CP-4

CP-4 CONTINGENCY PLAN TESTING

Overview

Number	Title	Impact	Priority	Subject Area
CP-4	Contingency Plan Testing	LOW	P2	Contingency Planning

Instructions
The organization: CP-4a. Tests the contingency plan for the information system Assignment: organization-defined frequency using Assignment: organization-defined tests to determine the effectiveness of the plan and the organizational readiness to execute the plan; CP-4b. Reviews the contingency plan test results; and CP-4c. Initiates corrective actions, if needed.

Guidance
Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include, for example, walk-through and tabletop exercises, checklists, simulations (parallel, full interrupt), and comprehensive exercises. Organizations conduct testing based on the continuity requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals arising due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions.

Guidance

Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include, for example, walk-through and tabletop exercises, checklists, simulations (parallel, full interrupt), and comprehensive exercises. Organizations conduct testing based on the continuity requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals arising due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions.

Enhancements

CP-4 (1) Coordinate With Related Plans

MODERATE

Plans related to contingency plans for organizational information systems include, for example, Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, and Occupant Emergency Plans. This control enhancement does not require organizations to create organizational elements to handle related plans or to align such elements with specific plans. It does require, however, that if such organizational elements are responsible for related plans, organizations should coordinate with those elements.

The organization coordinates contingency plan testing with organizational elements responsible for related plans.

CP-4 (2) Alternate Processing Site

HIGH

The organization tests the contingency plan at the alternate processing site:

CP-4 (2)(a)

To familiarize contingency personnel with the facility and available resources; and

CP-4 (2)(b)

To evaluate the capabilities of the alternate processing site to support contingency operations.

CP-4 (3) Automated Testing

Automated mechanisms provide more thorough and effective testing of contingency plans, for example: (i) by providing more complete coverage of contingency issues; (ii) by selecting more realistic test scenarios and environments; and (iii) by effectively stressing the information system and supported missions.

The organization employs automated mechanisms to more thoroughly and effectively test the contingency plan.

CP-4 (4) Full Recovery / Reconstitution

The organization includes a full recovery and reconstitution of the information system to a known state as part of contingency plan testing.