Navigate

CP-4

CP-4: Contingency Plan Testing

a: Test the contingency plan for the system [frequency of testing the contingency plan for the system is defined;] using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: [one of ].

b: Review the contingency plan test results; and

c: Initiate corrective actions, if needed.

Supplemental

Methods for testing contingency plans to determine the effectiveness of the plans and identify potential weaknesses include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	low

Overlays
DAF Baseline

CSF Categories
ID.SC-5, PR.IP-10, PR.IP-4, PR.IP-7

Related Controls

The controls below (if any) were marked by NIST as being related to CP-4.

Control	Description
AT-3	a: Provide role-based security and privacy training to personnel with the following roles and responsibilities: [one of ]: 1: Before authorizing access to the system, information, or performing assigned duties, and [the frequency at which to provide role-based security and privacy training to assigned personnel after initial training is defined;] thereafter; and 2: When required by system changes; b: Update role-based training content [the frequency at which to update role-based training content is defined;] and following [events that require role-based training content to be updated are defined;] ; and c: Incorporate lessons learned from internal or external security incidents or breaches into role-based training.
CP-2	a: Develop a contingency plan for the system that: 1: Identifies essential mission and business functions and associated contingency requirements; 2: Provides recovery objectives, restoration priorities, and metrics; 3: Addresses contingency roles, responsibilities, assigned individuals with contact information; 4: Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure; 5: Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented; 6: Addresses the sharing of contingency information; and 7: Is reviewed and approved by [one of ]; b: Distribute copies of the contingency plan to [one of ]; c: Coordinate contingency planning activities with incident handling activities; d: Review the contingency plan for the system [frequency of contingency plan review is defined;]; e: Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f: Communicate contingency plan changes to [one of ]; g: Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and h: Protect the contingency plan from unauthorized disclosure and modification.
CP-3	a: Provide contingency training to system users consistent with assigned roles and responsibilities: 1: Within [the time period within which to provide contingency training after assuming a contingency role or responsibility is defined;] of assuming a contingency role or responsibility; 2: When required by system changes; and 3: [frequency at which to provide training to system users with a contingency role or responsibility is defined;] thereafter; and b: Review and update contingency training content [frequency at which to review and update contingency training content is defined;] and following [events necessitating review and update of contingency training are defined;].
CP-8	Establish alternate telecommunications services, including necessary agreements to permit the resumption of [system operations to be resumed for essential mission and business functions are defined;] for essential mission and business functions within [time period within which to resume essential mission and business functions when the primary telecommunications capabilities are unavailable is defined;] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
CP-9	a: Conduct backups of user-level information contained in [system components for which to conduct backups of user-level information is defined;] [frequency at which to conduct backups of user-level information consistent with recovery time and recovery point objectives is defined;]; b: Conduct backups of system-level information contained in the system [frequency at which to conduct backups of system-level information consistent with recovery time and recovery point objectives is defined;]; c: Conduct backups of system documentation, including security- and privacy-related documentation [frequency at which to conduct backups of system documentation consistent with recovery time and recovery point objectives is defined;] ; and d: Protect the confidentiality, integrity, and availability of backup information.
IR-3	Test the effectiveness of the incident response capability for the system [frequency at which to test the effectiveness of the incident response capability for the system is defined;] using the following tests: [tests used to test the effectiveness of the incident response capability for the system are defined;].
IR-4	a: Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery; b: Coordinate incident handling activities with contingency planning activities; c: Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and d: Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization.
PL-2	a: Develop security and privacy plans for the system that: 1: Are consistent with the organization’s enterprise architecture; 2: Explicitly define the constituent system components; 3: Describe the operational context of the system in terms of mission and business processes; 4: Identify the individuals that fulfill system roles and responsibilities; 5: Identify the information types processed, stored, and transmitted by the system; 6: Provide the security categorization of the system, including supporting rationale; 7: Describe any specific threats to the system that are of concern to the organization; 8: Provide the results of a privacy risk assessment for systems processing personally identifiable information; 9: Describe the operational environment for the system and any dependencies on or connections to other systems or system components; 10: Provide an overview of the security and privacy requirements for the system; 11: Identify any relevant control baselines or overlays, if applicable; 12: Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions; 13: Include risk determinations for security and privacy architecture and design decisions; 14: Include security- and privacy-related activities affecting the system that require planning and coordination with [individuals or groups with whom security and privacy-related activities affecting the system that require planning and coordination is/are assigned;] ; and 15: Are reviewed and approved by the authorizing official or designated representative prior to plan implementation. b: Distribute copies of the plans and communicate subsequent changes to the plans to [personnel or roles to receive distributed copies of the system security and privacy plans is/are assigned;]; c: Review the plans [frequency to review system security and privacy plans is defined;]; d: Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and e: Protect the plans from unauthorized disclosure and modification.
PM-14	a: Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems: 1: Are developed and maintained; and 2: Continue to be executed; and b: Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.
SR-2	a: Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components or system services: [systems, system components, or system services for which a supply chain risk management plan is developed are defined;]; b: Review and update the supply chain risk management plan [the frequency at which to review and update the supply chain risk management plan is defined;] or as required, to address threat, organizational or environmental changes; and c: Protect the supply chain risk management plan from unauthorized disclosure and modification.

Enhancements

The controls below (if any) add on to the requirements of CP-4.

Control	Description
CP-4(1)	Coordinate contingency plan testing with organizational elements responsible for related plans.
CP-4(2)	Test the contingency plan at the alternate processing site: (a): To familiarize contingency personnel with the facility and available resources; and (b): To evaluate the capabilities of the alternate processing site to support contingency operations.
CP-4(3)	Test the contingency plan using [automated mechanisms for contingency plan testing are defined;].
CP-4(4)	Include a full recovery and reconstitution of the system to a known state as part of contingency plan testing.
CP-4(5)	Employ [mechanisms employed to disrupt and adversely affect the system or system component are defined;] to [system or system component on which to apply disruption mechanisms are defined;] to disrupt and adversely affect the system or system component.

Related CCIs

The CCIs below are tied to CP-4.

CCI	Definition
CCI-000490	Defines the frequency with which to test the contingency plan for the system.
CCI-000492	Defines the contingency plan tests to be conducted for the system.
CCI-000494	Test the contingency plan for the system in accordance with organization-defined frequency using organization-defined tests to determine the effectiveness of the plan and the organizational readiness to execute the plan.
CCI-000496	Review the contingency plan test results.
CCI-000497	Initiate corrective actions, if needed, after reviewing the contingency plan test results.