CP-4: Contingency Plan Testing

Control Family:

Contingency Planning

CSF v1.1 References:

PF v1.0 References:

Baselines:

  • Low
    • CP-4
  • Moderate
  • High
  • Privacy

    N/A

Previous Version:

Control Statement

  1. Test the contingency plan for the system [Assignment: organization-defined frequency] using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: [Assignment: organization-defined tests].
  2. Review the contingency plan test results; and
  3. Initiate corrective actions, if needed.

Supplemental Guidance

Methods for testing contingency plans to determine the effectiveness of the plans and identify potential weaknesses include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions.

Control Enhancements

CP-4(2): Alternate Processing Site

Baseline(s):

  • High

Test the contingency plan at the alternate processing site: To familiarize contingency personnel with the facility and available resources; and To evaluate the capabilities of the alternate processing site to support contingency operations.

CP-4(3): Automated Testing

Baseline(s):

(Not part of any baseline)

Test the contingency plan using [Assignment: organization-defined automated mechanisms].

CP-4(5): Self-challenge

Baseline(s):

(Not part of any baseline)

Employ [Assignment: organization-defined mechanisms] to [Assignment: organization-defined system or system component] to disrupt and adversely affect the system or system component.

Related Controls

NIST Special Publication 800-53 Revision 5

Cloud Controls Matrix v3.0.1

Critical Security Controls Version 8