- Determines mean time to failure (MTTF) for [Assignment: organization-defined information system components] in specific environments of operation; and
- Provides substitute information system components and a means to exchange active and standby components at [Assignment: organization-defined MTTF substitution criteria].
While MTTF is primarily a reliability issue, this control addresses potential failures of specific information system components that provide security capability. Failure rates reflect installation-specific consideration, not industry-average. Organizations define criteria for substitution of information system components based on MTTF value with consideration for resulting potential harm from component failures. Transfer of responsibilities between active and standby components does not compromise safety, operational readiness, or security capability (e.g., preservation of state variables). Standby components remain available at all times except for maintenance issues or recovery failures in progress.
The organization takes information system components out of service by transferring component responsibilities to substitute components no later than [Assignment: organization-defined fraction or percentage] of mean time to failure.
The organization manually initiates transfers between active and standby information system components [Assignment: organization-defined frequency] if the mean time to failure exceeds [Assignment: organization-defined time period].
The organization, if information system component failures are detected: Ensures that the standby components are successfully and transparently installed within [Assignment: organization-defined time period]; and [Selection (one or more): activates [Assignment: organization-defined alarm]; automatically shuts down the information system].
The organization provides [Selection: real-time; near real-time] [Assignment: organization-defined failover capability] for the information system.