CP: Contingency Planning

Controls

CP-1: Policy and Procedures

Baseline(s):

  • Low
  • Moderate
  • High

Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Assignment (one or more): organization-level, mission/business process-level, system-level] contingency planning policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and Procedures to facilitate the implementation…

CP-2: Contingency Plan

Baseline(s):

  • Low
  • Moderate
  • High

Develop a contingency plan for the system that: Identifies essential mission and business functions and associated contingency requirements; Provides recovery objectives, restoration priorities, and metrics; Addresses contingency roles, responsibilities, assigned individuals with contact information; Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure; Addresses eventual, full system restoration without deterioration…

CP-3: Contingency Training

Baseline(s):

  • Low
  • Moderate
  • High

Provide contingency training to system users consistent with assigned roles and responsibilities: Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility; When required by system changes; and [Assignment: organization-defined frequency] thereafter; and Review and update contingency training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].

CP-4: Contingency Plan Testing

Baseline(s):

  • Low
  • Moderate
  • High

Test the contingency plan for the system [Assignment: organization-defined frequency] using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: [Assignment: organization-defined tests]. Review the contingency plan test results; and Initiate corrective actions, if needed.

CP-6: Alternate Storage Site

Baseline(s):

  • Moderate
  • High

Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and Ensure that the alternate storage site provides controls equivalent to that of the primary site.

CP-7: Alternate Processing Site

Baseline(s):

  • Moderate
  • High

Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable; Make available at the alternate processing site, the equipment and…

CP-8: Telecommunications Services

Baseline(s):

  • Moderate
  • High

Establish alternate telecommunications services, including necessary agreements to permit the resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.

CP-9: System Backup

Baseline(s):

  • Low
  • Moderate
  • High

Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; Conduct backups of system documentation, including security- and privacy-related documentation [Assignment: organization-defined frequency…

CP-10: System Recovery and Reconstitution

Baseline(s):

  • Low
  • Moderate
  • High

Provide for the recovery and reconstitution of the system to a known state within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] after a disruption, compromise, or failure.

CP-11: Alternate Communications Protocols

Baseline(s):

(Not part of any baseline)

Provide the capability to employ [Assignment: organization-defined alternative communications protocols] in support of maintaining continuity of operations.

CP-12: Safe Mode

Baseline(s):

(Not part of any baseline)

When [Assignment: organization-defined conditions] are detected, enter a safe mode of operation with [Assignment: organization-defined restrictions of safe mode of operation].

CP-13: Alternative Security Mechanisms

Baseline(s):

(Not part of any baseline)

Employ [Assignment: organization-defined alternative or supplemental security mechanisms] for satisfying [Assignment: organization-defined security functions] when the primary means of implementing the security function is unavailable or compromised.