CP-4: Contingency Plan Testing
- NIST Special Publication 800-53 Revision 4:
- CP-4: Contingency Plan Testing
- Test the contingency plan for the system [Assignment: organization-defined frequency] using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: [Assignment: organization-defined tests].
- Review the contingency plan test results; and
- Initiate corrective actions, if needed.
Methods for testing contingency plans to determine the effectiveness of the plans and identify potential weaknesses include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions.
CP-4(1): Coordinate with Related Plans
Coordinate contingency plan testing with organizational elements responsible for related plans.
CP-4(2): Alternate Processing Site
Test the contingency plan at the alternate processing site: To familiarize contingency personnel with the facility and available resources; and To evaluate the capabilities of the alternate processing site to support contingency operations.
CP-4(3): Automated Testing
Test the contingency plan using [Assignment: organization-defined automated mechanisms].
CP-4(4): Full Recovery and Reconstitution
Include a full recovery and reconstitution of the system to a known state as part of contingency plan testing.
Employ [Assignment: organization-defined mechanisms] to [Assignment: organization-defined system or system component] to disrupt and adversely affect the system or system component.