CP - Contingency Planning

  • Controls Count: 6
  • Controls IDs: CP-1, CP-2, CP-3, CP-4, CP-9, CP-10

Controls

CP-1: Policy and Procedures

Develop, document, and disseminate to organization-defined personnel or roles:

organization-level, mission/business process-level, and/or system-level contingency planning policy that:

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls;

Designate an organization-defined official to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and

Review and update the current contingency planning:

Policy at an organization-defined frequency and following organization-defined events that would require the current contingency planning policy to be reviewed and updated; and

Procedures at an organization-defined frequency and following organization-defined events that would require procedures to be reviewed and updated.

Contingency planning policy and procedures address the controls in the CP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of contingency planning policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to contingency planning policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

a contingency planning policy is developed and documented;

the contingency planning policy is disseminated to the organization-defined personnel or roles to whom the contingency planning policy is to be disseminated;

contingency planning procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls are developed and documented;

the contingency planning procedures are disseminated to the organization-defined personnel or roles to whom the contingency planning procedures are to be disseminated;

the organization-level, mission/business process-level, and/or system-level contingency planning policy addresses purpose;

the organization-level, mission/business process-level, and/or system-level contingency planning policy addresses scope;

the organization-level, mission/business process-level, and/or system-level contingency planning policy addresses roles;

the organization-level, mission/business process-level, and/or system-level contingency planning policy addresses responsibilities;

the organization-level, mission/business process-level, and/or system-level contingency planning policy addresses management commitment;

the organization-level, mission/business process-level, and/or system-level contingency planning policy addresses coordination among organizational entities;

the organization-level, mission/business process-level, and/or system-level contingency planning policy addresses compliance;

the organization-level, mission/business process-level, and/or system-level contingency planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

the organization-defined official is designated to manage the development, documentation, and dissemination of the contingency planning policy and procedures;

the current contingency planning policy is reviewed and updated at the organization-defined frequency;

the current contingency planning policy is reviewed and updated following the organization-defined events that would require the current contingency planning policy to be reviewed and updated;

the current contingency planning procedures are reviewed and updated at the organization-defined frequency;

the current contingency planning procedures are reviewed and updated following the organization-defined events that would require procedures to be reviewed and updated.

Contingency planning policy and procedures

system security plan

privacy plan

other relevant documents or records

Organizational personnel with contingency planning responsibilities

organizational personnel with information security and privacy responsibilities

CP-2: Contingency Plan

Develop a contingency plan for the system that:

Identifies essential mission and business functions and associated contingency requirements;

Provides recovery objectives, restoration priorities, and metrics;

Addresses contingency roles, responsibilities, assigned individuals with contact information;

Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;

Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented;

Addresses the sharing of contingency information; and

Is reviewed and approved by organization-defined personnel or roles;

Distribute copies of the contingency plan to organization-defined key contingency personnel (identified by name and/or by role) and organizational elements;

Coordinate contingency planning activities with incident handling activities;

Review the contingency plan for the system at an organization-defined frequency;

Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;

Communicate contingency plan changes to organization-defined key contingency personnel (identified by name and/or by role) and organizational elements;

Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and

Protect the contingency plan from unauthorized disclosure and modification.

Contingency planning for systems is part of an overall program for achieving continuity of operations for organizational mission and business functions. Contingency planning addresses system restoration and implementation of alternative mission or business processes when systems are compromised or breached. Contingency planning is considered throughout the system development life cycle and is a fundamental part of the system design. Systems can be designed for redundancy, to provide backup capabilities, and for resilience. Contingency plans reflect the degree of restoration required for organizational systems since not all systems need to fully recover to achieve the level of continuity of operations desired. System recovery objectives reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, organizational risk tolerance, and system impact level.

Actions addressed in contingency plans include orderly system degradation, system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By coordinating contingency planning with incident handling activities, organizations ensure that the necessary planning activities are in place and activated in the event of an incident. Organizations consider whether continuity of operations during an incident conflicts with the capability to automatically disable the system, as specified in IR-4(5). Incident response planning is part of contingency planning for organizations and is addressed in the IR (Incident Response) family.

a contingency plan for the system is developed that identifies essential mission and business functions and associated contingency requirements;

a contingency plan for the system is developed that provides recovery objectives;

a contingency plan for the system is developed that provides restoration priorities;

a contingency plan for the system is developed that provides metrics;

a contingency plan for the system is developed that addresses contingency roles;

a contingency plan for the system is developed that addresses contingency responsibilities;

a contingency plan for the system is developed that addresses assigned individuals with contact information;

a contingency plan for the system is developed that addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;

a contingency plan for the system is developed that addresses eventual, full-system restoration without deterioration of the controls originally planned and implemented;

a contingency plan for the system is developed that addresses the sharing of contingency information;

a contingency plan for the system is developed that is reviewed by the organization-defined personnel or roles to review a contingency plan;

a contingency plan for the system is developed that is approved by the organization-defined personnel or roles to approve a contingency plan;

copies of the contingency plan are distributed to the organization-defined key contingency personnel (identified by name and/or by role) to whom copies of the contingency plan are distributed;

copies of the contingency plan are distributed to the organization-defined key contingency organizational elements to which copies of the contingency plan are distributed;

contingency planning activities are coordinated with incident handling activities;

the contingency plan for the system is reviewed at the organization-defined frequency of contingency plan review;

the contingency plan is updated to address changes to the organization, system, or environment of operation;

the contingency plan is updated to address problems encountered during contingency plan implementation, execution, or testing;

contingency plan changes are communicated to the organization-defined key contingency personnel (identified by name and/or by role) to communicate changes to;

contingency plan changes are communicated to the organization-defined key contingency organizational elements to communicate changes to;

lessons learned from contingency plan testing or actual contingency activities are incorporated into contingency testing;

lessons learned from contingency plan training or actual contingency activities are incorporated into contingency testing and training;

the contingency plan is protected from unauthorized disclosure;

the contingency plan is protected from unauthorized modification.

Contingency planning policy

procedures addressing contingency operations for the system

contingency plan

evidence of contingency plan reviews and updates

system security plan

other relevant documents or records

Organizational personnel with contingency planning and plan implementation responsibilities

organizational personnel with incident handling responsibilities

organizational personnel with knowledge of requirements for mission and business functions

organizational personnel with information security responsibilities

Organizational processes for contingency plan development, review, update, and protection

mechanisms for developing, reviewing, updating, and/or protecting the contingency plan

CP-3: Contingency Training

Provide contingency training to system users consistent with assigned roles and responsibilities:

Within an organization-defined time period of assuming a contingency role or responsibility;

When required by system changes; and

At an organization-defined frequency thereafter; and

Review and update contingency training content at an organization-defined frequency and following organization-defined events necessitating review and update of contingency training.

Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, some individuals may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to establish systems at alternate processing and storage sites; and organizational officials may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles or responsibilities reflects the specific continuity requirements in the contingency plan. Events that may precipitate an update to contingency training content include, but are not limited to, contingency plan testing or an actual contingency (lessons learned), assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. At the discretion of the organization, participation in a contingency plan test or exercise, including lessons learned sessions subsequent to the test or exercise, may satisfy contingency plan training requirements.

contingency training is provided to system users consistent with assigned roles and responsibilities within the organization-defined time period of assuming a contingency role or responsibility;

contingency training is provided to system users consistent with assigned roles and responsibilities when required by system changes;

contingency training is provided to system users consistent with assigned roles and responsibilities at the organization-defined frequency thereafter;

the contingency plan training content is reviewed and updated at the organization-defined frequency;

the contingency plan training content is reviewed and updated following the organization-defined events necessitating review and update of contingency training.

Contingency planning policy

procedures addressing contingency training

contingency plan

contingency training curriculum

contingency training material

contingency training records

system security plan

other relevant documents or records

Organizational personnel with contingency planning, plan implementation, and training responsibilities

organizational personnel with information security responsibilities

Organizational processes for contingency training

CP-4: Contingency Plan Testing

Test the contingency plan for the system at an organization-defined frequency using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: organization-defined tests.

Review the contingency plan test results; and

Initiate corrective actions, if needed.

Methods for testing contingency plans to determine the effectiveness of the plans and identify potential weaknesses include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions.

the contingency plan for the system is tested at the organization-defined frequency;

the organization-defined tests for determining the effectiveness of the contingency plan are used to determine the effectiveness of the plan;

the organization-defined tests for determining readiness to execute the contingency plan are used to determine the readiness to execute the plan;

the contingency plan test results are reviewed;

corrective actions are initiated, if needed.

Contingency planning policy

procedures addressing contingency plan testing

contingency plan

contingency plan test documentation

contingency plan test results

system security plan

other relevant documents or records

Organizational personnel with responsibilities for contingency plan testing, reviewing, or responding to contingency plan tests

organizational personnel with information security responsibilities

Organizational processes for contingency plan testing

mechanisms supporting the contingency plan and/or contingency plan testing

CP-9: System Backup

Conduct backups of user-level information contained in organization-defined system components at an organization-defined frequency consistent with recovery time and recovery point objectives;

Conduct backups of system-level information contained in the system at an organization-defined frequency consistent with recovery time and recovery point objectives;

Conduct backups of system documentation, including security- and privacy-related documentation, at an organization-defined frequency consistent with recovery time and recovery point objectives; and

Protect the confidentiality, integrity, and availability of backup information.

System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of system backup information while in transit is addressed by MP-5 and SC-8. System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements.
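
As an added illustration of the integrity mechanisms named above (not part of the control text), this Python example records a SHA-256 digest for each backed-up object, authenticates the manifest with HMAC-SHA256 as a stand-in for a digital signature, and checks backup age against a recovery point objective. The function names, manifest layout, key, and sample files are assumptions constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed sample data: a demo key and an in-memory "backup set".
DEMO_KEY = b"constructed-demo-key-not-for-production"
CREATED = datetime(2024, 1, 1, 2, 0, tzinfo=timezone.utc)
SAMPLE_FILES = {
    "etc/app.conf": b"listen=443\n",
    "db/users.sql": b"INSERT INTO users VALUES (1, 'alice');\n",
}


def manifest_mac(key: bytes, body: dict) -> str:
    # Canonical JSON so the same manifest body always yields the same MAC.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def build_manifest(files: dict, key: bytes, created_at: datetime) -> dict:
    """Record one SHA-256 digest per backed-up object and authenticate the record."""
    body = {
        "created_at": created_at.isoformat(),
        "sha256": {n: hashlib.sha256(d).hexdigest() for n, d in files.items()},
    }
    return {"body": body, "mac": manifest_mac(key, body)}


def verify_backup(manifest: dict, files: dict, key: bytes,
                  now: datetime, rpo: timedelta) -> list:
    """Return a list of findings; an empty list means the backup set passed."""
    body = manifest["body"]
    # Authenticate the manifest first: its digests are only trustworthy
    # if the manifest itself has not been altered.
    if not hmac.compare_digest(manifest_mac(key, body), manifest["mac"]):
        return ["manifest: authentication failed"]
    findings = []
    for name, expected in sorted(body["sha256"].items()):
        if name not in files:
            findings.append(f"{name}: missing from backup set")
        elif hashlib.sha256(files[name]).hexdigest() != expected:
            findings.append(f"{name}: digest mismatch")
    for name in sorted(set(files) - set(body["sha256"])):
        findings.append(f"{name}: not listed in manifest")
    # Freshness: a backup older than the RPO cannot meet the recovery point.
    age = now - datetime.fromisoformat(body["created_at"])
    if age > rpo:
        findings.append(f"backup age {age} exceeds RPO {rpo}")
    return findings


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_FILES, DEMO_KEY, CREATED)
    altered = dict(SAMPLE_FILES, **{"etc/app.conf": b"listen=8080\n"})
    for label, files, now in [
        ("intact", SAMPLE_FILES, CREATED + timedelta(hours=1)),
        ("altered", altered, CREATED + timedelta(hours=1)),
        ("stale", SAMPLE_FILES, CREATED + timedelta(hours=30)),
    ]:
        result = verify_backup(manifest, files, DEMO_KEY, now, timedelta(hours=24))
        print(label, result or "OK")
```

A bare hash list detects accidental corruption only; authenticating the manifest is what lets the check detect deliberate modification of both a file and its recorded digest.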

backups of user-level information contained in the organization-defined system components are conducted at the organization-defined frequency consistent with recovery time and recovery point objectives;

backups of system-level information contained in the system are conducted at the organization-defined frequency consistent with recovery time and recovery point objectives;

backups of system documentation, including security- and privacy-related documentation, are conducted at the organization-defined frequency consistent with recovery time and recovery point objectives;

the confidentiality of backup information is protected;

the integrity of backup information is protected;

the availability of backup information is protected.

Contingency planning policy

procedures addressing system backup

contingency plan

backup storage location(s)

system backup logs or records

system security plan

privacy plan

other relevant documents or records

Organizational personnel with system backup responsibilities

organizational personnel with information security and privacy responsibilities

Organizational processes for conducting system backups

mechanisms supporting and/or implementing system backups

CP-10: System Recovery and Reconstitution

Provide for the recovery and reconstitution of the system to a known state within organization-defined time period consistent with recovery time and recovery point objectives after a disruption, compromise, or failure.

Recovery is executing contingency plan activities to restore organizational mission and business functions. Reconstitution takes place following recovery and includes activities for returning systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities; recovery point, recovery time, and reconstitution objectives; and organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of interim system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored system capabilities, reestablishment of continuous monitoring activities, system reauthorization (if required), and activities to prepare the system and organization for future disruptions, breaches, compromises, or failures. Recovery and reconstitution capabilities can include automated mechanisms and manual procedures. Organizations establish recovery time and recovery point objectives as part of contingency planning.

the recovery of the system to a known state is provided within the organization-defined time period consistent with recovery time and recovery point objectives after a disruption, compromise, or failure;

a reconstitution of the system to a known state is provided within the organization-defined time period consistent with recovery time and recovery point objectives after a disruption, compromise, or failure.

Contingency planning policy

procedures addressing system backup

contingency plan

system backup test results

contingency plan test results

contingency plan test documentation

redundant secondary system for system backups

location(s) of redundant secondary backup system(s)

system security plan

other relevant documents or records

Organizational personnel with contingency planning, recovery, and/or reconstitution responsibilities

organizational personnel with information security responsibilities

Organizational processes implementing system recovery and reconstitution operations

mechanisms supporting and/or implementing system recovery and reconstitution operations