Contingency Planning (CP)¶

• a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
  • 1. [Selection: one or more of: organization-level; mission/business process-level; system-level] contingency planning policy that:
    • (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    • (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
  • 2. Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls;
• b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and
• c. Review and update the current contingency planning:
  • 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
  • 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• a. Develop a contingency plan for the system that:
  • 1. Identifies essential mission and business functions and associated contingency requirements;
  • 2. Provides recovery objectives, restoration priorities, and metrics;
  • 3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
  • 4. Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;
  • 5. Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented;
  • 6. Addresses the sharing of contingency information; and
  • 7. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
• b. Distribute copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
• c. Coordinate contingency planning activities with incident handling activities;
• d. Review the contingency plan for the system [Assignment: organization-defined frequency];
• e. Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
• f. Communicate contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
• g. Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and
• h. Protect the contingency plan from unauthorized disclosure and modification.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Coordinate contingency plan development with organizational elements responsible for related plans.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Conduct capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Plan for the resumption of [Selection: one of: all; essential] mission and business functions within [Assignment: organization-defined time period] of contingency plan activation.

External Link for Additional Information: myctrl.tools

Plan for the continuance of [Selection: one of: all; essential] mission and business functions with minimal or no loss of operational continuity and sustains that continuity until full system restoration at primary processing and/or storage sites.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Plan for the transfer of [Selection: one of: all; essential] mission and business functions to alternate processing and/or storage sites with minimal or no loss of operational continuity and sustain that continuity through system restoration to primary processing and/or storage sites.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Coordinate the contingency plan with the contingency plans of external service providers to ensure that contingency requirements can be satisfied.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Identify critical system assets supporting [Selection: one of: all; essential] mission and business functions.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• a. Provide contingency training to system users consistent with assigned roles and responsibilities:
  • 1. Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility;
  • 2. When required by system changes; and
  • 3. [Assignment: organization-defined frequency] thereafter; and
• b. Review and update contingency training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Employ mechanisms used in operations to provide a more thorough and realistic contingency training environment.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• a. Test the contingency plan for the system [Assignment: organization-defined frequency] using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: [Assignment: organization-defined tests].
• b. Review the contingency plan test results; and
• c. Initiate corrective actions, if needed.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Coordinate contingency plan testing with organizational elements responsible for related plans.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Test the contingency plan at the alternate processing site:

• (a) To familiarize contingency personnel with the facility and available resources; and
• (b) To evaluate the capabilities of the alternate processing site to support contingency operations.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Test the contingency plan using [Assignment: organization-defined automated mechanisms].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Include a full recovery and reconstitution of the system to a known state as part of contingency plan testing.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Employ [Assignment: organization-defined mechanisms] to [Assignment: organization-defined system or system component] to disrupt and adversely affect the system or system component.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• a. Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and
• b. Ensure that the alternate storage site provides controls equivalent to that of the primary site.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Configure the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Identify potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outline explicit mitigation actions.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• a. Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period] when the primary processing capabilities are unavailable;
• b. Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time period for transfer and resumption; and
• c. Provide controls at the alternate processing site that are equivalent to those at the primary site.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Identify an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats.

External Link for Additional Information: myctrl.tools

Identify potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives).

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Prepare the alternate processing site so that the site can serve as the operational site supporting essential mission and business functions.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Plan and prepare for circumstances that preclude returning to the primary processing site.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Establish alternate telecommunications services, including necessary agreements to permit the resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• (a) Develop primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives); and
• (b) Request Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Obtain alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• (a) Require primary and alternate telecommunications service providers to have contingency plans;
• (b) Review provider contingency plans to ensure that the plans meet organizational contingency requirements; and
• (c) Obtain evidence of contingency testing and training by providers [Assignment: organization-defined frequency].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Test alternate telecommunication services [Assignment: organization-defined frequency].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• a. Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency];
• b. Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency];
• c. Conduct backups of system documentation, including security- and privacy-related documentation [Assignment: organization-defined frequency]; and
• d. Protect the confidentiality, integrity, and availability of backup information.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Test backup information [Assignment: organization-defined frequency] to verify media reliability and information integrity.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Use a sample of backup information in the restoration of selected system functions as part of contingency plan testing.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Store backup copies of [Assignment: organization-defined critical system software and other security-related information] in a separate facility or in a fire rated container that is not collocated with the operational system.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Transfer system backup information to the alternate storage site [Assignment: organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Conduct system backup by maintaining a redundant secondary system that is not collocated with the primary system and that can be activated without loss of information or disruption to operations.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Enforce dual authorization for the deletion or destruction of [Assignment: organization-defined backup information].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined backup information].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Provide for the recovery and reconstitution of the system to a known state within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] after a disruption, compromise, or failure.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Implement transaction recovery for systems that are transaction-based.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Provide the capability to restore system components within [Assignment: organization-defined restoration time periods] from configuration-controlled and integrity-protected information representing a known, operational state for the components.

External Link for Additional Information: myctrl.tools

Protect system components used for recovery and reconstitution.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Provide the capability to employ [Assignment: organization-defined alternative communications protocols] in support of maintaining continuity of operations.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

When [Assignment: organization-defined conditions] are detected, enter a safe mode of operation with [Assignment: organization-defined restrictions].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Employ [Assignment: organization-defined alternative or supplemental security mechanisms] for satisfying [Assignment: organization-defined security functions] when the primary means of implementing the security function is unavailable or compromised.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools