Doc:NIST SP 800-53Ar1 Appendix F/Enhanced/CP/Moderate

Template:Doc:NIST SP 800-53r3 Appendix F/CP-1

Determine if: (i) the organization develops and formally documents contingency planning policy; (ii) the organization contingency planning policy addresses: purpose; scope; roles and responsibilities; management commitment; coordination among organizational entities; and compliance; (iii) the organization disseminates formal documented contingency planning policy to elements within the organization having associated contingency planning roles and responsibilities; (iv) the organization develops and formally documents contingency planning procedures; (v) the organization contingency planning procedures facilitate implementation of the contingency planning policy and associated contingency planning controls; and (vi) the organization disseminates formal documented contingency planning procedures to elements within the organization having associated contingency planning roles and responsibilities.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Contingency planning policy and procedures; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with contingency planning responsibilities].

Determine if: (i) the organization defines the frequency of contingency planning policy reviews/updates; (ii) the organization reviews/updates contingency planning policy in accordance with organization-defined frequency; (iii) the organization defines the frequency of contingency planning procedure reviews/updates; and (iv) the organization reviews/updates contingency planning procedures in accordance with organization-defined frequency.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Contingency planning policy and procedures; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with contingency planning responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/CP-2

Determine if: (i) the organization develops a contingency plan for the information system that: identifies essential missions and business functions and associated contingency requirements; provides recovery objectives, restoration priorities, and metrics; addresses contingency roles, responsibilities, assigned individuals with contact information; addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; and addresses eventual, full information system restoration without deterioration of the security measures originally planned and implemented; and is reviewed and approved by designated officials within the organization; (ii) the organization defines key contingency personnel (identified by name and/or by role) and organizational elements designated to receive copies of the contingency plan; and (iii) the organization distributes copies of the contingency plan to organization-defined key contingency personnel and organizational elements.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Contingency planning policy; procedures addressing contingency operations for the information system; contingency plan; security plan; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities].

Determine if: (i) the organization coordinates contingency planning activities with incident handling activities: (ii) the organization defines the frequency of contingency plan reviews; (iii) the organization reviews the contingency plan for the information system in accordance with the organization-defined frequency; (iv) the organization revises the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution or testing; and (v) the organization communicates contingency plan changes to the key contingency personnel and organizational elements as identified in CP-2.1 (ii).

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Contingency planning policy; procedures addressing contingency operations for the information system; contingency plan; security plan; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities; organizational personnel with incident handling responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/CP-2/1

Determine if the organization coordinates the contingency plan development with other organizational elements responsible for related plans.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Contingency planning policy; procedures addressing contingency operations for the information system; contingency plan; other related plans; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities and responsibilities in related plan areas].

Template:Doc:NIST SP 800-53r3 Appendix F/CP-3

Determine if: (i) the organization provides initial contingency training to personnel with contingency roles and responsibilities with respect to the information system; (ii) the organization defines the frequency of refresher contingency training; and (iii) the organization provides refresher training in accordance with organization-defined frequency.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing contingency training; contingency training curriculum; contingency training material; security plan; contingency training records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with contingency planning, plan implementation, and training responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/CP-4

Determine if: (i) the organization defines the contingency plan tests and/or exercises to be conducted; (ii) the organization defines the frequency of contingency plan tests and/or exercises; (iii) the organization tests/exercises the contingency plan using organization-defined tests/exercises in accordance with organization-defined frequency; and (iv) the organization reviews the contingency plan test/exercise results and takes corrective actions.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Contingency planning policy; contingency plan, procedures addressing contingency plan testing and exercises; security plan; contingency plan testing and/or exercise documentation; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with responsibilities for reviewing or responding to contingency plan tests/exercises].

Template:Doc:NIST SP 800-53r3 Appendix F/CP-4/1

Determine if the organization coordinates contingency plan testing and/or exercises with organizational elements responsible for related plans.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing contingency plan testing and exercises; contingency plan testing and/or exercise documentation; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with contingency planning, plan implementation, and testing responsibilities; organizational personnel with responsibilities for related plans].

Template:Doc:NIST SP 800-53r3 Appendix F/CP-6

Determine if : (i) the organization establishes an alternate storage site; and (ii) the organization initiates necessary alternate storage site agreements to permit the storage and recovery of information system backup information.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate storage sites; alternate storage site agreements; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/CP-6/1

Determine if: (i) the contingency plan identifies the primary storage site hazards; and (ii) the alternate storage site is separated from the primary storage site so as not to be susceptible to the same hazards identified at the primary site.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate storage sites; alternate storage site; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/CP-6/3

Determine if: (i) the organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster; and (ii) the organization outlines explicit mitigation actions for organization identified accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate storage sites; alternate storage site; mitigation actions for accessibility problems to the alternate storage site; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/CP-7

Determine if: (i) the organization establishes an alternate processing site; (ii) the organization defines the time period for achieving the recovery time objectives within which processing must be resumed at the alternate processing site; (iii) the organization includes necessary alternate processing site agreements to permit the resumption of information system operations for essential missions and business functions within organization-defined time period; and (iv) the equipment and supplies required to resume operations are available at the alternate site or contracts are in place to support delivery to the site in time to support the organization-defined time period for resumption.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate processing sites; alternate processing site agreements; security plan; spare equipment and supplies at alternate processing site; equipment and supply contracts; service level agreements; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/CP-7/1

Determine if: (i) the contingency plan identifies the primary processing site hazards; and (ii) the alternate processing site is separated from the primary processing site so as not to be susceptible to the same hazards identified at the primary site.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate processing sites; alternate processing site; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/CP-7/2

Determine if: (i) the organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster; and (ii) the organization outlines explicit mitigation actions for organization identified accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate processing sites; alternate processing site; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/CP-7/3

Determine if the organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with the organization's availability requirements.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate processing sites; alternate processing site agreements; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/CP-7/5

Determine if the alternate processing site provides information security measures equivalent to that of the primary site.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate processing sites; alternate processing site; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/CP-8

Determine if: (i) the organization establishes alternate telecommunications services to support the information system; (ii) the organization defines in the time period within which resumption of information system operations must take place; and (iii) the organization establishes necessary alternate telecommunications service agreements to permit the resumption of telecommunications services for essential missions and business functions within the organization-defined time period when the primary telecommunications capabilities are unavailable.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate telecommunications services; security plan; primary and alternate telecommunications service agreements; list of essential missions and business functions; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/CP-8/1

Determine if: (i) the organization develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements; and (ii) the organization requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate telecommunications services; primary and alternate telecommunications service agreements; Telecommunications Service Priority documentation; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/CP-8/2

Determine if the organization obtains alternate telecommunications services with consideration for reducing the likelihood of sharing a single point of failure with primary telecommunications services.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate telecommunications services; primary and alternate telecommunications service agreements; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities; telecommunications service providers].

Template:Doc:NIST SP 800-53r3 Appendix F/CP-9

Determine if: (i) the organization defines the frequency of conducting user-level information backups to support recovery time objectives and recovery point objectives; (ii) the organization defines the frequency of conducting system-level information backups to support recovery time objectives and recovery point objectives; (iii) the organization defines the frequency of conducting information system documentation backups (including security-related information) to support recovery time objectives and recovery point objectives; (iv) the organization backs up user-level information in accordance with the organization-defined frequency; (v) the organization backs up system-level information in accordance with the organization-defined frequency; and (vi) the organization backs up information system documentation in accordance with the organization-defined frequency.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing information system backup; security plan; backup storage location(s); information system backup logs or records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system backup responsibilities].

Determine if the organization protects the confidentiality and integrity of backup information at the storage location.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing information system backup; information system design documentation; information system configuration settings and associated documentation; backup storage location(s); other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system backup responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/CP-9/1

Determine if: (i) the organization defines the frequency of information system backup testing; and (ii) the organization conducts information system backup testing in accordance with organization-defined frequency to verify backup media reliability and information integrity.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing information system backup; security plan; information system backup test results; backup storage location(s); other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/CP-10

Determine if the organization provides automated mechanisms and/or manual procedures for the recovery and reconstitution of the information system to known state after a disruption, compromise, or failure.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing information system recovery and reconstitution; information system configuration settings and associated documentation; information system design documentation; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms and/or manual procedures for implementing information system recovery and reconstitution operations].

Template:Doc:NIST SP 800-53r3 Appendix F/CP-10/2

Determine if the information system implements transaction recovery for systems that are transaction-based.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing information system recovery and reconstitution; information system design documentation; information system configuration settings and associated documentation; contingency plan test results; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing transaction recovery capability].

Template:Doc:NIST SP 800-53r3 Appendix F/CP-10/3

Determine if: (i) the organization defines in the security plan, explicitly or by reference, the circumstances that can inhibit recovery and reconstitution of the information system to a known state; and (ii) the organization provides compensating security controls for organization-defined circumstances that can inhibit recovery and reconstitution of the information system to a known state.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing information system recovery and reconstitution; contingency plan test procedures; security plan; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system recovery and reconstitution responsibilities].