Control ID Title / Statement Priority Baseline Impact
CP-01
Policy and Procedures 9 params
a. Develop, document, and disseminate to {{ insert: param, cp-1_prm_1 }}: 1. {{ insert: param, cp-01_odp.03 }} contingency planning policy that: (a) Addresses purpose, scope, roles, res...
Param ID Label Constraint / Choices
cp-1_prm_1 organization-defined personnel or roles Organization-defined
cp-01_odp.01 personnel or roles personnel or roles to whom the contingency planning policy is to be disseminated is/are defined;
cp-01_odp.02 personnel or roles personnel or roles to whom the contingency planning procedures are to be disseminated is/are defined;
cp-01_odp.03 Select one-or-more: organization-level; mission/business process-level; system-level
cp-01_odp.04 official an official to manage the contingency planning policy and procedures is defined;
cp-01_odp.05 frequency the frequency at which the current contingency planning policy is reviewed and updated is defined;
cp-01_odp.06 events events that would require the current contingency planning policy to be reviewed and updated are defined;
cp-01_odp.07 frequency the frequency at which the current contingency planning procedures are reviewed and updated is defined;
cp-01_odp.08 events events that would require procedures to be reviewed and updated are defined;
CP-02
Contingency Plan 10 params
a. Develop a contingency plan for the system that: 1. Identifies essential mission and business functions and associated contingency requirements; 2. Provides recovery objectives, restora...
Param ID Label Constraint / Choices
cp-2_prm_1 organization-defined personnel or roles Organization-defined
cp-2_prm_2 organization-defined key contingency personnel (identified by name and/or by role) and organizational elements Organization-defined
cp-2_prm_4 organization-defined key contingency personnel (identified by name and/or by role) and organizational elements Organization-defined
cp-02_odp.01 personnel or roles personnel or roles to review a contingency plan is/are defined;
cp-02_odp.02 personnel or roles personnel or roles to approve a contingency plan is/are defined;
cp-02_odp.03 key contingency personnel key contingency personnel (identified by name and/or by role) to whom copies of the contingency plan are distributed ...
cp-02_odp.04 organizational elements key contingency organizational elements to which copies of the contingency plan are distributed are defined;
cp-02_odp.05 frequency frequency of contingency plan review is defined;
cp-02_odp.06 key contingency personnel key contingency personnel (identified by name and/or by role) to communicate changes to are defined;
cp-02_odp.07 organizational elements key contingency organizational elements to communicate changes to are defined;
CP-02(01)
Coordinate with Related Plans
Coordinate contingency plan development with organizational elements responsible for related plans.
CP-02(02)
Capacity Planning
Conduct capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.
CP-02(03)
Resume Mission and Business Functions 2 params
Plan for the resumption of {{ insert: param, cp-02.03_odp.01 }} mission and business functions within {{ insert: param, cp-02.03_odp.02 }} of contingency plan activation.
Param ID Label Constraint / Choices
cp-02.03_odp.01 Select one: all; essential
cp-02.03_odp.02 time period the contingency plan activation time period within which to resume mission and business functions is defined;
CP-02(04)
Resume All Mission and Business Functions
CP-02(05)
Continue Mission and Business Functions 1 param
Plan for the continuance of {{ insert: param, cp-02.05_odp }} mission and business functions with minimal or no loss of operational continuity and sustains that continuity until full system restora...
Param ID Label Constraint / Choices
cp-02.05_odp Select one: all; essential
CP-02(06)
Alternate Processing and Storage Sites 1 param
Plan for the transfer of {{ insert: param, cp-02.06_odp }} mission and business functions to alternate processing and/or storage sites with minimal or no loss of operational continuity and sustain ...
Param ID Label Constraint / Choices
cp-02.06_odp Select one: all; essential
CP-02(07)
Coordinate with External Service Providers
Coordinate the contingency plan with the contingency plans of external service providers to ensure that contingency requirements can be satisfied.
CP-02(08)
Identify Critical Assets 1 param
Identify critical system assets supporting {{ insert: param, cp-02.08_odp }} mission and business functions.
Param ID Label Constraint / Choices
cp-02.08_odp Select one: all; essential
CP-03
Contingency Training 4 params
a. Provide contingency training to system users consistent with assigned roles and responsibilities: 1. Within {{ insert: param, cp-03_odp.01 }} of assuming a contingency role or responsibili...
