CP-4: Contingency Plan Testing
Control Family:
Next Version:
- NIST Special Publication 800-53 Revision 5:
- CP-4: Contingency Plan Testing
Control Statement
The organization:
- Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan;
- Reviews the contingency plan test results; and
- Initiates corrective actions, if needed.
Supplemental Guidance
Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include, for example, walk-through and tabletop exercises, checklists, simulations (parallel, full interrupt), and comprehensive exercises. Organizations conduct testing based on the continuity requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals arising due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions.
Control Enhancements
CP-4(1): Coordinate With Related Plans
Baseline(s):
- Moderate
- High
The organization coordinates contingency plan testing with organizational elements responsible for related plans.
CP-4(2): Alternate Processing Site
Baseline(s):
- High
The organization tests the contingency plan at the alternate processing site:
- To familiarize contingency personnel with the facility and available resources; and
- To evaluate the capabilities of the alternate processing site to support contingency operations.
CP-4(3): Automated Testing
Baseline(s):
The organization employs automated mechanisms to more thoroughly and effectively test the contingency plan.
CP-4(4): Full Recovery / Reconstitution
Baseline(s):
The organization includes a full recovery and reconstitution of the information system to a known state as part of contingency plan testing.