CP - Contingency Planning
- Controls Count: 17
- Controls IDs: CP-2 (1), CP-2 (3), CP-2 (8), CP-4 (1), CP-6, CP-6 (1), CP-6 (3), CP-7, CP-7 (1), CP-7 (2), CP-7 (3), CP-8, CP-8 (1), CP-8 (2), CP-9 (1), CP-9 (8), CP-10 (2)
Controls
CP-2 (1): Coordinate with Related Plans
Coordinate contingency plan development with organizational elements responsible for related plans.
Plans that are related to contingency plans include Business Continuity Plans, Disaster Recovery Plans, Critical Infrastructure Plans, Continuity of Operations Plans, Crisis Communications Plans, Insider Threat Implementation Plans, Data Breach Response Plans, Cyber Incident Response Plans, Breach Response Plans, and Occupant Emergency Plans.
contingency plan development is coordinated with organizational elements responsible for related plans.
Contingency planning policy
procedures addressing contingency operations for the system
contingency plan
business contingency plans
disaster recovery plans
continuity of operations plans
crisis communications plans
critical infrastructure plans
cyber incident response plan
insider threat implementation plans
occupant emergency plans
system security plan
other relevant documents or records
Organizational personnel with contingency planning and plan implementation responsibilities
organizational personnel with information security responsibilities
personnel with responsibility for related plans
CP-2 (3): Resume Mission and Business Functions
Plan for the resumption of alloressential mission and business functions within the contingency plan activation time period within which to resume mission and business functions is defined; of contingency plan activation.
Organizations may choose to conduct contingency planning activities to resume mission and business functions as part of business continuity planning or as part of business impact analyses. Organizations prioritize the resumption of mission and business functions. The time period for resuming mission and business functions may be dependent on the severity and extent of the disruptions to the system and its supporting infrastructure.
the resumption of alloressential mission and business functions are planned for within the contingency plan activation time period within which to resume mission and business functions is defined; of contingency plan activation.
Contingency planning policy
procedures addressing contingency operations for the system
contingency plan
business impact assessment
system security plan
privacy plan
other related plans
system security plan
other relevant documents or records
Organizational personnel with contingency planning and plan implementation responsibilities
organizational personnel with information security and privacy responsibilities
organizational personnel with knowledge of requirements for mission and business functions
Organizational processes for resumption of missions and business functions
CP-2 (8): Identify Critical Assets
Identify critical system assets supporting alloressential mission and business functions.
Organizations may choose to identify critical assets as part of criticality analysis, business continuity planning, or business impact analyses. Organizations identify critical system assets so that additional controls can be employed (beyond the controls routinely implemented) to help ensure that organizational mission and business functions can continue to be conducted during contingency operations. The identification of critical information assets also facilitates the prioritization of organizational resources. Critical system assets include technical and operational aspects. Technical aspects include system components, information technology services, information technology products, and mechanisms. Operational aspects include procedures (i.e., manually executed operations) and personnel (i.e., individuals operating technical controls and/or executing manual procedures). Organizational program protection plans can assist in identifying critical assets. If critical assets are resident within or supported by external service providers, organizations consider implementing CP-2(7) as a control enhancement.
critical system assets supporting alloressential mission and business functions are identified.
Contingency planning policy
procedures addressing contingency operations for the system
contingency plan
business impact assessment
system security plan
other relevant documents or records
Organizational personnel with contingency planning and plan implementation responsibilities
organizational personnel with knowledge of requirements for mission and business functions
organizational personnel with information security responsibilities
CP-4 (1): Coordinate with Related Plans
Coordinate contingency plan testing with organizational elements responsible for related plans.
Plans related to contingency planning for organizational systems include Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, and Occupant Emergency Plans. Coordination of contingency plan testing does not require organizations to create organizational elements to handle related plans or to align such elements with specific plans. However, it does require that if such organizational elements are responsible for related plans, organizations coordinate with those elements.
contingency plan testing is coordinated with organizational elements responsible for related plans.
