Contingency planning

Estimated reading time: 13 minutes

CP-1 Contingency Planning Policy And Procedures

Description

The organization:

  1. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
    1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    2. Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and
  2. Reviews and updates the current:
    1. Contingency planning policy [Assignment: organization-defined frequency]; and
    2. Contingency planning procedures [Assignment: organization-defined frequency].

Control Information

Responsible role(s) - Organization

CP-2 Contingency Plan

Description

The organization:

  1. Develops a contingency plan for the information system that:
    1. Identifies essential missions and business functions and associated contingency requirements;
    2. Provides recovery objectives, restoration priorities, and metrics;
    3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
    4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
    5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
    6. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
  2. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
  3. Coordinates contingency planning activities with incident handling activities;
  4. Reviews the contingency plan for the information system [Assignment: organization-defined frequency];
  5. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
  6. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and
  7. Protects the contingency plan from unauthorized disclosure and modification.

Control Information

Responsible role(s) - Organization

Description

The organization coordinates contingency plan development with organizational elements responsible for related plans.

Control Information

Responsible role(s) - Organization

CP-2 (2) Capacity Planning

Description

The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.

Control Information

Responsible role(s) - Organization

CP-2 (3) Resume Essential Missions / Business Functions

Description

The organization plans for the resumption of essential missions and business functions within [Assignment: organization-defined time period] of contingency plan activation.

Control Information

Responsible role(s) - Organization

CP-2 (4) Resume All Missions / Business Functions

Description

The organization plans for the resumption of all missions and business functions within [Assignment: organization-defined time period] of contingency plan activation.

Control Information

Responsible role(s) - Organization

CP-2 (5) Continue Essential Missions / Business Functions

Description

The organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity and sustains that continuity until full information system restoration at primary processing and/or storage sites.

Control Information

Responsible role(s) - Organization

CP-2 (6) Alternate Processing / Storage Site

Description

The organization plans for the transfer of essential missions and business functions to alternate processing and/or storage sites with little or no loss of operational continuity and sustains that continuity through information system restoration to primary processing and/or storage sites.

Control Information

Responsible role(s) - Organization

CP-2 (7) Coordinate With External Service Providers

Description

The organization coordinates its contingency plan with the contingency plans of external service providers to ensure that contingency requirements can be satisfied.

Control Information

Responsible role(s) - Organization

CP-2 (8) Identify Critical Assets

Description

The organization identifies critical information system assets supporting essential missions and business functions.

Control Information

Responsible role(s) - Organization

CP-3 Contingency Training

Description

The organization provides contingency training to information system users consistent with assigned roles and responsibilities:

  1. Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility;
  2. When required by information system changes; and
  3. [Assignment: organization-defined frequency] thereafter.

Control Information

Responsible role(s) - Organization

CP-3 (1) Simulated Events

Description

The organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations.

Control Information

Responsible role(s) - Organization

CP-3 (2) Automated Training Environments

Description

The organization employs automated mechanisms to provide a more thorough and realistic contingency training environment.

Control Information

Responsible role(s) - Organization

CP-4 Contingency Plan Testing

Description

The organization:

  1. Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan;
  2. Reviews the contingency plan test results; and
  3. Initiates corrective actions, if needed.

Control Information

Responsible role(s) - Organization

Description

The organization coordinates contingency plan testing with organizational elements responsible for related plans.

Control Information

Responsible role(s) - Organization

CP-4 (2) Alternate Processing Site

Description

The organization tests the contingency plan at the alternate processing site:

  1. To familiarize contingency personnel with the facility and available resources; and
  2. To evaluate the capabilities of the alternate processing site to support contingency operations.

Control Information

Responsible role(s) - Organization

CP-4 (3) Automated Testing

Description

The organization employs automated mechanisms to more thoroughly and effectively test the contingency plan.

Control Information

Responsible role(s) - Organization

CP-4 (4) Full Recovery / Reconstitution

Description

The organization includes a full recovery and reconstitution of the information system to a known state as part of contingency plan testing.

Control Information

Responsible role(s) - Organization

CP-6 Alternate Storage Site

Description

The organization:

  1. Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and
  2. Ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site.

Control Information

Responsible role(s) - Organization

CP-6 (1) Separation From Primary Site

Description

The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats.

Control Information

Responsible role(s) - Organization

CP-6 (2) Recovery Time / Point Objectives

Description

The organization configures the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives.

Control Information

Responsible role(s) - Organization

CP-6 (3) Accessibility

Description

The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

Control Information

Responsible role(s) - Organization

CP-7 Alternate Processing Site

Description

The organization:

  1. Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable;
  2. Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and
  3. Ensures that the alternate processing site provides information security safeguards equivalent to those of the primary site.

Control Information

Responsible role(s) - Organization

CP-7 (1) Separation From Primary Site

Description

The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats.

Control Information

Responsible role(s) - Organization

CP-7 (2) Accessibility

Description

The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

Control Information

Responsible role(s) - Organization

CP-7 (3) Priority Of Service

Description

The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives).

