CP: Contingency Planning
Controls
CP-1: Policy and Procedures
Baseline(s):
- Low
- Moderate
- High
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Assignment (one or more): organization-level, mission/business process-level, system-level] contingency planning policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and Procedures to facilitate the implementation…
CP-2: Contingency Plan
Baseline(s):
- Low
- Moderate
- High
Develop a contingency plan for the system that: Identifies essential mission and business functions and associated contingency requirements; Provides recovery objectives, restoration priorities, and metrics; Addresses contingency roles, responsibilities, assigned individuals with contact information; Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure; Addresses eventual, full system restoration without deterioration…
CP-3: Contingency Training
Baseline(s):
- Low
- Moderate
- High
Provide contingency training to system users consistent with assigned roles and responsibilities: Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility; When required by system changes; and [Assignment: organization-defined frequency] thereafter; and Review and update contingency training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].
CP-4: Contingency Plan Testing
Baseline(s):
- Low
- Moderate
- High
Test the contingency plan for the system [Assignment: organization-defined frequency] using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: [Assignment: organization-defined tests]. Review the contingency plan test results; and Initiate corrective actions, if needed.
CP-6: Alternate Storage Site
Baseline(s):
- Moderate
- High
Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and Ensure that the alternate storage site provides controls equivalent to that of the primary site.
CP-7: Alternate Processing Site
Baseline(s):
- Moderate
- High
Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable; Make available at the alternate processing site, the equipment and…
CP-8: Telecommunications Services
Baseline(s):
- Moderate
- High
Establish alternate telecommunications services, including necessary agreements to permit the resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
CP-9: System Backup
Baseline(s):
- Low
- Moderate
- High
Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; Conduct backups of system documentation, including security- and privacy-related documentation [Assignment: organization-defined frequency…
CP-10: System Recovery and Reconstitution
Baseline(s):
- Low
- Moderate
- High
Provide for the recovery and reconstitution of the system to a known state within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] after a disruption, compromise, or failure.
CP-11: Alternate Communications Protocols
Baseline(s):
Provide the capability to employ [Assignment: organization-defined alternative communications protocols] in support of maintaining continuity of operations.
CP-12: Safe Mode
Baseline(s):
When [Assignment: organization-defined conditions] are detected, enter a safe mode of operation with [Assignment: organization-defined restrictions of safe mode of operation].
CP-13: Alternative Security Mechanisms
Baseline(s):
Employ [Assignment: organization-defined alternative or supplemental security mechanisms] for satisfying [Assignment: organization-defined security functions] when the primary means of implementing the security function is unavailable or compromised.