Navigate

CCI-000453

CCI-000453 Definition

The organization develops a contingency plan for the information system that addresses maintaining essential business functions despite an information system compromise.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed must clearly and accurately document maintaining business functions despite an information system compromise for its information system(s).

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it clearly and accurately documents maintaining business functions despite an information system compromise for its information system(s).

Compelling Evidence

1.) Signed and dated contingency plan, referencing business functions section

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-000453.

Control	Description
CP-2	The organization: CP-2a.: Develops a contingency plan for the information system that: CP-2a.1.: Identifies essential missions and business functions and associated contingency requirements; CP-2a.2.: Provides recovery objectives, restoration priorities, and metrics; CP-2a.3.: Addresses contingency roles, responsibilities, assigned individuals with contact information; CP-2a.4.: Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; CP-2a.5.: Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and CP-2a.6.: Is reviewed and approved by [Assignment: organization-defined personnel or roles]; CP-2b.: Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; CP-2c.: Coordinates contingency planning activities with incident handling activities; CP-2d.: Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; CP-2e.: Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; CP-2f.: Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and CP-2g.: Protects the contingency plan from unauthorized disclosure and modification.

Control

Description

CP-2

The organization:

CP-2a.: Develops a contingency plan for the information system that:
- CP-2a.1.: Identifies essential missions and business functions and associated contingency requirements;
- CP-2a.2.: Provides recovery objectives, restoration priorities, and metrics;
- CP-2a.3.: Addresses contingency roles, responsibilities, assigned individuals with contact information;
- CP-2a.4.: Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
- CP-2a.5.: Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
- CP-2a.6.: Is reviewed and approved by [Assignment: organization-defined personnel or roles];

CP-2b.: Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];

CP-2c.: Coordinates contingency planning activities with incident handling activities;

CP-2d.: Reviews the contingency plan for the information system [Assignment: organization-defined frequency];

CP-2e.: Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;

CP-2f.: Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and

CP-2g.: Protects the contingency plan from unauthorized disclosure and modification.