Program-specific policies and procedures shall be included in the specific security controls listed below. There is no requirement for the Program to develop additional policy to meet the -1 control. For additional information on the types of contingency plans, review the section in the DAA PM.
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization:
Identify personnel responsible for Contingency Planning. This can be found in the approved System Security Plan. Contingency Planning Process and Procedures will be disseminated to appropriate personnel.
Create a contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance (the ODAA process manual and NIST 800-34 can be used as guidance); and create procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The availability impact level drives the level of contingency required for the system. The Information System Contingency Plan (ISCP) may be either a separate document specific to the IS, included in the SSP, or may be incorporated into a broader site contingency plan, such as the Business Continuity Plan (BCP) or Continuity of Operations Plan (COOP). ISCP development is the responsibility of the ISO.
A key step in developing an ISCP is to conduct a Business Impact Analysis (BIA). The BIA enables the organization to characterize the system components, supported mission/business functions, and interdependencies. The purpose of the BIA is to correlate the system with the critical mission/business processes and services provided and, based on that information, characterize the consequences of a disruption. The organization can use the BIA results to determine contingency planning requirements and priorities. Results from the BIA can also be incorporated into the analysis and strategy development efforts for the organization’s COOP, BCPs, and DRP. The depth of planning and degree of detail in an ISCP depend on the mission criticality of each system should the system become unavailable. A simple statement as to how long a system can remain unavailable before it impacts the mission is the basic foundation of a BIA. The mission owner or ISO determines to what lengths the ISSM/ISSO should go to ensure a contingency plan is in place, e.g., relocation of users/team/crew, hot backup, warm backup, backup media stored offsite, or no additional measures beyond backing up the data.
The plan must define and describe specific responsibilities of designated staff or positions to facilitate the recovery and/or continuity of essential system functions. The ISCP consists of a comprehensive description of all actions to be taken before, during, and after a disaster or emergency condition along with documented and tested procedures. The ISCP helps to ensure critical resources are available and facilitates the continuity of operations in an emergency situation.
The organization develops a contingency plan that:
Identifies essential missions and business functions and associated contingency requirements;
Click here to enter text.
Provides recovery objectives, restoration priorities, and metrics;
Addresses contingency roles, responsibilities, assigned individuals with contact information;
Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
Coordinates contingency planning activities with incident handling activities
Click here to enter text.
Is reviewed and approved by ISSM/FSO annually
Click here to enter text.
Distributes copies of the contingency plan to all stakeholders identified in the contingency plan via an information sharing capability
Click here to enter text.
Coordinates contingency planning activities with incident handling activities;
Reviews the contingency plan for the information system at least annually
Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
Communicates contingency plan changes to stakeholders identified in the contingency plan; and
Click here to enter text.
Protects the contingency plan from unauthorized disclosure and modification
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization:
Tests the contingency plan for the information system annually using full scale contingency plan testing or functional/tabletop exercises to determine the effectiveness of the plan and the organizational readiness to execute the plan.
Click here to enter text.
Documents and reviews the contingency plan test/exercise results,
Initiates the corrective actions, if needed.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY
Click here to enter text.
10.11.5 CP-7 – Alternate Processing Site (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
NOTE: CP-7 and CP-7(5) are normally only applicable for IS with an Availability Impact level of Moderate or High. The organization shall, as required:
Establish an alternate processing site including necessary agreements to permit the resumption of information system operations for essential mission/business functions. The organization will define the time period consistent with recovery time and recovery point objectives for essential mission/business functions to permit the transfer and resumption of organization-defined information system operations at an alternate processing site when the primary processing capabilities are unavailable.
Tailored out, low availability impact
Ensure that equipment and supplies required to resume operations are available at the alternate processing site or contracts are in place to support delivery to the site in time to support the organization-defined time period for resumption
Tailored out, low availability impact
Ensure that the alternate processing site provides information security safeguards equivalent to that of the primary site
Tailored out, low availability impact
Develop alternate processing site agreements (e.g., MOA/MOU) that contain priority-of-service provisions in accordance with the organization’s availability requirements
Tailored out, low availability impact
CONTINUOUS MONITORING STRATEGY
Click here to enter text.
10.11.5.1 CP-7 (5) – Alternate Processing Site: Equivalent Information Security Safeguards WITHDRAWN Incorporated Into CP-7
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The ISO shall develop backup plans for all information systems. Backup plans must be coordinated with the ISSM/ISSO and included in the ISCP. Backup plans should consider data-production rates and data-loss risks. The areas of risk that should be identified and planned for include, but are not limited to:
Loss of power.
Loss of network connectivity.
Loss or corruption of data.
Facility disruptions, such as loss of air conditioning, fire, flooding, etc.
Backup procedures should reflect the risk from media loss. If a hard disk were damaged, lost or contaminated in some way, the disk backups, coupled with periodic incremental backups between full backups, would allow for the restoration of the data. “Active backups” should be maintained for disks that contain often-used applications.
Backup information must be protected to ensure its confidentiality and integrity. Digital signatures and cryptographic hashes can be employed to protect the integrity of information system backups. Reference SC-13, Cryptographic Protection. An organizational assessment of risk guides the use of encryption for protecting backup information. Reference SC-28, Protection of Data at Rest.
The organization:
Conducts backups of user-level information contained in the information system weekly
Click here to enter text.
Conducts backups of system-level information in the information system weekly
Click here to enter text.
Conducts backups of information system documentation, including security-related documentation, when created or received, when updated, and as required by system baseline configuration changes in accordance with the contingency plan.
Click here to enter text.
Protects the confidentiality, integrity, and availability of backup information at storage locations
Click here to enter text.
CONTINUOUS MONITORING STRATEGY
Click here to enter text.
10.11.7 CP-10 – Information System Recovery and Reconstitution
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.
Recovery and reconstitution operations reflect mission and business priorities, recovery point/time and reconstitution objectives, and established organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of any interim information system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored information system capabilities, reestablishment of continuous monitoring activities, potential information system reauthorizations, and activities to prepare the systems against future disruptions, compromises, or failures.
Organizations shall ensure all backup and restoration hardware, firmware and software are adequately protected.
The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.