CP - Contingency Planning
- Controls Count: 12
- Controls IDs: CP-2 (2), CP-2 (5), CP-3 (1), CP-4 (2), CP-6 (2), CP-7 (4), CP-8 (3), CP-8 (4), CP-9 (2), CP-9 (3), CP-9 (5), CP-10 (4)
Controls
CP-2 (2): Capacity Planning
Conduct capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.
Capacity planning is needed because different threats can result in a reduction of the available processing, telecommunications, and support services intended to support essential mission and business functions. Organizations anticipate degraded operations during contingency operations and factor the degradation into capacity planning. For capacity planning, environmental support refers to any environmental factor for which the organization determines that it needs to provide support in a contingency situation, even if in a degraded state. Such determinations are based on an organizational assessment of risk, system categorization (impact level), and organizational risk tolerance.
capacity planning is conducted so that the necessary capacity exists during contingency operations for information processing;
capacity planning is conducted so that the necessary capacity exists during contingency operations for telecommunications;
capacity planning is conducted so that the necessary capacity exists during contingency operations for environmental support.
Contingency planning policy
procedures addressing contingency operations for the system
contingency plan
capacity planning documents
system security plan
other relevant documents or records
Organizational personnel with contingency planning and plan implementation responsibilities
organizational personnel responsible for capacity planning
organizational personnel with information security responsibilities
CP-2 (5): Continue Mission and Business Functions
Plan for the continuance of alloressential mission and business functions with minimal or no loss of operational continuity and sustains that continuity until full system restoration at primary processing and/or storage sites.
Organizations may choose to conduct the contingency planning activities to continue mission and business functions as part of business continuity planning or business impact analyses. Primary processing and/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency.
the continuance of alloressential mission and business functions with minimal or no loss of operational continuity is planned for;
continuity is sustained until full system restoration at primary processing and/or storage sites.
Contingency planning policy
procedures addressing contingency operations for the system
contingency plan
business impact assessment
primary processing site agreements
primary storage site agreements
alternate processing site agreements
alternate storage site agreements
contingency plan test documentation
contingency plan test results
system security plan
other relevant documents or records
Organizational personnel with contingency planning and plan implementation responsibilities
organizational personnel with knowledge of requirements for mission and business functions
organizational personnel with information security responsibilities
Organizational processes for continuing missions and business functions
CP-3 (1): Simulated Events
Incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations.
The use of simulated events creates an environment for personnel to experience actual threat events, including cyber-attacks that disable websites, ransomware attacks that encrypt organizational data on servers, hurricanes that damage or destroy organizational facilities, or hardware or software failures.
simulated events are incorporated into contingency training to facilitate effective response by personnel in crisis situations.
Contingency planning policy
procedures addressing contingency training
contingency plan
contingency training curriculum
contingency training material
system security plan
other relevant documents or records
Organizational personnel with contingency planning, plan implementation, and training responsibilities
organizational personnel with information security responsibilities
Organizational processes for contingency training
mechanisms for simulating contingency events
CP-4 (2): Alternate Processing Site
Test the contingency plan at the alternate processing site:
To familiarize contingency personnel with the facility and available resources; and
To evaluate the capabilities of the alternate processing site to support contingency operations.
Conditions at the alternate processing site may be significantly different than the conditions at the primary site. Having the opportunity to visit the alternate site and experience the actual capabilities available at the site can provide valuable information on potential vulnerabilities that could affect essential organizational mission and business functions. The on-site visit can also provide an opportunity to refine the contingency plan to address the vulnerabilities discovered during testing.
the contingency plan is tested at the alternate processing site to familiarize contingency personnel with the facility and available resources;
the contingency plan is tested at the alternate processing site to evaluate the capabilities of the alternate processing site to support contingency operations.
Contingency planning policy
procedures addressing contingency plan testing
contingency plan
contingency plan test documentation
contingency plan test results
alternate processing site agreements
service-level agreements
system security plan
other relevant documents or records
Organizational personnel with contingency planning and plan implementation responsibilities
organizational personnel with information security responsibilities
Organizational processes for contingency plan testing
mechanisms supporting the contingency plan and/or contingency plan testing
CP-6 (2): Recovery Time and Recovery Point Objectives
Configure the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives.
Organizations establish recovery time and recovery point objectives as part of contingency planning. Configuration of the alternate storage site includes physical facilities and the systems supporting recovery operations that ensure accessibility and correct execution.
the alternate storage site is configured to facilitate recovery operations in accordance with recovery time objectives;
the alternate storage site is configured to facilitate recovery operations in accordance with recovery point objectives.
Contingency planning policy
procedures addressing alternate storage sites
contingency plan
alternate storage site
alternate storage site agreements
alternate storage site configurations
system security plan
other relevant documents or records
Organizational personnel with contingency plan testing responsibilities
organizational personnel with responsibilities for testing related plans
organizational personnel with information security responsibilities
Organizational processes for contingency plan testing
mechanisms supporting recovery time and point objectives
CP-7 (4): Preparation for Use
Prepare the alternate processing site so that the site can serve as the operational site supporting essential mission and business functions.
Site preparation includes establishing configuration settings for systems at the alternate processing site consistent with the requirements for such settings at the primary site and ensuring that essential supplies and logistical considerations are in place.
the alternate processing site is prepared so that the site can serve as the operational site supporting essential mission and business functions.
Contingency planning policy
procedures addressing alternate processing sites
contingency plan
alternate processing site
alternate processing site agreements
alternate processing site configurations
system security plan
other relevant documents or records
Organizational personnel with contingency plan alternate processing site responsibilities
organizational personnel with system recovery responsibilities
organizational personnel with information security responsibilities
Mechanisms supporting and/or implementing recovery at the alternate processing site
CP-8 (3): Separation of Primary and Alternate Providers
Obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.
Threats that affect telecommunications services are defined in organizational assessments of risk and include natural disasters, structural failures, cyber or physical attacks, and errors of omission or commission. Organizations can reduce common susceptibilities by minimizing shared infrastructure among telecommunications service providers and achieving sufficient geographic separation between services. Organizations may consider using a single service provider in situations where the service provider can provide alternate telecommunications services that meet the separation needs addressed in the risk assessment.
alternate telecommunications services from providers that are separated from primary service providers are obtained to reduce susceptibility to the same threats.
Contingency planning policy
procedures addressing primary and alternate telecommunications services
contingency plan
primary and alternate telecommunications service agreements
alternate telecommunications service provider site
primary telecommunications service provider site
other relevant documents or records
Organizational personnel with contingency plan telecommunications responsibilities
organizational personnel with system recovery responsibilities
primary and alternate telecommunications service providers
organizational personnel with information security responsibilities
CP-8 (4): Provider Contingency Plan
Require primary and alternate telecommunications service providers to have contingency plans;
Review provider contingency plans to ensure that the plans meet organizational contingency requirements; and
Obtain evidence of contingency testing and training by providers organization-defined frequency.
Reviews of provider contingency plans consider the proprietary nature of such plans. In some situations, a summary of provider contingency plans may be sufficient evidence for organizations to satisfy the review requirement. Telecommunications service providers may also participate in ongoing disaster recovery exercises in coordination with the Department of Homeland Security and state and local governments. Organizations may use these types of activities to satisfy evidentiary requirements related to service provider contingency plan reviews, testing, and training.
primary telecommunications service providers are required to have contingency plans;
alternate telecommunications service providers are required to have contingency plans;
provider contingency plans are reviewed to ensure that the plans meet organizational contingency requirements;
evidence of contingency testing by providers is obtained frequency at which to obtain evidence of contingency testing by providers is defined;.
evidence of contingency training by providers is obtained frequency at which to obtain evidence of contingency training by providers is defined;.
Contingency planning policy
procedures addressing primary and alternate telecommunications services
contingency plan
provider contingency plans
evidence of contingency testing/training by providers
primary and alternate telecommunications service agreements
system security plan
other relevant documents or records
Organizational personnel with contingency planning, plan implementation, and testing responsibilities
primary and alternate telecommunications service providers
organizational personnel with information security responsibilities
organizational personnel with responsibility for acquisitions/contractual agreements
CP-9 (2): Test Restoration Using Sampling
Use a sample of backup information in the restoration of selected system functions as part of contingency plan testing.
Organizations need assurance that system functions can be restored correctly and can support established organizational missions. To ensure that the selected system functions are thoroughly exercised during contingency plan testing, a sample of backup information is retrieved to determine whether the functions are operating as intended. Organizations can determine the sample size for the functions and backup information based on the level of assurance needed.
a sample of backup information in the restoration of selected system functions is used as part of contingency plan testing.
Contingency planning policy
procedures addressing system backup
contingency plan
system backup test results
contingency plan test documentation
contingency plan test results
system security plan
other relevant documents or records
Organizational personnel with system backup responsibilities
organizational personnel with contingency planning/contingency plan testing responsibilities
organizational personnel with information security responsibilities
Organizational processes for conducting system backups
mechanisms supporting and/or implementing system backups
CP-9 (3): Separate Storage for Critical Information
Store backup copies of critical system software and other security-related information backups to be stored in a separate facility are defined; in a separate facility or in a fire rated container that is not collocated with the operational system.
Separate storage for critical information applies to all critical information regardless of the type of backup storage media. Critical system software includes operating systems, middleware, cryptographic key management systems, and intrusion detection systems. Security-related information includes inventories of system hardware, software, and firmware components. Alternate storage sites, including geographically distributed architectures, serve as separate storage facilities for organizations. Organizations may provide separate storage by implementing automated backup processes at alternative storage sites (e.g., data centers). The General Services Administration (GSA) establishes standards and specifications for security and fire rated containers.
backup copies of critical system software and other security-related information backups to be stored in a separate facility are defined; are stored in a separate facility or in a fire rated container that is not collocated with the operational system.
Contingency planning policy
procedures addressing system backup
contingency plan
backup storage location(s)
system backup configurations and associated documentation
system backup logs or records
system security plan
other relevant documents or records
Organizational personnel with contingency planning and plan implementation responsibilities
organizational personnel with system backup responsibilities
organizational personnel with information security responsibilities
CP-9 (5): Transfer to Alternate Storage Site
Transfer system backup information to the alternate storage site organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives.
System backup information can be transferred to alternate storage sites either electronically or by the physical shipment of storage media.
system backup information is transferred to the alternate storage site for time period consistent with recovery time and recovery point objectives is defined;;
system backup information is transferred to the alternate storage site transfer rate consistent with recovery time and recovery point objectives is defined;.
Contingency planning policy
procedures addressing system backup
contingency plan
system backup logs or records
evidence of system backup information transferred to alternate storage site
alternate storage site agreements
system security plan
other relevant documents or records
Organizational personnel with system backup responsibilities
organizational personnel with information security responsibilities
Organizational processes for transferring system backups to the alternate storage site
mechanisms supporting and/or implementing system backups
mechanisms supporting and/or implementing information transfer to the alternate storage site
CP-10 (4): Restore Within Time Period
Provide the capability to restore system components within restoration time period within which to restore system components to a known, operational state is defined; from configuration-controlled and integrity-protected information representing a known, operational state for the components.
Restoration of system components includes reimaging, which restores the components to known, operational states.
the capability to restore system components within restoration time period within which to restore system components to a known, operational state is defined; from configuration-controlled and integrity-protected information representing a known, operational state for the components is provided.
Contingency planning policy
procedures addressing system recovery and reconstitution
contingency plan
system design documentation
system configuration settings and associated documentation
contingency plan test documentation
contingency plan test results
evidence of system recovery and reconstitution operations
system security plan
other relevant documents or records
Organizational personnel with system recovery and reconstitution responsibilities
organizational personnel with information security responsibilities
Mechanisms supporting and/or implementing the recovery/reconstitution of system information