Navigate

CCI-000457

CCI-000457 Definition

The organization develops a contingency plan for the information system that is reviewed and approved by organization-defined personnel or roles.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed reviews and approves the contingency plan by at a minimum, the ISSM and ISSO. The organization must maintain an audit trail of the review and approval activity. DoD has defined the personnel or roles as at a minimum, the ISSM and ISSO.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the audit trail to ensure the contingency plan has been reviewed and approved by at a minimum, the ISSM and ISSO. DoD has defined the personnel or roles as at a minimum, the ISSM and ISSO.

Compelling Evidence

1.) Screenshot or physical document that includes a signature of approval from the organizational management.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-000457.

Control	Description
CP-2	The organization: CP-2a.: Develops a contingency plan for the information system that: CP-2a.1.: Identifies essential missions and business functions and associated contingency requirements; CP-2a.2.: Provides recovery objectives, restoration priorities, and metrics; CP-2a.3.: Addresses contingency roles, responsibilities, assigned individuals with contact information; CP-2a.4.: Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; CP-2a.5.: Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and CP-2a.6.: Is reviewed and approved by [Assignment: organization-defined personnel or roles]; CP-2b.: Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; CP-2c.: Coordinates contingency planning activities with incident handling activities; CP-2d.: Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; CP-2e.: Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; CP-2f.: Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and CP-2g.: Protects the contingency plan from unauthorized disclosure and modification.

Control

Description

CP-2

The organization:

CP-2a.: Develops a contingency plan for the information system that:
- CP-2a.1.: Identifies essential missions and business functions and associated contingency requirements;
- CP-2a.2.: Provides recovery objectives, restoration priorities, and metrics;
- CP-2a.3.: Addresses contingency roles, responsibilities, assigned individuals with contact information;
- CP-2a.4.: Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
- CP-2a.5.: Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
- CP-2a.6.: Is reviewed and approved by [Assignment: organization-defined personnel or roles];

CP-2b.: Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];

CP-2c.: Coordinates contingency planning activities with incident handling activities;

CP-2d.: Reviews the contingency plan for the information system [Assignment: organization-defined frequency];

CP-2e.: Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;

CP-2f.: Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and

CP-2g.: Protects the contingency plan from unauthorized disclosure and modification.