Contingency planning policy
incident response policy
procedures addressing contingency plan testing
contingency plan testing documentation
contingency plan
business continuity plans
disaster recovery plans
continuity of operations plans
crisis communications plans
critical infrastructure plans
cyber incident response plans
occupant emergency plans
system security plan
other relevant documents or records
Organizational personnel with contingency plan testing responsibilities
personnel with responsibilities for related plans
organizational personnel with information security responsibilities
CP-6: Alternate Storage Site
Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and
Ensure that the alternate storage site provides controls equivalent to that of the primary site.
Alternate storage sites are geographically distinct from primary storage sites and maintain duplicate copies of information and data if the primary storage site is not available. Similarly, alternate processing sites provide processing capability if the primary processing site is not available. Geographically distributed architectures that support contingency requirements may be considered alternate storage sites. Items covered by alternate storage site agreements include environmental conditions at the alternate sites, access rules for systems and facilities, physical and environmental protection requirements, and coordination of delivery and retrieval of backup media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential mission and business functions despite compromise, failure, or disruption in organizational systems.
an alternate storage site is established;
establishment of the alternate storage site includes necessary agreements to permit the storage and retrieval of system backup information;
the alternate storage site provides controls equivalent to that of the primary site.
Contingency planning policy
procedures addressing alternate storage sites
contingency plan
alternate storage site agreements
primary storage site agreements
system security plan
other relevant documents or records
Organizational personnel with contingency plan alternate storage site responsibilities
organizational personnel with system recovery responsibilities
organizational personnel with information security responsibilities
Organizational processes for storing and retrieving system backup information at the alternate storage site
mechanisms supporting and/or implementing the storage and retrieval of system backup information at the alternate storage site
CP-6 (1): Separation from Primary Site
Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats.
Threats that affect alternate storage sites are defined in organizational risk assessments and include natural disasters, structural failures, hostile attacks, and errors of omission or commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate storage sites based on the types of threats that are of concern. For threats such as hostile attacks, the degree of separation between sites is less relevant.
an alternate storage site that is sufficiently separated from the primary storage site is identified to reduce susceptibility to the same threats.
Contingency planning policy
procedures addressing alternate storage sites
contingency plan
alternate storage site
alternate storage site agreements
primary storage site agreements
system security plan
other relevant documents or records
Organizational personnel with contingency plan alternate storage site responsibilities
organizational personnel with system recovery responsibilities
organizational personnel with information security responsibilities
CP-6 (3): Accessibility
Identify potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outline explicit mitigation actions.
Area-wide disruptions refer to those types of disruptions that are broad in geographic scope with such determinations made by organizations based on organizational assessments of risk. Explicit mitigation actions include duplicating backup information at other alternate storage sites if access problems occur at originally designated alternate sites or planning for physical access to retrieve backup information if electronic accessibility to the alternate site is disrupted.
potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster are identified;
explicit mitigation actions to address identified accessibility problems are outlined.
Contingency planning policy
procedures addressing alternate storage sites
contingency plan
alternate storage site
list of potential accessibility problems to alternate storage site
mitigation actions for accessibility problems to alternate storage site
organizational risk assessments
system security plan
other relevant documents or records
Organizational personnel with contingency plan alternate storage site responsibilities
organizational personnel with system recovery responsibilities
organizational personnel with information security responsibilities
CP-7: Alternate Processing Site
Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of system operations for essential mission and business functions are defined; for essential mission and business functions within time period consistent with recovery time and recovery point objectives is defined; when the primary processing capabilities are unavailable;
Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time period for transfer and resumption; and
Provide controls at the alternate processing site that are equivalent to those at the primary site.
Alternate processing sites are geographically distinct from primary processing sites and provide processing capability if the primary processing site is not available. The alternate processing capability may be addressed using a physical processing site or other alternatives, such as failover to a cloud-based service provider or other internally or externally provided processing service. Geographically distributed architectures that support contingency requirements may also be considered alternate processing sites. Controls that are covered by alternate processing site agreements include the environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and the coordination for the transfer and assignment of personnel. Requirements are allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential mission and business functions despite disruption, compromise, or failure in organizational systems.
an alternate processing site, including necessary agreements to permit the transfer and resumption of system operations for essential mission and business functions are defined; for essential mission and business functions, is established within time period consistent with recovery time and recovery point objectives is defined; when the primary processing capabilities are unavailable;
the equipment and supplies required to transfer operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within time period consistent with recovery time and recovery point objectives is defined; for transfer;
the equipment and supplies required to resume operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within time period consistent with recovery time and recovery point objectives is defined; for resumption;
controls provided at the alternate processing site are equivalent to those at the primary site.
