Navigate

CCI-002832

CCI-002832 Definition

The organization protects the contingency plan from unauthorized disclosure and modification.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed documents and implements a process to protect the contingency plan from unauthorized disclosure and modification.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed protects the contingency plan from unauthorized disclosure and modification.

Compelling Evidence

1.) Documentation of the storage and access process to the contingency plan

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-002832.

Control	Description
CP-2	The organization: CP-2a.: Develops a contingency plan for the information system that: CP-2a.1.: Identifies essential missions and business functions and associated contingency requirements; CP-2a.2.: Provides recovery objectives, restoration priorities, and metrics; CP-2a.3.: Addresses contingency roles, responsibilities, assigned individuals with contact information; CP-2a.4.: Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; CP-2a.5.: Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and CP-2a.6.: Is reviewed and approved by [Assignment: organization-defined personnel or roles]; CP-2b.: Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; CP-2c.: Coordinates contingency planning activities with incident handling activities; CP-2d.: Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; CP-2e.: Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; CP-2f.: Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and CP-2g.: Protects the contingency plan from unauthorized disclosure and modification.

Control

Description

CP-2

The organization:

CP-2a.: Develops a contingency plan for the information system that:
- CP-2a.1.: Identifies essential missions and business functions and associated contingency requirements;
- CP-2a.2.: Provides recovery objectives, restoration priorities, and metrics;
- CP-2a.3.: Addresses contingency roles, responsibilities, assigned individuals with contact information;
- CP-2a.4.: Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
- CP-2a.5.: Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
- CP-2a.6.: Is reviewed and approved by [Assignment: organization-defined personnel or roles];

CP-2b.: Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];

CP-2c.: Coordinates contingency planning activities with incident handling activities;

CP-2d.: Reviews the contingency plan for the information system [Assignment: organization-defined frequency];

CP-2e.: Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;

CP-2f.: Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and

CP-2g.: Protects the contingency plan from unauthorized disclosure and modification.