Param ID Label Constraint / Choices
cp-03_odp.01 time period the time period within which to provide contingency training after assuming a contingency role or responsibility is d...
cp-03_odp.02 frequency frequency at which to provide training to system users with a contingency role or responsibility is defined;
cp-03_odp.03 frequency frequency at which to review and update contingency training content is defined;
cp-03_odp.04 events events necessitating review and update of contingency training are defined;
CP-03(01)
Simulated Events
Incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations.
CP-03(02)
Mechanisms Used in Training Environments
Employ mechanisms used in operations to provide a more thorough and realistic contingency training environment.
CP-04
Contingency Plan Testing 4 params
a. Test the contingency plan for the system {{ insert: param, cp-04_odp.01 }} using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: {{ insert...
Param ID Label Constraint / Choices
cp-4_prm_2 organization-defined tests Organization-defined
cp-04_odp.01 frequency frequency of testing the contingency plan for the system is defined;
cp-04_odp.02 tests tests for determining the effectiveness of the contingency plan are defined;
cp-04_odp.03 tests tests for determining readiness to execute the contingency plan are defined;
CP-04(01)
Coordinate with Related Plans
Coordinate contingency plan testing with organizational elements responsible for related plans.
CP-04(02)
Alternate Processing Site
Test the contingency plan at the alternate processing site: (a) To familiarize contingency personnel with the facility and available resources; and (b) To evaluate the capabilities of the alter...
CP-04(03)
Automated Testing 1 param
Test the contingency plan using {{ insert: param, cp-04.03_odp }}.
Param ID Label Constraint / Choices
cp-04.03_odp automated mechanisms automated mechanisms for contingency plan testing are defined;
CP-04(04)
Full Recovery and Reconstitution
Include a full recovery and reconstitution of the system to a known state as part of contingency plan testing.
CP-04(05)
Self-challenge 2 params
Employ {{ insert: param, cp-04.05_odp.01 }} to {{ insert: param, cp-04.05_odp.02 }} to disrupt and adversely affect the system or system component.
Param ID Label Constraint / Choices
cp-04.05_odp.01 mechanisms mechanisms employed to disrupt and adversely affect the system or system component are defined;
cp-04.05_odp.02 system or system component system or system component on which to apply disruption mechanisms are defined;
CP-05
Contingency Plan Update
CP-06
Alternate Storage Site
a. Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and b. Ensure that the alternate storage site provides c...
CP-06(01)
Separation from Primary Site
Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats.
CP-06(02)
Recovery Time and Recovery Point Objectives
Configure the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives.
CP-06(03)
Accessibility
Identify potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outline explicit mitigation actions.
CP-07
Alternate Processing Site 2 params
a. Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of {{ insert: param, cp-07_odp.01 }} for essential mission and business functions w...
Param ID Label Constraint / Choices
cp-07_odp.01 system operations system operations for essential mission and business functions are defined;
cp-07_odp.02 time period time period consistent with recovery time and recovery point objectives is defined;
CP-07(01)
Separation from Primary Site
Identify an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats.
CP-07(02)
Accessibility
Identify potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
CP-07(03)
Priority of Service
Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives).
CP-07(04)
Preparation for Use
Prepare the alternate processing site so that the site can serve as the operational site supporting essential mission and business functions.
CP-07(05)
Equivalent Information Security Safeguards
CP-07(06)
Inability to Return to Primary Site
Plan and prepare for circumstances that preclude returning to the primary processing site.
CP-08
Telecommunications Services 2 params
Establish alternate telecommunications services, including necessary agreements to permit the resumption of {{ insert: param, cp-08_odp.01 }} for essential mission and business functions within {{ ...
Param ID Label Constraint / Choices
cp-08_odp.01 system operations system operations to be resumed for essential mission and business functions are defined;
cp-08_odp.02 time period time period within which to resume essential mission and business functions when the primary telecommunications capab...
CP-08(01)
Priority of Service Provisions
(a) Develop primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objective...
CP-08(02)
Single Points of Failure
Obtain alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.
CP-08(03)
Separation of Primary and Alternate Providers
Obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.
CP-08(04)
Provider Contingency Plan 3 params
(a) Require primary and alternate telecommunications service providers to have contingency plans; (b) Review provider contingency plans to ensure that the plans meet organizational contingency ...
Param ID Label Constraint / Choices
cp-8.4_prm_1 organization-defined frequency Organization-defined
cp-08.04_odp.01 frequency frequency at which to obtain evidence of contingency testing by providers is defined;
cp-08.04_odp.02 frequency frequency at which to obtain evidence of contingency training by providers is defined;
CP-08(05)
Alternate Telecommunication Service Testing 1 param
Test alternate telecommunication services {{ insert: param, cp-08.05_odp }}.