Contingency planning policy
procedures addressing alternate processing sites
contingency plan
alternate processing site agreements
primary processing site agreements
spare equipment and supplies inventory at alternate processing site
equipment and supply contracts
service-level agreements
system security plan
other relevant documents or records
Organizational personnel with responsibilities for contingency planning and/or alternate site arrangements
organizational personnel with information security responsibilities
Organizational processes for recovery at the alternate site
mechanisms supporting and/or implementing recovery at the alternate processing site
CP-7 (1): Separation from Primary Site
Identify an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats.
Threats that affect alternate processing sites are defined in organizational assessments of risk and include natural disasters, structural failures, hostile attacks, and errors of omission or commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate processing sites based on the types of threats that are of concern. For threats such as hostile attacks, the degree of separation between sites is less relevant.
an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats is identified.
Contingency planning policy
procedures addressing alternate processing sites
contingency plan
alternate processing site
alternate processing site agreements
primary processing site agreements
system security plan
other relevant documents or records
Organizational personnel with contingency plan alternate processing site responsibilities
organizational personnel with system recovery responsibilities
organizational personnel with information security responsibilities
CP-7 (2): Accessibility
Identify potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
Area-wide disruptions refer to those types of disruptions that are broad in geographic scope with such determinations made by organizations based on organizational assessments of risk.
potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster are identified;
explicit mitigation actions to address identified accessibility problems are outlined.
Contingency planning policy
procedures addressing alternate processing sites
contingency plan
alternate processing site
alternate processing site agreements
primary processing site agreements
system security plan
other relevant documents or records
Organizational personnel with contingency plan alternate processing site responsibilities
organizational personnel with system recovery responsibilities
organizational personnel with information security responsibilities
CP-7 (3): Priority of Service
Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives).
Priority of service agreements refer to negotiated agreements with service providers that ensure that organizations receive priority treatment consistent with their availability requirements and the availability of information resources for logical alternate processing and/or at the physical alternate processing site. Organizations establish recovery time objectives as part of contingency planning.
alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed.
Contingency planning policy
procedures addressing alternate processing sites
contingency plan
alternate processing site agreements
service-level agreements
system security plan
other relevant documents or records
Organizational personnel with contingency plan alternate processing site responsibilities
organizational personnel with system recovery responsibilities
organizational personnel with information security responsibilities
organizational personnel with responsibility for acquisitions/contractual agreements
CP-8: Telecommunications Services
Establish alternate telecommunications services, including necessary agreements to permit the resumption of system operations to be resumed for essential mission and business functions are defined; for essential mission and business functions within time period within which to resume essential mission and business functions when the primary telecommunications capabilities are unavailable is defined; when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
Telecommunications services (for data and voice) for primary and alternate processing and storage sites are in scope for CP-8 . Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential mission and business functions despite the loss of primary telecommunications services. Organizations may specify different time periods for primary or alternate sites. Alternate telecommunications services include additional organizational or commercial ground-based circuits or lines, network-based approaches to telecommunications, or the use of satellites. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements.
alternate telecommunications services, including necessary agreements to permit the resumption of system operations to be resumed for essential mission and business functions are defined; , are established for essential mission and business functions within time period within which to resume essential mission and business functions when the primary telecommunications capabilities are unavailable is defined; when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
Contingency planning policy
procedures addressing alternate telecommunications services
contingency plan
primary and alternate telecommunications service agreements
system security plan
other relevant documents or records
Organizational personnel with contingency plan telecommunications responsibilities
organizational personnel with system recovery responsibilities
organizational personnel with knowledge of requirements for mission and business functions
organizational personnel with information security responsibilities
organizational personnel with responsibility for acquisitions/contractual agreements
Mechanisms supporting telecommunications
CP-8 (1): Priority of Service Provisions
Develop primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives); and
Request Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier.
