compliance controls are associated with this Policy definition 'Communicate contingency plan changes' (a1334a65-2622-28ee-5067-9d7f5b915cc5)
Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
FedRAMP_High_R4 |
CP-2 |
FedRAMP_High_R4_CP-2 |
FedRAMP High CP-2 |
Contingency Planning |
Contingency Plan |
Shared |
n/a |
The organization:
a. Develops a contingency plan for the information system that:
1. Identifies essential missions and business functions and associated contingency requirements;
2. Provides recovery objectives, restoration priorities, and metrics;
3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
6. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
c. Coordinates contingency planning activities with incident handling activities;
d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency];
e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and
g. Protects the contingency plan from unauthorized disclosure and modification.
Supplemental Guidance: Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11.
References: Federal Continuity Directive 1; NIST Special Publication 800-34. |
link |
8 |
FedRAMP_Moderate_R4 |
CP-2 |
FedRAMP_Moderate_R4_CP-2 |
FedRAMP Moderate CP-2 |
Contingency Planning |
Contingency Plan |
Shared |
n/a |
The organization:
a. Develops a contingency plan for the information system that:
1. Identifies essential missions and business functions and associated contingency requirements;
2. Provides recovery objectives, restoration priorities, and metrics;
3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
6. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
c. Coordinates contingency planning activities with incident handling activities;
d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency];
e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and
g. Protects the contingency plan from unauthorized disclosure and modification.
Supplemental Guidance: Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11.
References: Federal Continuity Directive 1; NIST Special Publication 800-34. |
link |
8 |
hipaa |
1603.12c1Organizational.9-12.c |
hipaa-1603.12c1Organizational.9-12.c |
1603.12c1Organizational.9-12.c |
16 Business Continuity & Disaster Recovery |
1603.12c1Organizational.9-12.c 12.01 Information Security Aspects of Business Continuity Management |
Shared |
n/a |
Copies of the business continuity plans are distributed to key contingency personnel. |
|
5 |
hipaa |
1666.12d1Organizational.1235-12.d |
hipaa-1666.12d1Organizational.1235-12.d |
1666.12d1Organizational.1235-12.d |
16 Business Continuity & Disaster Recovery |
1666.12d1Organizational.1235-12.d 12.01 Information Security Aspects of Business Continuity Management |
Shared |
n/a |
The organization creates, at a minimum, one business continuity plan and ensures each plan: (i) has an owner; (ii) describes the approach for continuity, ensuring at a minimum the approach to maintain information or information asset availability and security; and, (iii) specifies the escalation plan and the conditions for its activation, as well as the individuals responsible for executing each component of the plan. |
|
4 |
hipaa |
1667.12d1Organizational.4-12.d |
hipaa-1667.12d1Organizational.4-12.d |
1667.12d1Organizational.4-12.d |
16 Business Continuity & Disaster Recovery |
1667.12d1Organizational.4-12.d 12.01 Information Security Aspects of Business Continuity Management |
Shared |
n/a |
When new requirements are identified, any existing emergency procedures (e.g., evacuation plans or fallback arrangements) are amended as appropriate. |
|
4 |
hipaa |
1671.12d2Organizational.2-12.d |
hipaa-1671.12d2Organizational.2-12.d |
1671.12d2Organizational.2-12.d |
16 Business Continuity & Disaster Recovery |
1671.12d2Organizational.2-12.d 12.01 Information Security Aspects of Business Continuity Management |
Shared |
n/a |
The organization ensures business continuity matters are always timely addressed in its management of system changes. |
|
3 |
hipaa |
1672.12d2Organizational.3-12.d |
hipaa-1672.12d2Organizational.3-12.d |
1672.12d2Organizational.3-12.d |
16 Business Continuity & Disaster Recovery |
1672.12d2Organizational.3-12.d 12.01 Information Security Aspects of Business Continuity Management |
Shared |
n/a |
The business continuity planning framework addresses the specific, minimal set of information security requirements as well as (i) temporary operational procedures to follow pending completion of recovery and restoration, and (ii) the responsibilities of the individuals, describing who is responsible for executing which component of the plan (alternatives are nominated as required). |
|
5 |
ISO27001-2013 |
A.17.1.1 |
ISO27001-2013_A.17.1.1 |
ISO 27001:2013 A.17.1.1 |
Information Security Aspects Of Business Continuity Management |
Planning information security continuity |
Shared |
n/a |
The organization shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster. |
link |
11 |
ISO27001-2013 |
A.17.1.2 |
ISO27001-2013_A.17.1.2 |
ISO 27001:2013 A.17.1.2 |
Information Security Aspects Of Business Continuity Management |
Implementing information security continuity |
Shared |
n/a |
The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation. |
link |
18 |
ISO27001-2013 |
A.17.2.1 |
ISO27001-2013_A.17.2.1 |
ISO 27001:2013 A.17.2.1 |
Information Security Aspects Of Business Continuity Management |
Availability of information processing facilities |
Shared |
n/a |
Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements. |
link |
17 |
ISO27001-2013 |
A.6.1.1 |
ISO27001-2013_A.6.1.1 |
ISO 27001:2013 A.6.1.1 |
Organization of Information Security |
Information security roles and responsibilities |
Shared |
n/a |
All information security responsibilities shall be clearly defined and allocated. |
link |
73 |
|
mp.eq.3 Protection of portable devices |
mp.eq.3 Protection of portable devices |
404 not found |
|
|
|
n/a |
n/a |
|
71 |
|
mp.eq.4 Other devices connected to the network |
mp.eq.4 Other devices connected to the network |
404 not found |
|
|
|
n/a |
n/a |
|
35 |
|
mp.info.6 Backups |
mp.info.6 Backups |
404 not found |
|
|
|
n/a |
n/a |
|
65 |
NIST_SP_800-53_R4 |
CP-2 |
NIST_SP_800-53_R4_CP-2 |
NIST SP 800-53 Rev. 4 CP-2 |
Contingency Planning |
Contingency Plan |
Shared |
n/a |
The organization:
a. Develops a contingency plan for the information system that:
1. Identifies essential missions and business functions and associated contingency requirements;
2. Provides recovery objectives, restoration priorities, and metrics;
3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
6. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
c. Coordinates contingency planning activities with incident handling activities;
d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency];
e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and
g. Protects the contingency plan from unauthorized disclosure and modification.
Supplemental Guidance: Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11.
References: Federal Continuity Directive 1; NIST Special Publication 800-34. |
link |
8 |
NIST_SP_800-53_R5 |
CP-2 |
NIST_SP_800-53_R5_CP-2 |
NIST SP 800-53 Rev. 5 CP-2 |
Contingency Planning |
Contingency Plan |
Shared |
n/a |
a. Develop a contingency plan for the system that:
1. Identifies essential mission and business functions and associated contingency requirements;
2. Provides recovery objectives, restoration priorities, and metrics;
3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
4. Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;
5. Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented;
6. Addresses the sharing of contingency information; and
7. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distribute copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
c. Coordinate contingency planning activities with incident handling activities;
d. Review the contingency plan for the system [Assignment: organization-defined frequency];
e. Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
f. Communicate contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
g. Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and
h. Protect the contingency plan from unauthorized disclosure and modification. |
link |
8 |
|
op.cont.1 Impact analysis |
op.cont.1 Impact analysis |
404 not found |
|
|
|
n/a |
n/a |
|
68 |
|
op.cont.2 Continuity plan |
op.cont.2 Continuity plan |
404 not found |
|
|
|
n/a |
n/a |
|
68 |
|
op.cont.3 Periodic tests |
op.cont.3 Periodic tests |
404 not found |
|
|
|
n/a |
n/a |
|
91 |
|
op.cont.4 Alternative means |
op.cont.4 Alternative means |
404 not found |
|
|
|
n/a |
n/a |
|
95 |
|
org.1 Security policy |
org.1 Security policy |
404 not found |
|
|
|
n/a |
n/a |
|
94 |
|
org.4 Authorization process |
org.4 Authorization process |
404 not found |
|
|
|
n/a |
n/a |
|
126 |