Navigate

CCI-000457

CCI-000457 Definition

Develop a contingency plan for the system that is reviewed and approved by organization-defined personnel or roles.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

Determine if: - a contingency plan for the system is developed that is reviewed by [CP-02_ODP[01]; personnel or roles to review a contingency plan is/are defined]. - a contingency plan for the system is developed that is approved by [CP-02_ODP[02]; personnel or roles to approve a contingency plan is/are defined].

Validation Procedures

Examine: [SELECT FROM: Contingency planning policy; procedures addressing contingency operations for the system; contingency plan; evidence of contingency plan reviews and updates; system security plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities; organizational personnel with incident handling responsibilities; organizational personnel with knowledge of requirements for mission and business functions; organizational personnel with information security responsibilities]. Test: [SELECT FROM: Organizational processes for contingency plan development, review, update, and protection; mechanisms for developing, reviewing, updating, and/or protecting the contingency plan].

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-000457.

Control	Description
CP-2	a: Develop a contingency plan for the system that: 1: Identifies essential mission and business functions and associated contingency requirements; 2: Provides recovery objectives, restoration priorities, and metrics; 3: Addresses contingency roles, responsibilities, assigned individuals with contact information; 4: Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure; 5: Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented; 6: Addresses the sharing of contingency information; and 7: Is reviewed and approved by [one of ]; b: Distribute copies of the contingency plan to [one of ]; c: Coordinate contingency planning activities with incident handling activities; d: Review the contingency plan for the system [frequency of contingency plan review is defined;]; e: Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f: Communicate contingency plan changes to [one of ]; g: Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and h: Protect the contingency plan from unauthorized disclosure and modification.

Control

Description

CP-2

a: Develop a contingency plan for the system that:
- 1: Identifies essential mission and business functions and associated contingency requirements;
- 2: Provides recovery objectives, restoration priorities, and metrics;
- 3: Addresses contingency roles, responsibilities, assigned individuals with contact information;
- 4: Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;
- 5: Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented;
- 6: Addresses the sharing of contingency information; and
- 7: Is reviewed and approved by [one of ];

b: Distribute copies of the contingency plan to [one of ];

c: Coordinate contingency planning activities with incident handling activities;

d: Review the contingency plan for the system [frequency of contingency plan review is defined;];

e: Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;

f: Communicate contingency plan changes to [one of ];

g: Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and

h: Protect the contingency plan from unauthorized disclosure and modification.