Organizations consider the potential mission or business impact in situations where telecommunications service providers are servicing other organizations with similar priority of service provisions. Telecommunications Service Priority (TSP) is a Federal Communications Commission (FCC) program that directs telecommunications service providers (e.g., wireline and wireless phone companies) to give preferential treatment to users enrolled in the program when they need to add new lines or have their lines restored following a disruption of service, regardless of the cause. The FCC sets the rules and policies for the TSP program, and the Department of Homeland Security manages the TSP program. The TSP program is always in effect and not contingent on a major disaster or attack taking place. Federal sponsorship is required to enroll in the TSP program.
primary telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;
alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;
Telecommunications Service Priority is requested for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier.
Contingency planning policy
procedures addressing primary and alternate telecommunications services
contingency plan
primary and alternate telecommunications service agreements
Telecommunications Service Priority documentation
system security plan
other relevant documents or records
Organizational personnel with contingency plan telecommunications responsibilities
organizational personnel with system recovery responsibilities
organizational personnel with information security responsibilities
organizational personnel with responsibility for acquisitions/contractual agreements
Mechanisms supporting telecommunications
CP-8 (2): Single Points of Failure
Obtain alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.
In certain circumstances, telecommunications service providers or services may share the same physical lines, which increases the vulnerability of a single failure point. It is important to have provider transparency for the actual physical transmission capability for telecommunication services.
alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services are obtained.
Contingency planning policy
procedures addressing primary and alternate telecommunications services
contingency plan
primary and alternate telecommunications service agreements
system security plan
other relevant documents or records
Organizational personnel with contingency plan telecommunications responsibilities
organizational personnel with system recovery responsibilities
primary and alternate telecommunications service providers
organizational personnel with information security responsibilities
CP-9 (1): Testing for Reliability and Integrity
Test backup information organization-defined frequency to verify media reliability and information integrity.
Organizations need assurance that backup information can be reliably retrieved. Reliability pertains to the systems and system components where the backup information is stored, the operations used to retrieve the information, and the integrity of the information being retrieved. Independent and specialized tests can be used for each of the aspects of reliability. For example, decrypting and transporting (or transmitting) a random sample of backup files from the alternate storage or backup site and comparing the information to the same information at the primary processing site can provide such assurance.
backup information is tested frequency at which to test backup information for media reliability is defined; to verify media reliability;
backup information is tested frequency at which to test backup information for information integrity is defined; to verify information integrity.
Contingency planning policy
procedures addressing system backup
contingency plan
system backup test results
contingency plan test documentation
contingency plan test results
system security plan
other relevant documents or records
Organizational personnel with system backup responsibilities
organizational personnel with information security responsibilities
Organizational processes for conducting system backups
mechanisms supporting and/or implementing system backups
CP-9 (8): Cryptographic Protection
Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of backup information to protect against unauthorized disclosure and modification is defined;.
The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of backup information. The strength of mechanisms selected is commensurate with the security category or classification of the information. Cryptographic protection applies to system backup information in storage at both primary and alternate locations. Organizations that implement cryptographic mechanisms to protect information at rest also consider cryptographic key management solutions.
cryptographic mechanisms are implemented to prevent unauthorized disclosure and modification of backup information to protect against unauthorized disclosure and modification is defined;.
Contingency planning policy
procedures addressing system backup
contingency plan
system design documentation
system configuration settings and associated documentation
system security plan
other relevant documents or records
Organizational personnel with system backup responsibilities
organizational personnel with information security responsibilities
Mechanisms supporting and/or implementing cryptographic protection of backup information
CP-10 (2): Transaction Recovery
Implement transaction recovery for systems that are transaction-based.
Transaction-based systems include database management systems and transaction processing systems. Mechanisms supporting transaction recovery include transaction rollback and transaction journaling.
transaction recovery is implemented for systems that are transaction-based.
Contingency planning policy
procedures addressing system recovery and reconstitution
contingency plan
system design documentation
system configuration settings and associated documentation
contingency plan test documentation
contingency plan test results
system transaction recovery records
system audit records
system security plan
other relevant documents or records
Organizational personnel with responsibility for transaction recovery
organizational personnel with information security responsibilities
Mechanisms supporting and/or implementing transaction recovery capability