Title

A contingency plan must exist in accordance with DOD policy based on the application's availability requirements. (Cat II impact)

Discussion

Contingency planning for systems is part of an overall program for achieving continuity of operations for organizational mission and business functions. Contingency planning addresses system restoration and implementation of alternative mission or business processes when systems are compromised or breached. All applications must document procedures to include business recovery plans, system contingency plans, facility disaster recovery plans, and plan acceptance.

Check Content

Review contingency plans. For high availability applications, verify the contingency plan exists and provides for the smooth transfer of all mission or business essential functions to an alternate site for the duration of an event with little or no loss of operational continuity. For moderate availability applications, verify the contingency plan exists and provides for the resumption of mission or business essential functions within 12 hours activation or as defined in the contingency plan. For low availability applications, verify the contingency plan exists and provides for the partial resumption of mission or business essential functions within 5 to 30 days of activation as defined in the contingency plan. If the contingency plan does not exist or does not meet the severity level requirements, this is a finding.

Fix Text

Create and maintain a contingency plan that identifies essential mission and business functions and associated contingency requirements.

Additional Identifiers

Rule ID: SV-222636r1051323_rule

Vulnerability ID: V-222636

Group Title: SRG-APP-000516

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.