
CP-2 CONTINGENCY PLAN


Overview

Number: CP-2
Title: Contingency Plan
Impact: LOW
Priority: P1
Subject Area: Contingency Planning

Instructions
The organization:
CP-2a. Develops a contingency plan for the information system that:
       CP-2a.1. Identifies essential missions and business functions and associated contingency requirements;
       CP-2a.2. Provides recovery objectives, restoration priorities, and metrics;
       CP-2a.3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
       CP-2a.4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
       CP-2a.5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
       CP-2a.6. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
CP-2b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
CP-2c. Coordinates contingency planning activities with incident handling activities;
CP-2d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency];
CP-2e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
CP-2f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and
CP-2g. Protects the contingency plan from unauthorized disclosure and modification.
Guidance
Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident.

Enhancements
CP-2 (1) Coordinate With Related Plans MODERATE
Plans related to contingency plans for organizational information systems include, for example, Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, Insider Threat Implementation Plan, and Occupant Emergency Plans.

The organization coordinates contingency plan development with organizational elements responsible for related plans.

CP-2 (2) Capacity Planning HIGH
Capacity planning is needed because different types of threats (e.g., natural disasters, targeted cyber attacks) can result in a reduction of the available processing, telecommunications, and support services originally intended to support the organizational missions/business functions. Organizations may need to anticipate degraded operations during contingency operations and factor such degradation into capacity planning.

The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.

CP-2 (3) Resume Essential Missions / Business Functions MODERATE
Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. The time period for resumption of essential missions/business functions may be dependent on the severity/extent of disruptions to the information system and its supporting infrastructure.

The organization plans for the resumption of essential missions and business functions within [Assignment: organization-defined time period] of contingency plan activation.

CP-2 (4) Resume All Missions / Business Functions HIGH
Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. The time period for resumption of all missions/business functions may be dependent on the severity/extent of disruptions to the information system and its supporting infrastructure.

The organization plans for the resumption of all missions and business functions within [Assignment: organization-defined time period] of contingency plan activation.

CP-2 (5) Continue Essential Missions / Business Functions HIGH
Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Primary processing and/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency (e.g., backup sites may become primary sites).

The organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity and sustains that continuity until full information system restoration at primary processing and/or storage sites.

CP-2 (6) Alternate Processing / Storage Site
Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Primary processing and/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency (e.g., backup sites may become primary sites).

The organization plans for the transfer of essential missions and business functions to alternate processing and/or storage sites with little or no loss of operational continuity and sustains that continuity through information system restoration to primary processing and/or storage sites.

CP-2 (7) Coordinate With External Service Providers
When the capability of an organization to successfully carry out its core missions/business functions is dependent on external service providers, developing a timely and comprehensive contingency plan may become more challenging. In this situation, organizations coordinate contingency planning activities with the external entities to ensure that the individual plans reflect the overall contingency needs of the organization.

The organization coordinates its contingency plan with the contingency plans of external service providers to ensure that contingency requirements can be satisfied.

CP-2 (8) Identify Critical Assets MODERATE
Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Organizations identify critical information system assets so that additional safeguards and countermeasures can be employed (above and beyond those safeguards and countermeasures routinely implemented) to help ensure that organizational missions/business functions can continue to be conducted during contingency operations. In addition, the identification of critical information assets facilitates the prioritization of organizational resources. Critical information system assets include technical and operational aspects. Technical aspects include, for example, information technology services, information system components, information technology products, and mechanisms. Operational aspects include, for example, procedures (manually executed operations) and personnel (individuals operating technical safeguards and/or executing manual procedures). Organizational program protection plans can provide assistance in identifying critical assets.

The organization identifies critical information system assets supporting essential missions and business functions.