Template:Cybersecurity/Contingency planning
CP-1 Contingency planning policy and procedures
This control recommends the organization develop, document, disseminate, review, and update contingency planning policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of contingency planning action but also to address how those policies and procedures will be implemented, reviewed, and updated.
Additional resources:
- NIST Special Publications 800-12, Rev. 1, pages 61–62
- NIST Special Publications 800-34, Rev. 1
- NIST Special Publications 800-100, pages 78–83
- LIMSpec 7.1, 7.2
CP-2 Contingency plan
This control recommends the organization develop, document, disseminate, review, and update a contingency plan for the system. As part of this process, the organization should identify its business and cybersecurity goals, as well as its processes, particularly goals and processes that have been marked as critical or essential to overall operations. The plan should also address the importance of keeping those goals and processes intact despite any disruption, as well as any recovery objectives, restoration priorities, and responsible parties (including their roles and contact information). The plan should be reviewed and approved by key personnel, and reviewed again at a determined frequency, with any changes resulting in updating, communicating, and protecting the revised plan.
Additional resources:
- NIST Special Publications 800-34, Rev. 1
- No LIMSpec comp (organizational policy rather than system specification)
CP-3 Contingency training
This control recommends the organization supply the appropriate training concerning contingency plan enactment to the relevant system users at a defined frequency, when the system changes significantly, or when a user takes on a contingency role or responsibility.
Additional resources:
CP-4 Contingency plan testing
This control recommends the organization develop and regularly use testing methods to test the system contingency plan for its effectiveness, as well as how well prepared system users are to execute the plan. The organization should review the results of such tests and apply corrective action, if needed.
Additional resources:
- NIST Special Publications 800-34, Rev. 1
- NIST Special Publications 800-84
- No LIMSpec comp (organizational policy rather than system specification)
CP-9 Information system backup
This control recommends the organization back up the system's user-level and system-level information, as well as system documentation, at defined frequencies. The organization should make efforts to protect the confidentiality, integrity, and availability of any data backups.
Additional resources:
CP-10 Information system recovery and reconstitution
This control recommends the organization retain the capability of recovering and reconstituting the system to a recent known state in the wake of a system disruption, compromise, or failure. This may be done in an automatic or manual fashion.
Additional resources:
