Catalog: NIST Special Publication 800-53 Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations | Controls: 95
| Control ID | Title / Statement | Priority | Baseline Impact | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CP-1 |
Contingency Planning Policy and Procedures
3 params
The organization:
a. Develops, documents, and disseminates to {{ insert: param, cp-1_prm_1 }}:
1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, managem...
► View parameters
|
— | — | |||||||||||||||
| CP-2 |
Contingency Plan
4 params
The organization:
a. Develops a contingency plan for the information system that:
1. Identifies essential missions and business functions and associated contingency requirements;
2. Provi...
► View parameters
|
— | — | |||||||||||||||
| CP-2(1) |
Coordinate with Related Plans
The organization coordinates contingency plan development with organizational elements responsible for related plans.
|
— | — | |||||||||||||||
| CP-2(2) |
Capacity Planning
The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.
|
— | — | |||||||||||||||
| CP-2(3) |
Resume Essential Missions / Business Functions
1 param
The organization plans for the resumption of essential missions and business functions within {{ insert: param, cp-2.3_prm_1 }} of contingency plan activation.
► View parameters
|
— | — | |||||||||||||||
| CP-2(4) |
Resume All Missions / Business Functions
1 param
The organization plans for the resumption of all missions and business functions within {{ insert: param, cp-2.4_prm_1 }} of contingency plan activation.
► View parameters
|
— | — | |||||||||||||||
| CP-2(5) |
Continue Essential Missions / Business Functions
The organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity and sustains that continuity until full information system r...
|
— | — | |||||||||||||||
| CP-2(6) |
Alternate Processing / Storage Site
The organization plans for the transfer of essential missions and business functions to alternate processing and/or storage sites with little or no loss of operational continuity and sustains that ...
|
— | — | |||||||||||||||
| CP-2(7) |
Coordinate with External Service Providers
The organization coordinates its contingency plan with the contingency plans of external service providers to ensure that contingency requirements can be satisfied.
|
— | — | |||||||||||||||
| CP-2(8) |
Identify Critical Assets
The organization identifies critical information system assets supporting essential missions and business functions.
|
— | — | |||||||||||||||
| CP-3 |
Contingency Training
2 params
The organization provides contingency training to information system users consistent with assigned roles and responsibilities:
a. Within {{ insert: param, cp-3_prm_1 }} of assuming a contingency...
► View parameters
|
— | — | |||||||||||||||
| CP-3(1) |
Simulated Events
The organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations.
|
— | — | |||||||||||||||
| CP-3(2) |
Automated Training Environments
The organization employs automated mechanisms to provide a more thorough and realistic contingency training environment.
|
— | — | |||||||||||||||
| CP-4 |
Contingency Plan Testing
2 params
The organization:
a. Tests the contingency plan for the information system {{ insert: param, cp-4_prm_1 }} using {{ insert: param, cp-4_prm_2 }} to determine the effectiveness of the plan and the...
► View parameters
|
— | — | |||||||||||||||
| CP-4(1) |
Coordinate with Related Plans
The organization coordinates contingency plan testing with organizational elements responsible for related plans.
|
— | — | |||||||||||||||
| CP-4(2) |
Alternate Processing Site
The organization tests the contingency plan at the alternate processing site:
(a) To familiarize contingency personnel with the facility and available resources; and
(b) To evaluate the capabil...
|
— | — | |||||||||||||||
| CP-4(3) |
Automated Testing
The organization employs automated mechanisms to more thoroughly and effectively test the contingency plan.
|
— | — | |||||||||||||||
| CP-4(4) |
Full Recovery / Reconstitution
The organization includes a full recovery and reconstitution of the information system to a known state as part of contingency plan testing.
|
— | — | |||||||||||||||
| CP-5 |
Contingency Plan Update
|
— | — | |||||||||||||||
| CP-6 |
Alternate Storage Site
The organization:
a. Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and
b. Ensures that the a...
|
— | — | |||||||||||||||
| CP-6(1) |
Separation from Primary Site
The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats.
|
— | — | |||||||||||||||
| CP-6(2) |
Recovery Time / Point Objectives
The organization configures the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives.
|
— | — | |||||||||||||||
| CP-6(3) |
Accessibility
The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
|
— | — | |||||||||||||||
| CP-7 |
Alternate Processing Site
2 params
The organization:
a. Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of {{ insert: param, cp-7_prm_1 }} for essential missions/busine...
► View parameters
|
— | — | |||||||||||||||
| CP-7(1) |
Separation from Primary Site
The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats.
|
— | — | |||||||||||||||
| CP-7(2) |
Accessibility
The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
|
— | — | |||||||||||||||
| CP-7(3) |
Priority of Service
The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objec...
|
— | — | |||||||||||||||
| CP-7(4) |
Preparation for Use
The organization prepares the alternate processing site so that the site is ready to be used as the operational site supporting essential missions and business functions.
|
— | — | |||||||||||||||
| CP-7(5) |
Equivalent Information Security Safeguards
|
— | — | |||||||||||||||
| CP-7(6) |
Inability to Return to Primary Site
The organization plans and prepares for circumstances that preclude returning to the primary processing site.
|
— | — | |||||||||||||||
| CP-8 |
Telecommunications Services
2 params
The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of {{ insert: param, cp-8_prm_1 }} for essential missions and business fun...
► View parameters
|
— | — | |||||||||||||||
| CP-8(1) |
Priority of Service Provisions
The organization:
(a) Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements ...
|
— | — | |||||||||||||||
| CP-8(2) |
Single Points of Failure
The organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.
|
— | — | |||||||||||||||
| CP-8(3) |
Separation of Primary / Alternate Providers
The organization obtains alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.
|
— | — | |||||||||||||||
| CP-8(4) |
Provider Contingency Plan
1 param
The organization:
(a) Requires primary and alternate telecommunications service providers to have contingency plans;
(b) Reviews provider contingency plans to ensure that the plans meet organiz...
► View parameters
|
— | — | |||||||||||||||
| CP-8(5) |
Alternate Telecommunication Service Testing
1 param
The organization tests alternate telecommunication services {{ insert: param, cp-8.5_prm_1 }}.
► View parameters
|
— | — | |||||||||||||||
| CP-9 |
Information System Backup
3 params
The organization:
a. Conducts backups of user-level information contained in the information system {{ insert: param, cp-9_prm_1 }};
b. Conducts backups of system-level information contained in...
► View parameters
|
— | — | |||||||||||||||
| CP-9(1) |
Testing for Reliability / Integrity
1 param
The organization tests backup information {{ insert: param, cp-9.1_prm_1 }} to verify media reliability and information integrity.
► View parameters
|
— | — | |||||||||||||||
| CP-9(2) |
Test Restoration Using Sampling
The organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing.
|
— | — | |||||||||||||||
| CP-9(3) |
Separate Storage for Critical Information
1 param
The organization stores backup copies of {{ insert: param, cp-9.3_prm_1 }} in a separate facility or in a fire-rated container that is not collocated with the operational system.
► View parameters
|
— | — | |||||||||||||||
| CP-9(4) |
Protection from Unauthorized Modification
|
— | — | |||||||||||||||
| CP-9(5) |
Transfer to Alternate Storage Site
1 param
The organization transfers information system backup information to the alternate storage site {{ insert: param, cp-9.5_prm_1 }}.
► View parameters
|
— | — | |||||||||||||||
| CP-9(6) |
Redundant Secondary System
The organization accomplishes information system backup by maintaining a redundant secondary system that is not collocated with the primary system and that can be activated without loss of informat...
|
— | — | |||||||||||||||
| CP-9(7) |
Dual Authorization
1 param
The organization enforces dual authorization for the deletion or destruction of {{ insert: param, cp-9.7_prm_1 }}.
► View parameters
|
— | — | |||||||||||||||
| CP-10 |
Information System Recovery and Reconstitution
3 params
The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.
► View parameters
|
— | — | |||||||||||||||
| CP-10(1) |
Contingency Plan Testing
|
— | — | |||||||||||||||
| CP-10(2) |
Transaction Recovery
The information system implements transaction recovery for systems that are transaction-based.
|
— | — | |||||||||||||||
| CP-10(3) |
Compensating Security Controls
|
— | — | |||||||||||||||
| CP-10(4) |
Restore Within Time Period
1 param
The organization provides the capability to restore information system components within {{ insert: param, cp-10.4_prm_1 }} from configuration-controlled and integrity-protected information represe...
► View parameters
|
— | — | |||||||||||||||
| CP-10(5) |
Failover Capability
|
— | — | |||||||||||||||
| CP-10(6) |
Component Protection
The organization protects backup and restoration hardware, firmware, and software.
|
— | — | |||||||||||||||
| CP-11 |
Alternate Communications Protocols
1 param
The information system provides the capability to employ {{ insert: param, cp-11_prm_1 }} in support of maintaining continuity of operations.
► View parameters
|
— | — | |||||||||||||||
| CP-12 |
Safe Mode
2 params
The information system, when {{ insert: param, cp-12_prm_1 }} are detected, enters a safe mode of operation with {{ insert: param, cp-12_prm_2 }}.
► View parameters
|
— | — | |||||||||||||||
| CP-13 |
Alternative Security Mechanisms
2 params
The organization employs {{ insert: param, cp-13_prm_1 }} for satisfying {{ insert: param, cp-13_prm_2 }} when the primary means of implementing the security function is unavailable or compromised.