Param ID Label Constraint / Choices
cp-08.05_odp frequency frequency at which alternate telecommunications services are tested is defined;
CP-09
System Backup 4 params
a. Conduct backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} {{ insert: param, cp-09_odp.02 }}; b. Conduct backups of system-level information contained in the sy...
Param ID Label Constraint / Choices
cp-09_odp.01 system components system components for which to conduct backups of user-level information is defined;
cp-09_odp.02 frequency frequency at which to conduct backups of user-level information consistent with recovery time and recovery point obje...
cp-09_odp.03 frequency frequency at which to conduct backups of system-level information consistent with recovery time and recovery point ob...
cp-09_odp.04 frequency frequency at which to conduct backups of system documentation consistent with recovery time and recovery point object...
CP-09(01)
Testing for Reliability and Integrity 3 params
Test backup information {{ insert: param, cp-9.1_prm_1 }} to verify media reliability and information integrity.
Param ID Label Constraint / Choices
cp-9.1_prm_1 organization-defined frequency Organization-defined
cp-09.01_odp.01 frequency frequency at which to test backup information for media reliability is defined;
cp-09.01_odp.02 frequency frequency at which to test backup information for information integrity is defined;
CP-09(02)
Test Restoration Using Sampling
Use a sample of backup information in the restoration of selected system functions as part of contingency plan testing.
CP-09(03)
Separate Storage for Critical Information 1 param
Store backup copies of {{ insert: param, cp-09.03_odp }} in a separate facility or in a fire rated container that is not collocated with the operational system.
Param ID Label Constraint / Choices
cp-09.03_odp critical system software and other security-related information critical system software and other security-related information backups to be stored in a separate facility are defined;
CP-09(04)
Protection from Unauthorized Modification
CP-09(05)
Transfer to Alternate Storage Site 3 params
Transfer system backup information to the alternate storage site {{ insert: param, cp-9.5_prm_1 }}.
Param ID Label Constraint / Choices
cp-9.5_prm_1 organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives Organization-defined
cp-09.05_odp.01 time period time period consistent with recovery time and recovery point objectives is defined;
cp-09.05_odp.02 transfer rate transfer rate consistent with recovery time and recovery point objectives is defined;
CP-09(06)
Redundant Secondary System
Conduct system backup by maintaining a redundant secondary system that is not collocated with the primary system and that can be activated without loss of information or disruption to operations.
CP-09(07)
Dual Authorization for Deletion or Destruction 1 param
Enforce dual authorization for the deletion or destruction of {{ insert: param, cp-09.07_odp }}.
Param ID Label Constraint / Choices
cp-09.07_odp backup information backup information for which to enforce dual authorization in order to delete or destroy is defined;
CP-09(08)
Cryptographic Protection 1 param
Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of {{ insert: param, cp-09.08_odp }}.
Param ID Label Constraint / Choices
cp-09.08_odp backup information backup information to protect against unauthorized disclosure and modification is defined;
CP-10
System Recovery and Reconstitution 3 params
Provide for the recovery and reconstitution of the system to a known state within {{ insert: param, cp-10_prm_1 }} after a disruption, compromise, or failure.
Param ID Label Constraint / Choices
cp-10_prm_1 organization-defined time period consistent with recovery time and recovery point objectives Organization-defined
cp-10_odp.01 time period time period consistent with recovery time and recovery point objectives for the recovery of the system is determined;
cp-10_odp.02 time period time period consistent with recovery time and recovery point objectives for the reconstitution of the system is deter...
CP-10(01)
Contingency Plan Testing
CP-10(02)
Transaction Recovery
Implement transaction recovery for systems that are transaction-based.
CP-10(03)
Compensating Security Controls
Addressed through tailoring.
CP-10(04)
Restore Within Time Period 1 param
Provide the capability to restore system components within {{ insert: param, cp-10.04_odp }} from configuration-controlled and integrity-protected information representing a known, operational stat...
Param ID Label Constraint / Choices
cp-10.04_odp restoration time periods restoration time period within which to restore system components to a known, operational state is defined;
CP-10(05)
Failover Capability
CP-10(06)
Component Protection
Protect system components used for recovery and reconstitution.
CP-11
Alternate Communications Protocols 1 param
Provide the capability to employ {{ insert: param, cp-11_odp }} in support of maintaining continuity of operations.
