
Special Publication 800-53A

Guide for Assessing the Security Controls in Federal Information Systems and Organizations

________________________________________________________________________________________________

FAMILY: CONTINGENCY PLANNING    CLASS: OPERATIONAL

ASSESSMENT PROCEDURE

 

 

 

 

CP-2 CONTINGENCY PLAN

CP-2.1 ASSESSMENT OBJECTIVE:

Determine if:

(i) the organization develops a contingency plan for the information system that:

- identifies essential missions and business functions and associated contingency requirements;

- provides recovery objectives, restoration priorities, and metrics;

- addresses contingency roles, responsibilities, assigned individuals with contact information;

- addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;

- addresses eventual, full information system restoration without deterioration of the security measures originally planned and implemented; and

- is reviewed and approved by designated officials within the organization;

(ii) the organization defines key contingency personnel (identified by name and/or by role) and organizational elements designated to receive copies of the contingency plan; and

(iii) the organization distributes copies of the contingency plan to organization-defined key contingency personnel and organizational elements.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Contingency planning policy; procedures addressing contingency operations for the information system; contingency plan; security plan; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities].

 

 

 

 

CP-2.2 ASSESSMENT OBJECTIVE:

Determine if:

(i) the organization coordinates contingency planning activities with incident handling activities;

(ii) the organization defines the frequency of contingency plan reviews;

(iii) the organization reviews the contingency plan for the information system in accordance with the organization-defined frequency;

(iv) the organization revises the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; and

(v) the organization communicates contingency plan changes to the key contingency personnel and organizational elements as identified in CP-2.1 (ii).

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Contingency planning policy; procedures addressing contingency operations for the information system; contingency plan; security plan; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities; organizational personnel with incident handling responsibilities].

APPENDIX F-CP

PAGE F-111


CP-2(1) CONTINGENCY PLAN

CP-2(1).1 ASSESSMENT OBJECTIVE:

Determine if the organization coordinates the contingency plan development with other organizational elements responsible for related plans.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Contingency planning policy; procedures addressing contingency operations for the information system; contingency plan; other related plans; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities and responsibilities in related plan areas].

CP-2(2) CONTINGENCY PLAN

CP-2(2).1 ASSESSMENT OBJECTIVE:

Determine if the organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Contingency planning policy; procedures addressing contingency operations for the information system; contingency plan; capacity planning documents; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities].

CP-2(3) CONTINGENCY PLAN

CP-2(3).1 ASSESSMENT OBJECTIVE:

Determine if:

(i) the organization defines the time period for planning the resumption of essential missions and business functions as a result of contingency plan activation; and

(ii) the organization plans for the resumption of essential missions and business functions within the organization-defined time period of contingency plan activation.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Contingency planning policy; procedures addressing contingency operations for the information system; contingency plan; security plan; business impact assessment; other related plans; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities].


CP-2(4) CONTINGENCY PLAN

CP-2(4).1 ASSESSMENT OBJECTIVE:

Determine if:

(i) the organization defines the time period for planning the full resumption of affected missions and business functions as a result of contingency plan activation; and

(ii) the organization plans for the full resumption of affected missions and business functions within the organization-defined time period of contingency plan activation.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Contingency planning policy; procedures addressing contingency operations for the information system; contingency plan; security plan; business impact assessment; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities].

CP-2(5) CONTINGENCY PLAN

CP-2(5).1 ASSESSMENT OBJECTIVE:

Determine if:

(i) the organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity; and

(ii) the organization sustains operational continuity until full information system restoration at primary processing and/or storage sites.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Contingency planning policy; procedures addressing contingency operations for the information system; contingency plan; business impact assessment; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities].

CP-2(6) CONTINGENCY PLAN

CP-2(6).1 ASSESSMENT OBJECTIVE:

Determine if:

(i) the organization provides for the transfer of all essential missions and business functions to alternate processing and/or storage sites with little or no loss of operational continuity; and

(ii) the organization sustains operational continuity through restoration to primary processing and/or storage sites.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Contingency planning policy; procedures addressing contingency operations for the information system; contingency plan; alternate processing site agreements; alternate storage site agreements; contingency plan testing and/or exercise documentation; contingency plan test results; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities].


FAMILY: CONTINGENCY PLANNING    CLASS: OPERATIONAL

ASSESSMENT PROCEDURE

 

 

 

 

CP-3 CONTINGENCY TRAINING

CP-3.1 ASSESSMENT OBJECTIVE:

Determine if:

(i) the organization provides initial contingency training to personnel with contingency roles and responsibilities with respect to the information system;

(ii) the organization defines the frequency of refresher contingency training; and

(iii) the organization provides refresher training in accordance with the organization-defined frequency.

 

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing contingency training; contingency training curriculum; contingency training material; security plan; contingency training records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with contingency planning, plan implementation, and training responsibilities].

CP-3(1) CONTINGENCY TRAINING

CP-3(1).1 ASSESSMENT OBJECTIVE:

Determine if:

(i) the organization incorporates simulated events into contingency training; and

(ii) the incorporation of simulated events into contingency training facilitates effective response by personnel in crisis situations.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing contingency training; contingency training curriculum; contingency training material; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with contingency planning, plan implementation, and training responsibilities].

CP-3(2) CONTINGENCY TRAINING

CP-3(2).1 ASSESSMENT OBJECTIVE:

Determine if the organization employs automated mechanisms that provide a more thorough and realistic contingency training environment.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing contingency training; automated mechanisms supporting contingency training; contingency training curriculum; contingency training material; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with contingency planning, plan implementation, and training responsibilities].


FAMILY: CONTINGENCY PLANNING    CLASS: OPERATIONAL

ASSESSMENT PROCEDURE

 

 

 

 

CP-4 CONTINGENCY PLAN TESTING AND EXERCISES

CP-4.1 ASSESSMENT OBJECTIVE:

Determine if:

(i) the organization defines the contingency plan tests and/or exercises to be conducted;

(ii) the organization defines the frequency of contingency plan tests and/or exercises;

(iii) the organization tests/exercises the contingency plan using organization-defined tests/exercises in accordance with the organization-defined frequency; and

(iv) the organization reviews the contingency plan test/exercise results and takes corrective actions.

 

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing contingency plan testing and exercises; security plan; contingency plan testing and/or exercise documentation; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with responsibilities for reviewing or responding to contingency plan tests/exercises].

CP-4(1) CONTINGENCY PLAN TESTING AND EXERCISES

CP-4(1).1 ASSESSMENT OBJECTIVE:

Determine if the organization coordinates contingency plan testing and/or exercises with organizational elements responsible for related plans.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing contingency plan testing and exercises; contingency plan testing and/or exercise documentation; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with contingency planning, plan implementation, and testing responsibilities; organizational personnel with responsibilities for related plans].

CP-4(2) CONTINGENCY PLAN TESTING AND EXERCISES

CP-4(2).1 ASSESSMENT OBJECTIVE:

Determine if the organization conducts contingency plan testing/exercises at the alternate processing site to familiarize contingency personnel with the facility and available resources and to evaluate the site’s capabilities to support contingency operations.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing contingency plan testing and exercises; contingency plan testing and/or exercise documentation; contingency plan test results; other relevant documents or records].


CP-4(3) CONTINGENCY PLAN TESTING AND EXERCISES

CP-4(3).1 ASSESSMENT OBJECTIVE:

Determine if the organization employs automated mechanisms to more thoroughly and effectively test/exercise the contingency plan by providing more complete coverage of contingency issues, selecting more realistic test/exercise scenarios and environments, and more effectively stressing the information system and supported missions.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing contingency plan testing and exercises; automated mechanisms supporting contingency plan testing/exercises; contingency plan testing and/or exercise documentation; other relevant documents or records].

CP-4(4) CONTINGENCY PLAN TESTING AND EXERCISES

CP-4(4).1 ASSESSMENT OBJECTIVE:

Determine if the organization includes a full recovery and reconstitution of the information system to a known state as part of contingency plan testing.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing information system recovery and reconstitution; contingency plan testing and/or exercise documentation; contingency plan test results; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system recovery and reconstitution responsibilities; organizational personnel with contingency plan testing and/or exercise responsibilities].


FAMILY: CONTINGENCY PLANNING    CLASS: OPERATIONAL

ASSESSMENT PROCEDURE

 

 

 

 

CP-5 CONTINGENCY PLAN UPDATE

[Withdrawn: Incorporated into CP-2].

CP-5.1 ASSESSMENT OBJECTIVE:

[Withdrawn: Incorporated into CP-2].

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

[Withdrawn: Incorporated into CP-2].

CP-5.2 ASSESSMENT OBJECTIVE:

[Withdrawn: Incorporated into CP-2].

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

[Withdrawn: Incorporated into CP-2].

 

 

 

 


FAMILY: CONTINGENCY PLANNING    CLASS: OPERATIONAL

ASSESSMENT PROCEDURE

 

 

 

 

CP-6 ALTERNATE STORAGE SITE

CP-6.1 ASSESSMENT OBJECTIVE:

Determine if:

(i) the organization establishes an alternate storage site; and

(ii) the organization initiates necessary alternate storage site agreements to permit the storage and recovery of information system backup information.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate storage sites; alternate storage site agreements; other relevant documents or records].

CP-6(1) ALTERNATE STORAGE SITE

CP-6(1).1 ASSESSMENT OBJECTIVE:

Determine if:

(i) the contingency plan identifies the primary storage site hazards; and

(ii) the alternate storage site is separated from the primary storage site so as not to be susceptible to the same hazards identified at the primary site.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate storage sites; alternate storage site; other relevant documents or records].

CP-6(2) ALTERNATE STORAGE SITE

CP-6(2).1 ASSESSMENT OBJECTIVE:

Determine if the alternate storage site is configured to facilitate recovery operations in accordance with recovery time objectives and recovery point objectives.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate storage sites; alternate storage site agreements; alternate storage site; other relevant documents or records].


CP-6(3) ALTERNATE STORAGE SITE

CP-6(3).1 ASSESSMENT OBJECTIVE:

Determine if:

(i) the organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster; and

(ii) the organization outlines explicit mitigation actions for organization-identified accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate storage sites; alternate storage site; mitigation actions for accessibility problems to the alternate storage site; other relevant documents or records].

 

 

 


FAMILY: CONTINGENCY PLANNING    CLASS: OPERATIONAL

ASSESSMENT PROCEDURE

 

 

 

 

CP-7 ALTERNATE PROCESSING SITE

CP-7.1 ASSESSMENT OBJECTIVE:

Determine if:

(i) the organization establishes an alternate processing site;

(ii) the organization defines the time period for achieving the recovery time objectives within which processing must be resumed at the alternate processing site;

(iii) the organization includes necessary alternate processing site agreements to permit the resumption of information system operations for essential missions and business functions within the organization-defined time period; and

(iv) the equipment and supplies required to resume operations are available at the alternate site or contracts are in place to support delivery to the site in time to support the organization-defined time period for resumption.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate processing sites; alternate processing site agreements; security plan; spare equipment and supplies at alternate processing site; equipment and supply contracts; service level agreements; other relevant documents or records].

CP-7(1) ALTERNATE PROCESSING SITE

CP-7(1).1 ASSESSMENT OBJECTIVE:

Determine if:

(i) the contingency plan identifies the primary processing site hazards; and

(ii) the alternate processing site is separated from the primary processing site so as not to be susceptible to the same hazards identified at the primary site.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate processing sites; alternate processing site; other relevant documents or records].

CP-7(2) ALTERNATE PROCESSING SITE

CP-7(2).1 ASSESSMENT OBJECTIVE:

Determine if:

(i) the organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster; and

(ii) the organization outlines explicit mitigation actions for organization-identified accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate processing sites; alternate processing site; other relevant documents or records].