Control Information

Responsible role(s) - Organization

CP-7 (4) Preparation For Use

Description

The organization prepares the alternate processing site so that the site is ready to be used as the operational site supporting essential missions and business functions.

Control Information

Responsible role(s) - Organization

CP-7 (6) Inability To Return To Primary Site

Description

The organization plans and prepares for circumstances that preclude returning to the primary processing site.

Control Information

Responsible role(s) - Organization

CP-8 Telecommunications Services

Description

The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of [Assignment: organization-defined information system operations] for essential missions and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.

Control Information

Responsible role(s) - Organization

CP-8 (1) Priority Of Service Provisions

Description

The organization:

  1. Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and
  2. Requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier.

Control Information

Responsible role(s) - Organization

CP-8 (2) Single Points Of Failure

Description

The organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.

Control Information

Responsible role(s) - Organization

CP-8 (3) Separation Of Primary / Alternate Providers

Description

The organization obtains alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.

Control Information

Responsible role(s) - Organization

CP-8 (4) Provider Contingency Plan

Description

The organization:

  1. Requires primary and alternate telecommunications service providers to have contingency plans;
  2. Reviews provider contingency plans to ensure that the plans meet organizational contingency requirements; and
  3. Obtains evidence of contingency testing/training by providers [Assignment: organization-defined frequency].

Control Information

Responsible role(s) - Organization

CP-8 (5) Alternate Telecommunication Service Testing

Description

The organization tests alternate telecommunication services [Assignment: organization-defined frequency].

Control Information

Responsible role(s) - Organization

CP-9 Information System Backup

Description

The organization:

  1. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
  2. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
  3. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
  4. Protects the confidentiality, integrity, and availability of backup information at storage locations.

Control Information

Responsible role(s) - Organization

CP-9 (1) Testing For Reliability / Integrity

Description

The organization tests backup information [Assignment: organization-defined frequency] to verify media reliability and information integrity.

Control Information

Responsible role(s) - Organization

CP-9 (2) Test Restoration Using Sampling

Description

The organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing.

Control Information

Responsible role(s) - Organization

CP-9 (3) Separate Storage For Critical Information

Description

The organization stores backup copies of [Assignment: organization-defined critical information system software and other security-related information] in a separate facility or in a fire-rated container that is not collocated with the operational system.

Control Information

Responsible role(s) - Organization

CP-9 (5) Transfer To Alternate Storage Site

Description

The organization transfers information system backup information to the alternate storage site [Assignment: organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives].

Control Information

Responsible role(s) - Organization

CP-9 (6) Redundant Secondary System

Description

The organization accomplishes information system backup by maintaining a redundant secondary system that is not collocated with the primary system and that can be activated without loss of information or disruption to operations.

Control Information

Responsible role(s) - Organization

CP-9 (7) Dual Authorization

Description

The organization enforces dual authorization for the deletion or destruction of [Assignment: organization-defined backup information].

Control Information

Responsible role(s) - Organization

CP-10 Information System Recovery And Reconstitution

Description

The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.

Control Information

Responsible role(s) - Organization

CP-10 (2) Transaction Recovery

Description

The information system implements transaction recovery for systems that are transaction-based.

Control Information

Responsible role(s) - Docker system

Component Implementation Status(es) Control Origin(s)
Docker Trusted Registry (DTR) none
Docker EE system
Universal Control Plane (UCP) none
Docker EE system

Implementation Details

Docker Trusted Registry maintains its cluster state via an internal key-value store. This, and other DTR transactions can be backed up and recovered. Additional information can be found at the following resources:
Universal Control Plane maintains its cluster state via an internal key-value store. This, and other UCP transactions can be backed up and recovered. Additional information can be found at the following resources:

CP-10 (4) Restore Within Time Period

Description

The organization provides the capability to restore information system components within [Assignment: organization-defined restoration time-periods] from configuration-controlled and integrity-protected information representing a known, operational state for the components.

Control Information

Responsible role(s) - Organization

CP-10 (6) Component Protection

Description

The organization protects backup and restoration hardware, firmware, and software.

Control Information

Responsible role(s) - Organization

CP-11 Alternate Communications Protocols

Description

The information system provides the capability to employ [Assignment: organization-defined alternative communications protocols] in support of maintaining continuity of operations.

Control Information

Responsible role(s) - Organization

CP-12 Safe Mode

Description

The information system, when [Assignment: organization-defined conditions] are detected, enters a safe mode of operation with [Assignment: organization-defined restrictions of safe mode of operation].

Control Information

Responsible role(s) - Organization

CP-13 Alternative Security Mechanisms

Description

The organization employs [Assignment: organization-defined alternative or supplemental security mechanisms] for satisfying [Assignment: organization-defined security functions] when the primary means of implementing the security function is unavailable or compromised.

Control Information

Responsible role(s) - Organization

standards, compliance, security, 800-53, Contingency planning