CP-8(4): Provider Contingency Plan

Control Family:

Contingency Planning

CSF v1.1 References:

Threats Addressed:


  • High

Next Version:

Control Statement

The organization:

  1. Requires primary and alternate telecommunications service providers to have contingency plans;
  2. Reviews provider contingency plans to ensure that the plans meet organizational contingency requirements; and
  3. Obtains evidence of contingency testing/training by providers [Assignment: organization-defined frequency].

Supplemental Guidance

Reviews of provider contingency plans consider the proprietary nature of such plans. In some situations, a summary of provider contingency plans may be sufficient evidence for organizations to satisfy the review requirement. Telecommunications service providers may also participate in ongoing disaster recovery exercises in coordination with the Department of Homeland Security, state, and local governments. Organizations may use these types of activities to satisfy evidentiary requirements related to service provider contingency plan reviews, testing, and training.