► View parameters
|
— | — | |||||||||||||||
| └ cp-1a | Develops, documents, and disseminates to {{ insert: param, cp-1_prm_1 }}: | — | — | |||||||||||||||
| └ cp-1a.1 | A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational enti... | — | — | |||||||||||||||
| └ cp-1a.2 | Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and | — | — | |||||||||||||||
| └ cp-1b | Reviews and updates the current: | — | — | |||||||||||||||
| └ cp-1b.1 | Contingency planning policy {{ insert: param, cp-1_prm_2 }}; and | — | — | |||||||||||||||
| └ cp-1b.2 | Contingency planning procedures {{ insert: param, cp-1_prm_3 }}. | — | — | |||||||||||||||
| └ cp-2a | Develops a contingency plan for the information system that: | — | — | |||||||||||||||
| └ cp-2a.1 | Identifies essential missions and business functions and associated contingency requirements; | — | — | |||||||||||||||
| └ cp-2a.2 | Provides recovery objectives, restoration priorities, and metrics; | — | — | |||||||||||||||
| └ cp-2a.3 | Addresses contingency roles, responsibilities, assigned individuals with contact information; | — | — | |||||||||||||||
| └ cp-2a.4 | Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; | — | — | |||||||||||||||
| └ cp-2a.5 | Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and | — | — | |||||||||||||||
| └ cp-2a.6 | Is reviewed and approved by {{ insert: param, cp-2_prm_1 }}; | — | — | |||||||||||||||
| └ cp-2b | Distributes copies of the contingency plan to {{ insert: param, cp-2_prm_2 }}; | — | — | |||||||||||||||
| └ cp-2c | Coordinates contingency planning activities with incident handling activities; | — | — | |||||||||||||||
| └ cp-2d | Reviews the contingency plan for the information system {{ insert: param, cp-2_prm_3 }}; | — | — | |||||||||||||||
| └ cp-2e | Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered durin... | — | — | |||||||||||||||
| └ cp-2f | Communicates contingency plan changes to {{ insert: param, cp-2_prm_4 }}; and | — | — | |||||||||||||||
| └ cp-2g | Protects the contingency plan from unauthorized disclosure and modification. | — | — | |||||||||||||||
| └ cp-3a | Within {{ insert: param, cp-3_prm_1 }} of assuming a contingency role or responsibility; | — | — | |||||||||||||||
| └ cp-3b | When required by information system changes; and | — | — | |||||||||||||||
| └ cp-3c | {{ insert: param, cp-3_prm_2 }} thereafter. | — | — | |||||||||||||||
| └ cp-4.2.(a) | To familiarize contingency personnel with the facility and available resources; and | — | — | |||||||||||||||
| └ cp-4.2.(b) | To evaluate the capabilities of the alternate processing site to support contingency operations. | — | — | |||||||||||||||
| └ cp-4a | Tests the contingency plan for the information system {{ insert: param, cp-4_prm_1 }} using {{ insert: param, cp-4_prm_2 }} to determine the effect... | — | — | |||||||||||||||
| └ cp-4b | Reviews the contingency plan test results; and | — | — | |||||||||||||||
| └ cp-4c | Initiates corrective actions, if needed. | — | — | |||||||||||||||
| └ cp-6a | Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and | — | — | |||||||||||||||
| └ cp-6b | Ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site. | — | — | |||||||||||||||
| └ cp-7a | Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of {{ insert: param, cp-7_prm_1 }} fo... | — | — | |||||||||||||||
| └ cp-7b | Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in p... | — | — | |||||||||||||||
| └ cp-7c | Ensures that the alternate processing site provides information security safeguards equivalent to those of the primary site. | — | — | |||||||||||||||
| └ cp-8.1.(a) | Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational ... | — | — | |||||||||||||||
| └ cp-8.1.(b) | Requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event tha... | — | — | |||||||||||||||
| └ cp-8.4.(a) | Requires primary and alternate telecommunications service providers to have contingency plans; | — | — | |||||||||||||||
| └ cp-8.4.(b) | Reviews provider contingency plans to ensure that the plans meet organizational contingency requirements; and | — | — | |||||||||||||||
| └ cp-8.4.(c) | Obtains evidence of contingency testing/training by providers {{ insert: param, cp-8.4_prm_1 }}. | — | — | |||||||||||||||
| └ cp-9a | Conducts backups of user-level information contained in the information system {{ insert: param, cp-9_prm_1 }}; | — | — | |||||||||||||||
| └ cp-9b | Conducts backups of system-level information contained in the information system {{ insert: param, cp-9_prm_2 }}; | — | — | |||||||||||||||
| └ cp-9c | Conducts backups of information system documentation including security-related documentation {{ insert: param, cp-9_prm_3 }}; and | — | — | |||||||||||||||
| └ cp-9d | Protects the confidentiality, integrity, and availability of backup information at storage locations. | — | — |