control_freak | Controls | CP-04 - Contingency Plan Testing

a. Test the contingency plan for the system cp-04_odp.01 using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: cp-4_prm_2.

b. Review the contingency plan test results; and

c. Initiate corrective actions, if needed.

Parameter ID	Definition
cp-4_prm_2	organization-defined tests
cp-04_odp.01	frequency
cp-04_odp.02	tests
cp-04_odp.03	tests

Baselines

Guidance

Methods for testing contingency plans to determine the effectiveness of the plans and identify potential weaknesses include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions.

References 4

FIPS 199 National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199.
SP 800-34 Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010.
SP 800-84 Grance T, Nolan T, Burke K, Dudley R, White G, Good T (2006) Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-84.
SP 800-160-2 Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2.

Control Enhancements 5

CP-04(01) Coordinate with Related Plans L M H P
CP-04(02) Alternate Processing Site L M H P
CP-04(03) Automated Testing L M H P
CP-04(04) Full Recovery and Reconstitution L M H P
CP-04(05) Self-challenge L M H P

Related controls 10

AT-03 Role-based Training L M H P
CP-02 Contingency Plan L M H P
CP-03 Contingency Training L M H P
CP-08 Telecommunications Services L M H P
CP-09 System Backup L M H P
IR-03 Incident Response Testing L M H P
IR-04 Incident Handling L M H P
PL-02 System Security and Privacy Plans L M H P
PM-14 Testing, Training, and Monitoring L M H P
SR-02 Supply Chain Risk Management Plan L M H P

CP-04 Contingency Plan Testing

Baselines

Guidance

References 4

Control Enhancements 5

Related controls 10