Param ID Label Constraint / Choices
cp-11_odp alternative communications protocols alternative communications protocols in support of maintaining continuity of operations are defined;
CP-12
Safe Mode 2 params
When {{ insert: param, cp-12_odp.02 }} are detected, enter a safe mode of operation with {{ insert: param, cp-12_odp.01 }}.
Param ID Label Constraint / Choices
cp-12_odp.01 restrictions restrictions for safe mode of operation are defined;
cp-12_odp.02 conditions conditions detected to enter a safe mode of operation are defined;
CP-13
Alternative Security Mechanisms 2 params
Employ {{ insert: param, cp-13_odp.01 }} for satisfying {{ insert: param, cp-13_odp.02 }} when the primary means of implementing the security function is unavailable or compromised.
Param ID Label Constraint / Choices
cp-13_odp.01 alternative or supplemental security mechanisms alternative or supplemental security mechanisms are defined;
cp-13_odp.02 security functions security functions are defined;
cp-1a Develop, document, and disseminate to {{ insert: param, cp-1_prm_1 }}:
cp-1a.1 {{ insert: param, cp-01_odp.03 }} contingency planning policy that:
cp-1a.1.(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
cp-1a.1.(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
cp-1a.2 Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls;
cp-1b Designate an {{ insert: param, cp-01_odp.04 }} to manage the development, documentation, and dissemination of the contingency planning policy and p...
cp-1c Review and update the current contingency planning:
cp-1c.1 Policy {{ insert: param, cp-01_odp.05 }} and following {{ insert: param, cp-01_odp.06 }}; and
cp-1c.2 Procedures {{ insert: param, cp-01_odp.07 }} and following {{ insert: param, cp-01_odp.08 }}.
cp-2a Develop a contingency plan for the system that:
cp-2a.1 Identifies essential mission and business functions and associated contingency requirements;
cp-2a.2 Provides recovery objectives, restoration priorities, and metrics;
cp-2a.3 Addresses contingency roles, responsibilities, assigned individuals with contact information;
cp-2a.4 Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;
cp-2a.5 Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented;
cp-2a.6 Addresses the sharing of contingency information; and
cp-2a.7 Is reviewed and approved by {{ insert: param, cp-2_prm_1 }};
cp-2b Distribute copies of the contingency plan to {{ insert: param, cp-2_prm_2 }};
cp-2c Coordinate contingency planning activities with incident handling activities;
cp-2d Review the contingency plan for the system {{ insert: param, cp-02_odp.05 }};
cp-2e Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency...
cp-2f Communicate contingency plan changes to {{ insert: param, cp-2_prm_4 }};
cp-2g Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and
cp-2h Protect the contingency plan from unauthorized disclosure and modification.
cp-3a Provide contingency training to system users consistent with assigned roles and responsibilities:
cp-3a.1 Within {{ insert: param, cp-03_odp.01 }} of assuming a contingency role or responsibility;
cp-3a.2 When required by system changes; and
cp-3a.3 {{ insert: param, cp-03_odp.02 }} thereafter; and
cp-3b Review and update contingency training content {{ insert: param, cp-03_odp.03 }} and following {{ insert: param, cp-03_odp.04 }}.
cp-4.2.(a) To familiarize contingency personnel with the facility and available resources; and
cp-4.2.(b) To evaluate the capabilities of the alternate processing site to support contingency operations.
cp-4a Test the contingency plan for the system {{ insert: param, cp-04_odp.01 }} using the following tests to determine the effectiveness of the plan and...
cp-4b Review the contingency plan test results; and
cp-4c Initiate corrective actions, if needed.
cp-6a Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and
cp-6b Ensure that the alternate storage site provides controls equivalent to that of the primary site.
cp-7a Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of {{ insert: param, cp-07_odp.01 }} f...
cp-7b Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to...
cp-7c Provide controls at the alternate processing site that are equivalent to those at the primary site.
cp-8.1.(a) Develop primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability req...
cp-8.1.(b) Request Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness if the primary an...
cp-8.4.(a) Require primary and alternate telecommunications service providers to have contingency plans;
cp-8.4.(b) Review provider contingency plans to ensure that the plans meet organizational contingency requirements; and
cp-8.4.(c) Obtain evidence of contingency testing and training by providers {{ insert: param, cp-8.4_prm_1 }}.
cp-9a Conduct backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} {{ insert: param, cp-09_odp.02 }};
cp-9b Conduct backups of system-level information contained in the system {{ insert: param, cp-09_odp.03 }};
cp-9c Conduct backups of system documentation, including security- and privacy-related documentation {{ insert: param, cp-09_odp.04 }}; and
cp-9d Protect the confidentiality, integrity, and availability of backup information.