CP-02 Contingency Plan
a. Develop a contingency plan for the system that:
1. Identifies essential mission and business functions and associated contingency requirements;
2. Provides recovery objectives, restoration priorities, and metrics;
3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
4. Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;
5. Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented;
6. Addresses the sharing of contingency information; and
7. Is reviewed and approved by cp-2_prm_1;
b. Distribute copies of the contingency plan to cp-2_prm_2;
c. Coordinate contingency planning activities with incident handling activities;
d. Review the contingency plan for the system cp-02_odp.05;
e. Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
f. Communicate contingency plan changes to cp-2_prm_4;
g. Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and
h. Protect the contingency plan from unauthorized disclosure and modification.
| Parameter ID | Definition |
|---|---|
| cp-2_prm_1 | organization-defined personnel or roles |
| cp-2_prm_2 | organization-defined key contingency personnel (identified by name and/or by role) and organizational elements |
| cp-2_prm_4 | organization-defined key contingency personnel (identified by name and/or by role) and organizational elements |
| cp-02_odp.01 | personnel or roles |
| cp-02_odp.02 | personnel or roles |
| cp-02_odp.03 | key contingency personnel |
| cp-02_odp.04 | organizational elements |
| cp-02_odp.05 | frequency |
| cp-02_odp.06 | key contingency personnel |
| cp-02_odp.07 | organizational elements |
Baselines
- L
- M
- H
- P
Guidance
Contingency planning for systems is part of an overall program for achieving continuity of operations for organizational mission and business functions. Contingency planning addresses system restoration and implementation of alternative mission or business processes when systems are compromised or breached. Contingency planning is considered throughout the system development life cycle and is a fundamental part of the system design. Systems can be designed for redundancy, to provide backup capabilities, and for resilience. Contingency plans reflect the degree of restoration required for organizational systems since not all systems need to fully recover to achieve the level of continuity of operations desired. System recovery objectives reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, organizational risk tolerance, and system impact level.
Actions addressed in contingency plans include orderly system degradation, system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By coordinating contingency planning with incident handling activities, organizations ensure that the necessary planning activities are in place and activated in the event of an incident. Organizations consider whether continuity of operations during an incident conflicts with the capability to automatically disable the system, as specified in IR-4(5) . Incident response planning is part of contingency planning for organizations and is addressed in the [IR](#ir) (Incident Response) family.
References 2
- SP 800-34 Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010.
- IR 8179 Paulsen C, Boyens JM, Bartol N, Winkler K (2018) Criticality Analysis Process Model: Prioritizing Systems and Components. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8179.
Control Enhancements 8
- CP-02(01) Coordinate with Related Plans L M H P
- CP-02(02) Capacity Planning L M H P
- CP-02(03) Resume Mission and Business Functions L M H P
- CP-02(04) Resume All Mission and Business Functions
- CP-02(05) Continue Mission and Business Functions L M H P
- CP-02(06) Alternate Processing and Storage Sites L M H P
- CP-02(07) Coordinate with External Service Providers L M H P
- CP-02(08) Identify Critical Assets L M H P
Related controls 25
- CP-03 Contingency Training L M H P
- CP-04 Contingency Plan Testing L M H P
- CP-06 Alternate Storage Site L M H P
- CP-07 Alternate Processing Site L M H P
- CP-08 Telecommunications Services L M H P
- CP-09 System Backup L M H P
- CP-10 System Recovery and Reconstitution L M H P
- CP-11 Alternate Communications Protocols L M H P
- CP-13 Alternative Security Mechanisms L M H P
- IR-04 Incident Handling L M H P
- IR-06 Incident Reporting L M H P
- IR-08 Incident Response Plan L M H P
- IR-09 Information Spillage Response L M H P
- MA-06 Timely Maintenance L M H P
- MP-02 Media Access L M H P
- MP-04 Media Storage L M H P
- MP-05 Media Transport L M H P
- PL-02 System Security and Privacy Plans L M H P
- PM-08 Critical Infrastructure Plan L M H P
- PM-11 Mission and Business Process Definition L M H P
- SA-15 Development Process, Standards, and Tools L M H P
- SA-20 Customized Development of Critical Components L M H P
- SC-07 Boundary Protection L M H P
- SC-23 Session Authenticity L M H P
- SI-12 Information Management and Retention L M H P