Navigate

CP-4

CP-4: Contingency Plan Testing

The organization:

a: Tests the contingency plan for the information system [organization-defined frequency] using [organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan;

b: Reviews the contingency plan test results; and

c: Initiates corrective actions, if needed.

Supplemental

Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include, for example, walk-through and tabletop exercises, checklists, simulations (parallel, full interrupt), and comprehensive exercises. Organizations conduct testing based on the continuity requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals arising due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	high

Overlays
Privacy (PHI)

CSF Categories
ID.SC-5, PR.IP-10, PR.IP-4

Related Controls

The controls below (if any) were marked by NIST as being related to CP-4.

Control	Description
CP-2	The organization: a: Develops a contingency plan for the information system that: 1: Identifies essential missions and business functions and associated contingency requirements; 2: Provides recovery objectives, restoration priorities, and metrics; 3: Addresses contingency roles, responsibilities, assigned individuals with contact information; 4: Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5: Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6: Is reviewed and approved by [organization-defined personnel or roles]; b: Distributes copies of the contingency plan to [organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c: Coordinates contingency planning activities with incident handling activities; d: Reviews the contingency plan for the information system [organization-defined frequency]; e: Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f: Communicates contingency plan changes to [organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g: Protects the contingency plan from unauthorized disclosure and modification.
CP-3	The organization provides contingency training to information system users consistent with assigned roles and responsibilities: a: Within [organization-defined time period] of assuming a contingency role or responsibility; b: When required by information system changes; and c: [organization-defined frequency] thereafter.
IR-3	The organization tests the incident response capability for the information system [organization-defined frequency] using [organization-defined tests] to determine the incident response effectiveness and documents the results.

Enhancements

The controls below (if any) add on to the requirements of CP-4.

Control	Description
CP-4(1)	The organization coordinates contingency plan testing with organizational elements responsible for related plans.
CP-4(2)	The organization tests the contingency plan at the alternate processing site: (a): To familiarize contingency personnel with the facility and available resources; and (b): To evaluate the capabilities of the alternate processing site to support contingency operations.
CP-4(3)	The organization employs automated mechanisms to more thoroughly and effectively test the contingency plan.
CP-4(4)	The organization includes a full recovery and reconstitution of the information system to a known state as part of contingency plan testing.

Related CCIs

The CCIs below are tied to CP-4.

CCI	Definition
CCI-000490	Defines the frequency with which to test the contingency plan for the system.
CCI-000492	Defines the contingency plan tests to be conducted for the system.
CCI-000494	Test the contingency plan for the system in accordance with organization-defined frequency using organization-defined tests to determine the effectiveness of the plan and the organizational readiness to execute the plan.
CCI-000496	Review the contingency plan test results.
CCI-000497	Initiate corrective actions, if needed, after reviewing the contingency plan test results.