home || catalog: SP800-53rev3 / class: Operational / family: (CP) Contingency Planning ||
search controls:
search nistpubs:

AC
AT
AU
CA
CM
CP

CP-01
CP-02
CP-03
CP-04
CP-05
CP-06
CP-07
CP-08
CP-09
CP-10 *

IA
IR
MA
MP
PE
PL
PM
PS
RA
SA
SC
SI
MMMMM

  CP-10: Information System Recovery and Reconstitution  

base control objective:
The organization provides for the recovery and reconstitution of the information system to a known [Selection: secure; safe] state after a disruption, compromise, or failure.

supplemental objective information:
Recovery and reconstitution to a known secure state means that all system parameters (default or organization-established) are set to secure values, security-critical patches are reinstalled, security-related configuration settings are reestablished, system documentation and operating procedures are available, application and system software is reinstalled and configured with secure settings, information from the most recent, known secure backups is loaded, and the system is fully tested. The information system recovery and reconstitution capability employed by the organization is based on organizational priorities, established recovery point/time and reconstitution objectives, and appropriate metrics. The recovery and reconstitution includes the deactivation of any information systems located at the relocation site. Deactivation is the process of finalizing the system recovery and validation operations and includes the necessary activities to prepare the system against another outage or disruption. The recovery and reconstitution capability employed by the organization can be a combination of automated mechanisms and manual procedures.

enhancements to the base objective:

(1) Withdrawn: Incorporated into CP-04.

(2) The information system implements transaction recovery for systems that are transaction-based.
Enhancement Supplemental Guidance: Database management systems and transaction processing systems are examples of information systems that are transaction-based. Transaction rollback and transaction journaling are examples of mechanisms supporting transaction recovery.

(3) The organization provides compensating security controls for [Assignment: organization-defined circumstances that can inhibit recovery and reconstitution to a known, secure state].

(4) The organization provides the capability to re-image information system components in accordance with [Assignment: organization-defined restoration time-periods] from configuration controlled and integrity protected disk images representing a secure, operational state for the components.

(5) The organization provides [Selection: real time; near-real-time] [Assignment: organization-defined failover capability for the information system].
Enhancement Supplemental Guidance: Examples of failover capability are incorporating mirrored information system operations at an alternate processing site or periodic data mirroring at regular intervals during a time period defined by the organizations restoration time period.

(6) The organization protects backup and restoration hardware, firmware, and software.
Enhancement Supplemental Guidance: Protection of backup and restoration hardware, firmware, and software includes both physical and technical measures. Router tables, compilers, and other security-relevant system software are examples of backup and restoration software.

mapping to FIPS199 baseline:

  LOW: base     MOD: base (2) (3)     HIGH: base (2) (3) (4)  

related (regimented) controls:

SC-24   Fail in Known State

documents referenced in SP800-53rev3 for CP-10:

Document Date Status Title
NIST SP800-21 December, 2005 current   Guideline for Implementing Cryptography in the Federal Government
NIST SP800-24 August, 2000 current   PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does
NIST SP800-34 May, 2010 current   Contingency Planning Guide for Information Technology Systems
NIST SP800-44 September 2002 current   Guidelines on Securing Public Web Servers
NIST SP800-57, part1 August, 2005 current   Recommendation for Key Management, part 1
NIST SP800-57, part2 August, 2005 current   Recommendation for Key Management, part 2
NIST SP800-83 September, 2006 current   Guide to Malware Incident Prevention and Handling
NIST SP800-98 September, 2006 DRAFT   Guidelines for Securing Radio Frequency Identification (RFID) Systems

Search SP800-53rev3 catalog: