SP800-53rev3 / class: Operational / family: (CP) Contingency Planning

CP-02: Contingency Plan

base control objective:
The organization:
a. Develops a contingency plan for the information system that:
   - Identifies essential missions and business functions and associated contingency requirements;
   - Provides restoration priorities and metrics;
   - Addresses contingency roles, responsibilities, and assigned individuals with contact information;
   - Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
   - Addresses eventual, full information system restoration without deterioration of the security measures originally planned; and
   - Is reviewed and approved by designated officials within the organization;
b. Distributes copies of the contingency plan to [Assignment: organization-defined list of key contingency personnel and organizational elements, identified by name and/or by role];
c. Coordinates contingency planning activities with incident handling activities;
d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency];
e. Revises the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; and
f. Communicates contingency plan changes to [Assignment: organization-defined list of key contingency personnel and organizational elements, identified by name and/or by role].

supplemental objective information:
Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business operations. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. Information system recovery objectives are consistent with applicable laws, Executive Orders, directives, policies, standards, or regulations. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission/business effectiveness, such as malicious attacks compromising the confidentiality or integrity of the information system. Examples of actions to call out in contingency plans include, for example, graceful degradation, information system shutdown, fall back to a manual mode, alternate information flows, or operating in a mode that is reserved solely for when the system is under attack.

enhancements to the base objective:

(1) The organization coordinates contingency plan development with organizational elements responsible for related plans.
Enhancement Supplemental Guidance: Examples of related plans include Business Continuity Plan, Disaster Recovery Plan, Continuity of Operations Plan, Crisis Communications Plan, Critical Infrastructure Plan, Cyber Incident Response Plan, and Occupant Emergency Plan.

(2) The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.

(3) The organization plans for the resumption of essential missions and business functions within [Assignment: organization-defined time period] of contingency plan activation.

(4) The organization plans for the full resumption of missions and business functions within [Assignment: organization-defined time period] of contingency plan activation.

(5) The organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity and sustains that continuity until full information system restoration at primary processing and/or storage sites.

(6) The organization provides for the transfer of all essential missions and business functions to alternate processing and/or storage sites with little or no loss of operational continuity and sustains that continuity through restoration to primary processing and/or storage sites.

mapping to FIPS199 baseline:

LOW: base     MOD: base (1)     HIGH: base (1) (2) (3)

related (regimented) controls:

AC-14   Permitted Actions without Identification or Authentication
CP-06   Alternate Storage Site
CP-07   Alternate Processing Site
CP-08   Telecommunications Services
IR-04   Incident Handling
PM-08   Critical Infrastructure Plan

documents referenced in SP800-53rev3 for CP-02:

Document        | Date            | Status  | Title
NIST SP800-12   | October 1995    | current | An Introduction to Computer Security: The NIST Handbook
NIST SP800-14   | September 1996  | current | Generally Accepted Principles and Practices for Securing Information Technology Systems
NIST SP800-34   | May 2010        | current | Contingency Planning Guide for Information Technology Systems
NIST SP800-66   | October 2008    | current | An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
NIST SP800-82   | June 2011       | current | Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems Security