Navigate

CCI-000453

CCI-000453 Definition

The organization develops a contingency plan for the information system that addresses maintaining essential business functions despite an information system compromise.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed must clearly and accurately document maintaining business functions despite an information system compromise for its information system(s).

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it clearly and accurately documents maintaining business functions despite an information system compromise for its information system(s).

Compelling Evidence

1.) Signed and dated contingency plan, referencing business functions section

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-000453.

Control	Description
CP-2	The organization: a: Develops a contingency plan for the information system that: 1: Identifies essential missions and business functions and associated contingency requirements; 2: Provides recovery objectives, restoration priorities, and metrics; 3: Addresses contingency roles, responsibilities, assigned individuals with contact information; 4: Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5: Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6: Is reviewed and approved by [one of ]; b: Distributes copies of the contingency plan to [one of ]; c: Coordinates contingency planning activities with incident handling activities; d: Reviews the contingency plan for the information system [one of ]; e: Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f: Communicates contingency plan changes to [one of ]; and g: Protects the contingency plan from unauthorized disclosure and modification.

Control

Description

CP-2

The organization:

a: Develops a contingency plan for the information system that:
- 1: Identifies essential missions and business functions and associated contingency requirements;
- 2: Provides recovery objectives, restoration priorities, and metrics;
- 3: Addresses contingency roles, responsibilities, assigned individuals with contact information;
- 4: Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
- 5: Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
- 6: Is reviewed and approved by [one of ];

b: Distributes copies of the contingency plan to [one of ];

c: Coordinates contingency planning activities with incident handling activities;

d: Reviews the contingency plan for the information system [one of ];

e: Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;

f: Communicates contingency plan changes to [one of ]; and

g: Protects the contingency plan from unauthorized disclosure and modification.