no loss of operational continuity is planned for;
continuity is sustained until full system restoration at primary processing and/or storage sites.
Contingency planning policy
procedures addressing contingency operations for the system
contingency plan
business impact assessment
primary processing site agreements
primary storage site agreements
alternate processing site agreements
alternate storage site agreements
contingency plan test documentation
contingency plan test results
system security plan
other relevant documents or records
Organizational personnel with contingency planning and plan implementation responsibilities
organizational personnel with knowledge of requirements for mission and business functions
organizational personnel with information security responsibilities
Organizational processes for continuing missions and business functions
CP-2 (8): Identify Critical Assets
Identify critical system assets supporting all or essential mission and business functions.
Organizations may choose to identify critical assets as part of criticality analysis, business continuity planning, or business impact analyses. Organizations identify critical system assets so that additional controls can be employed (beyond the controls routinely implemented) to help ensure that organizational mission and business functions can continue to be conducted during contingency operations. The identification of critical information assets also facilitates the prioritization of organizational resources. Critical system assets include technical and operational aspects. Technical aspects include system components, information technology services, information technology products, and mechanisms. Operational aspects include procedures (i.e., manually executed operations) and personnel (i.e., individuals operating technical controls and/or executing manual procedures). Organizational program protection plans can assist in identifying critical assets. If critical assets are resident within or supported by external service providers, organizations consider implementing CP-2(7) as a control enhancement.
critical system assets supporting all or essential mission and business functions are identified.
Contingency planning policy
procedures addressing contingency operations for the system
contingency plan
business impact assessment
system security plan
other relevant documents or records
Organizational personnel with contingency planning and plan implementation responsibilities
organizational personnel with knowledge of requirements for mission and business functions
organizational personnel with information security responsibilities
CP-3: Contingency Training
Provide contingency training to system users consistent with assigned roles and responsibilities:
Within an organization-defined time period of assuming a contingency role or responsibility;
When required by system changes; and
At an organization-defined frequency thereafter; and
Review and update contingency training content at an organization-defined frequency and following organization-defined events.
Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, some individuals may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to establish systems at alternate processing and storage sites; and organizational officials may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles or responsibilities reflects the specific continuity requirements in the contingency plan. Events that may precipitate an update to contingency training content include, but are not limited to, contingency plan testing or an actual contingency (lessons learned), assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. At the discretion of the organization, participation in a contingency plan test or exercise, including lessons learned sessions subsequent to the test or exercise, may satisfy contingency plan training requirements.
contingency training is provided to system users consistent with assigned roles and responsibilities within an organization-defined time period of assuming a contingency role or responsibility;
contingency training is provided to system users consistent with assigned roles and responsibilities when required by system changes;
contingency training is provided to system users consistent with assigned roles and responsibilities at an organization-defined frequency thereafter;
the contingency plan training content is reviewed and updated at an organization-defined frequency;
the contingency plan training content is reviewed and updated following organization-defined events.
Contingency planning policy
procedures addressing contingency training
contingency plan
contingency training curriculum
contingency training material
contingency training records
system security plan
other relevant documents or records
Organizational personnel with contingency planning, plan implementation, and training responsibilities
organizational personnel with information security responsibilities
Organizational processes for contingency training
CP-3 (1): Simulated Events
Incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations.
The use of simulated events creates an environment for personnel to experience actual threat events, including cyber-attacks that disable websites, ransomware attacks that encrypt organizational data on servers, hurricanes that damage or destroy organizational facilities, or hardware or software failures.
simulated events are incorporated into contingency training to facilitate effective response by personnel in crisis situations.
Contingency planning policy
procedures addressing contingency training
contingency plan
contingency training curriculum
contingency training material
system security plan
other relevant documents or records
Organizational personnel with contingency planning, plan implementation, and training responsibilities
organizational personnel with information security responsibilities
Organizational processes for contingency training
mechanisms for simulating contingency events
CP-4: Contingency Plan Testing
Test the contingency plan for the system at an organization-defined frequency using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: organization-defined tests;
Review the contingency plan test results; and
Initiate corrective actions, if needed.
Methods for testing contingency plans to determine the effectiveness of the plans and identify potential weaknesses include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions.
the contingency plan for the system is tested at an organization-defined frequency;
organization-defined tests are used to determine the effectiveness of the plan;
organization-defined tests are used to determine the readiness to execute the plan;
the contingency plan test results are reviewed;
corrective actions are initiated, if needed.
Contingency planning policy
procedures addressing contingency plan testing
contingency plan
contingency plan test documentation
contingency plan test results
system security plan
other relevant documents or records
Organizational personnel with responsibilities for contingency plan testing, reviewing, or responding to contingency plan tests
organizational personnel with information security responsibilities
Organizational processes for contingency plan testing
mechanisms supporting the contingency plan and/or contingency plan testing
CP-4 (1): Coordinate with Related Plans
Coordinate contingency plan testing with organizational elements responsible for related plans.
Plans related to contingency planning for organizational systems include Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, and Occupant Emergency Plans. Coordination of contingency plan testing does not require organizations to create organizational elements to handle related plans or to align such elements with specific plans. However, it does require that if such organizational elements are responsible for related plans, organizations coordinate with those elements.
contingency plan testing is coordinated with organizational elements responsible for related plans.
Contingency planning policy
incident response policy
procedures addressing contingency plan testing
contingency plan testing documentation
contingency plan
business continuity plans
disaster recovery plans
continuity of operations plans
crisis communications plans
critical infrastructure plans
cyber incident response plans
occupant emergency plans
system security plan
other relevant documents or records
Organizational personnel with contingency plan testing responsibilities
personnel with responsibilities for related plans
organizational personnel with information security responsibilities
CP-4 (2): Alternate Processing Site
Test the contingency plan at the alternate processing site:
To familiarize contingency personnel with the facility and available resources; and
To evaluate the capabilities of the alternate processing site to support contingency operations.
Conditions at the alternate processing site may be significantly different than the conditions at the primary site. Having the opportunity to visit the alternate site and experience the actual capabilities available at the site can provide valuable information on potential vulnerabilities that could affect essential organizational mission and business functions. The on-site visit can also provide an opportunity to refine the contingency plan to address the vulnerabilities discovered during testing.
the contingency plan is tested at the alternate processing site to familiarize contingency personnel with the facility and available resources;
the contingency plan is tested at the alternate processing site to evaluate the capabilities of the alternate processing site to support contingency operations.
Contingency planning policy
procedures addressing contingency plan testing
contingency plan
contingency plan test documentation
contingency plan test results
alternate processing site agreements
service-level agreements
system security plan
other relevant documents or records
Organizational personnel with contingency planning and plan implementation responsibilities
organizational personnel with information security responsibilities
Organizational processes for contingency plan testing
mechanisms supporting the contingency plan and/or contingency plan testing
CP-6: Alternate Storage Site
Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and
Ensure that the alternate storage site provides controls equivalent to that of the primary site.
Alternate storage sites are geographically distinct from primary storage sites and maintain duplicate copies of information and data if the primary storage site is not available. Similarly, alternate processing sites provide processing capability if the primary processing site is not available. Geographically distributed architectures that support contingency requirements may be considered alternate storage sites. Items covered by alternate storage site agreements include environmental conditions at the alternate sites, access rules for systems and facilities, physical and environmental protection requirements, and coordination of delivery and retrieval of backup media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential mission and business functions despite compromise, failure, or disruption in organizational systems.
an alternate storage site is established;
establishment of the alternate storage site includes necessary agreements to permit the storage and retrieval of system backup information;
the alternate storage site provides controls equivalent to that of the primary site.
Contingency planning policy
procedures addressing alternate storage sites
contingency plan
alternate storage site agreements
primary storage site agreements
system security plan
other relevant documents or records
Organizational personnel with contingency plan alternate storage site responsibilities
organizational personnel with system recovery responsibilities
organizational personnel with information security responsibilities
Organizational processes for storing and retrieving system backup information at the alternate storage site
mechanisms supporting and/or implementing the storage and retrieval of system backup information at the alternate storage site
CP-6 (1): Separation from Primary Site
Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats.
Threats that affect alternate storage sites are defined in organizational risk assessments and include natural disasters, structural failures, hostile attacks, and errors of omission or commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate storage sites based on the types of threats that are of concern. For threats such as hostile attacks, the degree of separation between sites is less relevant.
an alternate storage site that is sufficiently separated from the primary storage site is identified to reduce susceptibility to the same threats.
Contingency planning policy
procedures addressing alternate storage sites
contingency plan
alternate storage site
alternate storage site agreements
primary storage site agreements
system security plan
other relevant documents or records
Organizational personnel with contingency plan alternate storage site responsibilities
organizational personnel with system recovery responsibilities
organizational personnel with information security responsibilities
CP-6 (2): Recovery Time and Recovery Point Objectives
Configure the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives.
Organizations establish recovery time and recovery point objectives as part of contingency planning. Configuration of the alternate storage site includes physical facilities and the systems supporting recovery operations that ensure accessibility and correct execution.
the alternate storage site is configured to facilitate recovery operations in accordance with recovery time objectives;
the alternate storage site is configured to facilitate recovery operations in accordance with recovery point objectives.
Contingency planning policy
procedures addressing alternate storage sites
contingency plan
alternate storage site
alternate storage site agreements
alternate storage site configurations
system security plan
other relevant documents or records
Organizational personnel with contingency plan testing responsibilities
organizational personnel with responsibilities for testing related plans
organizational personnel with information security responsibilities
Organizational processes for contingency plan testing
mechanisms supporting recovery time and point objectives
CP-6 (3): Accessibility
Identify potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outline explicit mitigation actions.
Area-wide disruptions refer to those types of disruptions that are broad in geographic scope with such determinations made by organizations based on organizational assessments of risk. Explicit mitigation actions include duplicating backup information at other alternate storage sites if access problems occur at originally designated alternate sites or planning for physical access to retrieve backup information if electronic accessibility to the alternate site is disrupted.
potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster are identified;
explicit mitigation actions to address identified accessibility problems are outlined.
Contingency planning policy
procedures addressing alternate storage sites
contingency plan
alternate storage site
list of potential accessibility problems to alternate storage site
mitigation actions for accessibility problems to alternate storage site
organizational risk assessments
system security plan
other relevant documents or records
Organizational personnel with contingency plan alternate storage site responsibilities
organizational personnel with system recovery responsibilities
organizational personnel with information security responsibilities
CP-7: Alternate Processing Site
Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of organization-defined system operations for essential mission and business functions within an organization-defined time period consistent with recovery time and recovery point objectives when the primary processing capabilities are unavailable;
Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time period for transfer and resumption; and
Provide controls at the alternate processing site that are equivalent to those at the primary site.
Alternate processing sites are geographically distinct from primary processing sites and provide processing capability if the primary processing site is not available. The alternate processing capability may be addressed using a physical processing site or other alternatives, such as failover to a cloud-based service provider or other internally or externally provided processing service. Geographically distributed architectures that support contingency requirements may also be considered alternate processing sites. Controls that are covered by alternate processing site agreements include the environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and the coordination for the transfer and assignment of personnel. Requirements are allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential mission and business functions despite disruption, compromise, or failure in organizational systems.
an alternate processing site, including necessary agreements to permit the transfer and resumption of organization-defined system operations for essential mission and business functions, is established within an organization-defined time period consistent with recovery time and recovery point objectives when the primary processing capabilities are unavailable;
the equipment and supplies required to transfer operations are made available at the alternate processing site or contracts are in place to support delivery to the site within an organization-defined time period consistent with recovery time and recovery point objectives for transfer;
the equipment and supplies required to resume operations are made available at the alternate processing site or contracts are in place to support delivery to the site within an organization-defined time period consistent with recovery time and recovery point objectives for resumption;
controls provided at the alternate processing site are equivalent to those at the primary site.
Contingency planning policy
procedures addressing alternate processing sites
contingency plan
alternate processing site agreements
primary processing site agreements
spare equipment and supplies inventory at alternate processing site
equipment and supply contracts
service-level agreements
system security plan
other relevant documents or records
Organizational personnel with responsibilities for contingency planning and/or alternate site arrangements
organizational personnel with information security responsibilities
Organizational processes for recovery at the alternate site
mechanisms supporting and/or implementing recovery at the alternate processing site
CP-7 (1): Separation from Primary Site
Identify an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats.
Threats that affect alternate processing sites are defined in organizational assessments of risk and include natural disasters, structural failures, hostile attacks, and errors of omission or commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate processing sites based on the types of threats that are of concern. For threats such as hostile attacks, the degree of separation between sites is less relevant.
an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats is identified.
Contingency planning policy
procedures addressing alternate processing sites
contingency plan
alternate processing site
alternate processing site agreements
primary processing site agreements
system security plan
other relevant documents or records
Organizational personnel with contingency plan alternate processing site responsibilities
organizational personnel with system recovery responsibilities
organizational personnel with information security responsibilities
CP-7 (2): Accessibility
Identify potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster and outline explicit mitigation actions.
Area-wide disruptions refer to those types of disruptions that are broad in geographic scope with such determinations made by organizations based on organizational assessments of risk.
potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster are identified;
explicit mitigation actions to address identified accessibility problems are outlined.
Contingency planning policy
procedures addressing alternate processing sites
contingency plan
alternate processing site
alternate processing site agreements
primary processing site agreements
system security plan
other relevant documents or records
Organizational personnel with contingency plan alternate processing site responsibilities
organizational personnel with system recovery responsibilities
organizational personnel with information security responsibilities
CP-7 (3): Priority of Service
Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives).
Priority of service agreements refer to negotiated agreements with service providers that ensure that organizations receive priority treatment consistent with their availability requirements and the availability of information resources for logical alternate processing and/or at the physical alternate processing site. Organizations establish recovery time objectives as part of contingency planning.
alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed.
Contingency planning policy
procedures addressing alternate processing sites
contingency plan
alternate processing site agreements
service-level agreements
system security plan
other relevant documents or records
Organizational personnel with contingency plan alternate processing site responsibilities
organizational personnel with system recovery responsibilities
organizational personnel with information security responsibilities
organizational personnel with responsibility for acquisitions/contractual agreements
CP-7 (4): Preparation for Use
Prepare the alternate processing site so that the site can serve as the operational site supporting essential mission and business functions.
Site preparation includes establishing configuration settings for systems at the alternate processing site consistent with the requirements for such settings at the primary site and ensuring that essential supplies and logistical considerations are in place.
the alternate processing site is prepared so that the site can serve as the operational site supporting essential mission and business functions.
Contingency planning policy
procedures addressing alternate processing sites
contingency plan
alternate processing site
alternate processing site agreements
alternate processing site configurations
system security plan
other relevant documents or records
Organizational personnel with contingency plan alternate processing site responsibilities
organizational personnel with system recovery responsibilities
organizational personnel with information security responsibilities
Mechanisms supporting and/or implementing recovery at the alternate processing site
CP-8: Telecommunications Services
Establish alternate telecommunications services, including necessary agreements to permit the resumption of organization-defined system operations for essential mission and business functions within an organization-defined time period when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
Telecommunications services (for data and voice) for primary and alternate processing and storage sites are in scope for CP-8. Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential mission and business functions despite the loss of primary telecommunications services. Organizations may specify different time periods for primary or alternate sites. Alternate telecommunications services include additional organizational or commercial ground-based circuits or lines, network-based approaches to telecommunications, or the use of satellites. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements.
alternate telecommunications services, including necessary agreements to permit the resumption of organization-defined system operations, are established for essential mission and business functions within an organization-defined time period when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
Contingency planning policy
procedures addressing alternate telecommunications services
contingency plan
primary and alternate telecommunications service agreements
system security plan
other relevant documents or records
Organizational personnel with contingency plan telecommunications responsibilities
organizational personnel with system recovery responsibilities
organizational personnel with knowledge of requirements for mission and business functions
organizational personnel with information security responsibilities
organizational personnel with responsibility for acquisitions/contractual agreements
Mechanisms supporting telecommunications
CP-8 (1): Priority of Service Provisions
Develop primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives); and
Request Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier.
Organizations consider the potential mission or business impact in situations where telecommunications service providers are servicing other organizations with similar priority of service provisions. Telecommunications Service Priority (TSP) is a Federal Communications Commission (FCC) program that directs telecommunications service providers (e.g., wireline and wireless phone companies) to give preferential treatment to users enrolled in the program when they need to add new lines or have their lines restored following a disruption of service, regardless of the cause. The FCC sets the rules and policies for the TSP program, and the Department of Homeland Security manages the TSP program. The TSP program is always in effect and not contingent on a major disaster or attack taking place. Federal sponsorship is required to enroll in the TSP program.
primary telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;
alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;
Telecommunications Service Priority is requested for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier.
Contingency planning policy
procedures addressing primary and alternate telecommunications services
contingency plan
primary and alternate telecommunications service agreements
Telecommunications Service Priority documentation
system security plan
other relevant documents or records
Organizational personnel with contingency plan telecommunications responsibilities
organizational personnel with system recovery responsibilities
organizational personnel with information security responsibilities
organizational personnel with responsibility for acquisitions/contractual agreements
Mechanisms supporting telecommunications
CP-8 (2): Single Points of Failure
Obtain alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.
In certain circumstances, telecommunications service providers or services may share the same physical lines, which increases the vulnerability of a single failure point. It is important to have provider transparency for the actual physical transmission capability for telecommunication services.
alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services are obtained.
Contingency planning policy
procedures addressing primary and alternate telecommunications services
contingency plan
primary and alternate telecommunications service agreements
system security plan
other relevant documents or records
Organizational personnel with contingency plan telecommunications responsibilities
organizational personnel with system recovery responsibilities
primary and alternate telecommunications service providers
organizational personnel with information security responsibilities
CP-8 (3): Separation of Primary and Alternate Providers
Obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.
Threats that affect telecommunications services are defined in organizational assessments of risk and include natural disasters, structural failures, cyber or physical attacks, and errors of omission or commission. Organizations can reduce common susceptibilities by minimizing shared infrastructure among telecommunications service providers and achieving sufficient geographic separation between services. Organizations may consider using a single service provider in situations where the service provider can provide alternate telecommunications services that meet the separation needs addressed in the risk assessment.
alternate telecommunications services from providers that are separated from primary service providers are obtained to reduce susceptibility to the same threats.
Contingency planning policy
procedures addressing primary and alternate telecommunications services
contingency plan
primary and alternate telecommunications service agreements
alternate telecommunications service provider site
primary telecommunications service provider site
other relevant documents or records
Organizational personnel with contingency plan telecommunications responsibilities
organizational personnel with system recovery responsibilities
primary and alternate telecommunications service providers
organizational personnel with information security responsibilities
CP-8 (4): Provider Contingency Plan
Require primary and alternate telecommunications service providers to have contingency plans;
Review provider contingency plans to ensure that the plans meet organizational contingency requirements; and
Obtain evidence of contingency testing and training by providers at an organization-defined frequency.
Reviews of provider contingency plans consider the proprietary nature of such plans. In some situations, a summary of provider contingency plans may be sufficient evidence for organizations to satisfy the review requirement. Telecommunications service providers may also participate in ongoing disaster recovery exercises in coordination with the Department of Homeland Security and state and local governments. Organizations may use these types of activities to satisfy evidentiary requirements related to service provider contingency plan reviews, testing, and training.
primary telecommunications service providers are required to have contingency plans;
alternate telecommunications service providers are required to have contingency plans;
provider contingency plans are reviewed to ensure that the plans meet organizational contingency requirements;
evidence of contingency testing by providers is obtained at an organization-defined frequency;
evidence of contingency training by providers is obtained at an organization-defined frequency.
Contingency planning policy
procedures addressing primary and alternate telecommunications services
contingency plan
provider contingency plans
evidence of contingency testing/training by providers
primary and alternate telecommunications service agreements
system security plan
other relevant documents or records
Organizational personnel with contingency planning, plan implementation, and testing responsibilities
primary and alternate telecommunications service providers
organizational personnel with information security responsibilities
organizational personnel with responsibility for acquisitions/contractual agreements
CP-9: System Backup
Conduct backups of user-level information contained in organization-defined system components at an organization-defined frequency consistent with recovery time and recovery point objectives;
Conduct backups of system-level information contained in the system at an organization-defined frequency consistent with recovery time and recovery point objectives;
Conduct backups of system documentation, including security- and privacy-related documentation, at an organization-defined frequency consistent with recovery time and recovery point objectives; and
Protect the confidentiality, integrity, and availability of backup information.
System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of system backup information while in transit is addressed by MP-5 and SC-8. System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements.
backups of user-level information contained in organization-defined system components are conducted at an organization-defined frequency consistent with recovery time and recovery point objectives;
backups of system-level information contained in the system are conducted at an organization-defined frequency consistent with recovery time and recovery point objectives;
backups of system documentation, including security- and privacy-related documentation, are conducted at an organization-defined frequency consistent with recovery time and recovery point objectives;
the confidentiality of backup information is protected;
the integrity of backup information is protected;
the availability of backup information is protected.
Contingency planning policy
procedures addressing system backup
contingency plan
backup storage location(s)
system backup logs or records
system security plan
privacy plan
other relevant documents or records
Organizational personnel with system backup responsibilities
organizational personnel with information security and privacy responsibilities
Organizational processes for conducting system backups
mechanisms supporting and/or implementing system backups
CP-9 (1): Testing for Reliability and Integrity
Test backup information at an organization-defined frequency to verify media reliability and information integrity.
Organizations need assurance that backup information can be reliably retrieved. Reliability pertains to the systems and system components where the backup information is stored, the operations used to retrieve the information, and the integrity of the information being retrieved. Independent and specialized tests can be used for each of the aspects of reliability. For example, decrypting and transporting (or transmitting) a random sample of backup files from the alternate storage or backup site and comparing the information to the same information at the primary processing site can provide such assurance.
backup information is tested at an organization-defined frequency to verify media reliability;
backup information is tested at an organization-defined frequency to verify information integrity.
Contingency planning policy
procedures addressing system backup
contingency plan
system backup test results
contingency plan test documentation
contingency plan test results
system security plan
other relevant documents or records
Organizational personnel with system backup responsibilities
organizational personnel with information security responsibilities
Organizational processes for conducting system backups
mechanisms supporting and/or implementing system backups
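The sampling check described in the CP-9 (1) discussion, combined with the hash-based integrity mechanism named under CP-9, as an added example that is not part of the control catalog. The function names, file names and key are assumptions constructed for the demonstration, and an HMAC over the manifest stands in for a digital signature so the code needs only the standard library.

```python
import hashlib
import hmac
import json
import random
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup files are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(primary_dir: Path, key: bytes) -> dict:
    """Record one hash per file at the primary site and authenticate the record."""
    files = {
        p.relative_to(primary_dir).as_posix(): sha256_file(p)
        for p in sorted(primary_dir.rglob("*"))
        if p.is_file()
    }
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_sample(manifest: dict, backup_dir: Path, key: bytes,
                  sample_size: int, rng=None) -> dict:
    """Check a random sample of retrieved backup files against the manifest.

    Returns {relative path: "ok" | "missing" | "modified"}.
    Raises ValueError when the manifest itself fails authentication, because
    hashes from an altered manifest prove nothing about the backup.
    """
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        raise ValueError("manifest failed HMAC verification")

    rng = rng or random.SystemRandom()  # unpredictable choice of sample
    names = sorted(manifest["files"])
    chosen = rng.sample(names, min(sample_size, len(names)))

    results = {}
    for name in chosen:
        candidate = backup_dir / name
        if not candidate.is_file():
            results[name] = "missing"      # media or retrieval reliability failure
        elif hmac.compare_digest(sha256_file(candidate), manifest["files"][name]):
            results[name] = "ok"
        else:
            results[name] = "modified"     # information integrity failure
    return results


def demo():
    """Constructed data: a primary tree and an alternate-site copy in which
    one file has been corrupted and one has been lost."""
    key = b"constructed-demo-key-not-for-production"
    contents = {
        "db/users.dump": b"alice,bob\n",
        "db/orders.dump": b"1001,1002\n",
        "etc.tar": b"config-v7\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        primary, alternate = Path(tmp, "primary"), Path(tmp, "alternate")
        for root in (primary, alternate):
            (root / "db").mkdir(parents=True)
            for name, data in contents.items():
                (root / name).write_bytes(data)
        manifest = build_manifest(primary, key)
        (alternate / "db/orders.dump").write_bytes(b"1001,9999\n")  # corruption
        (alternate / "etc.tar").unlink()                            # loss
        return manifest, verify_sample(manifest, alternate, key, sample_size=3)


if __name__ == "__main__":
    _, report = demo()
    for name, status in sorted(report.items()):
        print(f"{status:9} {name}")
```

In practice the manifest key is held apart from the backup storage, so that whoever can alter backup files cannot also re-authenticate a matching manifest.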
CP-9 (2): Test Restoration Using Sampling
Use a sample of backup information in the restoration of selected system functions as part of contingency plan testing.
Organizations need assurance that system functions can be restored correctly and can support established organizational missions. To ensure that the selected system functions are thoroughly exercised during contingency plan testing, a sample of backup information is retrieved to determine whether the functions are operating as intended. Organizations can determine the sample size for the functions and backup information based on the level of assurance needed.
a sample of backup information in the restoration of selected system functions is used as part of contingency plan testing.
Contingency planning policy
procedures addressing system backup
contingency plan
system backup test results
contingency plan test documentation
contingency plan test results
system security plan
other relevant documents or records
Organizational personnel with system backup responsibilities
organizational personnel with contingency planning/contingency plan testing responsibilities
organizational personnel with information security responsibilities
Organizational processes for conducting system backups
mechanisms supporting and/or implementing system backups
CP-9 (3): Separate Storage for Critical Information
Store backup copies of organization-defined critical system software and other security-related information in a separate facility or in a fire rated container that is not collocated with the operational system.
Separate storage for critical information applies to all critical information regardless of the type of backup storage media. Critical system software includes operating systems, middleware, cryptographic key management systems, and intrusion detection systems. Security-related information includes inventories of system hardware, software, and firmware components. Alternate storage sites, including geographically distributed architectures, serve as separate storage facilities for organizations. Organizations may provide separate storage by implementing automated backup processes at alternative storage sites (e.g., data centers). The General Services Administration (GSA) establishes standards and specifications for security and fire rated containers.
backup copies of organization-defined critical system software and other security-related information are stored in a separate facility or in a fire rated container that is not collocated with the operational system.
Contingency planning policy
procedures addressing system backup
contingency plan
backup storage location(s)
system backup configurations and associated documentation
system backup logs or records
system security plan
other relevant documents or records
Organizational personnel with contingency planning and plan implementation responsibilities
organizational personnel with system backup responsibilities
organizational personnel with information security responsibilities
CP-9 (5): Transfer to Alternate Storage Site
Transfer system backup information to the alternate storage site according to an organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives.
System backup information can be transferred to alternate storage sites either electronically or by the physical shipment of storage media.
system backup information is transferred to the alternate storage site for an organization-defined time period consistent with recovery time and recovery point objectives;
system backup information is transferred to the alternate storage site at an organization-defined transfer rate consistent with recovery time and recovery point objectives.
Contingency planning policy
procedures addressing system backup
contingency plan
system backup logs or records
evidence of system backup information transferred to alternate storage site
alternate storage site agreements
system security plan
other relevant documents or records
Organizational personnel with system backup responsibilities
organizational personnel with information security responsibilities
Organizational processes for transferring system backups to the alternate storage site
mechanisms supporting and/or implementing system backups
mechanisms supporting and/or implementing information transfer to the alternate storage site
CP-9 (8): Cryptographic Protection
Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of organization-defined backup information.
The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of backup information. The strength of mechanisms selected is commensurate with the security category or classification of the information. Cryptographic protection applies to system backup information in storage at both primary and alternate locations. Organizations that implement cryptographic mechanisms to protect information at rest also consider cryptographic key management solutions.
cryptographic mechanisms are implemented to prevent unauthorized disclosure and modification of organization-defined backup information.
Contingency planning policy
procedures addressing system backup
contingency plan
system design documentation
system configuration settings and associated documentation
system security plan
other relevant documents or records
Organizational personnel with system backup responsibilities
organizational personnel with information security responsibilities
Mechanisms supporting and/or implementing cryptographic protection of backup information
CP-10: System Recovery and Reconstitution
Provide for the recovery and reconstitution of the system to a known state within organization-defined time period consistent with recovery time and recovery point objectives after a disruption, compromise, or failure.
Recovery is executing contingency plan activities to restore organizational mission and business functions. Reconstitution takes place following recovery and includes activities for returning systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities; recovery point, recovery time, and reconstitution objectives; and organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of interim system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored system capabilities, reestablishment of continuous monitoring activities, system reauthorization (if required), and activities to prepare the system and organization for future disruptions, breaches, compromises, or failures. Recovery and reconstitution capabilities can include automated mechanisms and manual procedures. Organizations establish recovery time and recovery point objectives as part of contingency planning.
the recovery of the system to a known state is provided within an organization-defined time period consistent with recovery time and recovery point objectives after a disruption, compromise, or failure;
a reconstitution of the system to a known state is provided within an organization-defined time period consistent with recovery time and recovery point objectives after a disruption, compromise, or failure.
Contingency planning policy
procedures addressing system backup
contingency plan
system backup test results
contingency plan test results
contingency plan test documentation
redundant secondary system for system backups
location(s) of redundant secondary backup system(s)
system security plan
other relevant documents or records
Organizational personnel with contingency planning, recovery, and/or reconstitution responsibilities
organizational personnel with information security responsibilities
Organizational processes implementing system recovery and reconstitution operations
mechanisms supporting and/or implementing system recovery and reconstitution operations
CP-10 (2): Transaction Recovery
Implement transaction recovery for systems that are transaction-based.
Transaction-based systems include database management systems and transaction processing systems. Mechanisms supporting transaction recovery include transaction rollback and transaction journaling.
transaction recovery is implemented for systems that are transaction-based.
Contingency planning policy
procedures addressing system recovery and reconstitution
contingency plan
system design documentation
system configuration settings and associated documentation
contingency plan test documentation
contingency plan test results
system transaction recovery records
system audit records
system security plan
other relevant documents or records
Organizational personnel with responsibility for transaction recovery
organizational personnel with information security responsibilities
Mechanisms supporting and/or implementing transaction recovery capability
CP-10 (4): Restore Within Time Period
Provide the capability to restore system components within an organization-defined restoration time period from configuration-controlled and integrity-protected information representing a known, operational state for the components.
Restoration of system components includes reimaging, which restores the components to known, operational states.
the capability to restore system components within an organization-defined restoration time period from configuration-controlled and integrity-protected information representing a known, operational state for the components is provided.
Contingency planning policy
procedures addressing system recovery and reconstitution
contingency plan
system design documentation
system configuration settings and associated documentation
contingency plan test documentation
contingency plan test results
evidence of system recovery and reconstitution operations
system security plan
other relevant documents or records
Organizational personnel with system recovery and reconstitution responsibilities
organizational personnel with information security responsibilities
Mechanisms supporting and/or implementing the recovery/reconstitution of system information