Navigate

CCI-000457

CCI-000457 Definition

Develop a contingency plan for the system that is reviewed and approved by organization-defined personnel or roles.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed reviews and approves the contingency plan by at a minimum, the ISSM and ISSO. The organization must maintain an audit trail of the review and approval activity. DoD has defined the personnel or roles as at a minimum, the ISSM and ISSO.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the audit trail to ensure the contingency plan has been reviewed and approved by at a minimum, the ISSM and ISSO. DoD has defined the personnel or roles as at a minimum, the ISSM and ISSO.

Compelling Evidence

1.) Screenshot or physical document that includes a signature of approval from the organizational management.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-000457.

Control	Description
CP-2	The organization: a: Develops a contingency plan for the information system that: 1: Identifies essential missions and business functions and associated contingency requirements; 2: Provides recovery objectives, restoration priorities, and metrics; 3: Addresses contingency roles, responsibilities, assigned individuals with contact information; 4: Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5: Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6: Is reviewed and approved by [one of ]; b: Distributes copies of the contingency plan to [one of ]; c: Coordinates contingency planning activities with incident handling activities; d: Reviews the contingency plan for the information system [one of ]; e: Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f: Communicates contingency plan changes to [one of ]; and g: Protects the contingency plan from unauthorized disclosure and modification.

Control

Description

CP-2

The organization:

a: Develops a contingency plan for the information system that:
- 1: Identifies essential missions and business functions and associated contingency requirements;
- 2: Provides recovery objectives, restoration priorities, and metrics;
- 3: Addresses contingency roles, responsibilities, assigned individuals with contact information;
- 4: Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
- 5: Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
- 6: Is reviewed and approved by [one of ];

b: Distributes copies of the contingency plan to [one of ];

c: Coordinates contingency planning activities with incident handling activities;

d: Reviews the contingency plan for the information system [one of ];

e: Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;

f: Communicates contingency plan changes to [one of ]; and

g: Protects the contingency plan from unauthorized disclosure and modification.