catalog: SP800-53rev3 / class: Operational / family: (CP) Contingency Planning

CP-04: Contingency Plan Testing and Exercises

base control objective:
The organization:
a. Tests and/or exercises the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests and/or exercises] to determine the plan’s effectiveness and the organization’s readiness to execute the plan; and
b. Reviews the contingency plan test/exercise results and initiates corrective actions.

supplemental objective information:
There are several methods for testing and/or exercising contingency plans to identify potential weaknesses (e.g., checklist, walk-through/tabletop, simulation; parallel, full interrupt). Contingency plan testing and/or exercises include a determination of the effects on organizational operations and assets (e.g., reduction in mission capability) and individuals arising due to contingency operations in accordance with the plan.

enhancements to the base objective:

(1) The organization coordinates contingency plan testing and/or exercises with organizational elements responsible for related plans.
Enhancement Supplemental Guidance: Examples of related plans include Business Continuity Plan, Disaster Recovery Plan, Continuity of Operations Plan, Crisis Communications Plan, Critical Infrastructure Plan, Cyber Incident Response Plan, and Occupant Emergency Plan.

(2) The organization tests/exercises the contingency plan at the alternate processing site to familiarize contingency personnel with the facility and available resources and to evaluate the site’s capabilities to support contingency operations.

(3) The organization employs automated mechanisms to more thoroughly and effectively test/exercise the contingency plan by providing more complete coverage of contingency issues, selecting more realistic test/exercise scenarios and environments, and more effectively stressing the information system and supported missions.

(4) The organization includes a full recovery and reconstitution of the information system to a known [Selection: secure; safe] state as part of contingency plan testing.
Enhancement Supplemental Guidance:

mapping to FIPS199 baseline:

LOW: base     MOD: base (1)     HIGH: base (1) (2) (4)

related (regimented) controls:

CP-10   Information System Recovery and Reconstitution
SC-24   Fail in Known State

documents referenced in SP800-53rev3 for CP-04:

Document        Date             Status    Title
FIPS 199        February 2004    current   Standards for Security Categorization of Federal Information and Information Systems
NIST SP800-12   October 1995     current   An Introduction to Computer Security: The NIST Handbook
NIST SP800-34   May 2010         current   Contingency Planning Guide for Information Technology Systems
NIST SP800-56a  March 2006       current   Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography
NIST SP800-66   October 2008     current   An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
NIST SP800-84   September 2006   current   Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities