
CP-2 Contingency Plan

IL4 Mod
IL4 High
IL5
IL6

>Control Description

a. Develop a contingency plan for the system that:
   1. Identifies essential mission and business functions and associated contingency requirements;
   2. Provides recovery objectives, restoration priorities, and metrics;
   3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
   4. Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;
   5. Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented;
   6. Addresses the sharing of contingency information; and
   7. Is reviewed and approved by organization-defined personnel or roles;

b. Distribute copies of the contingency plan to organization-defined key contingency personnel (identified by name and/or by role) and organizational elements;

c. Coordinate contingency planning activities with incident handling activities;

d. Review the contingency plan for the system at the organization-defined frequency;

e. Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;

f. Communicate contingency plan changes to organization-defined key contingency personnel (identified by name and/or by role) and organizational elements;

g. Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and

h. Protect the contingency plan from unauthorized disclosure and modification.

>DoD Impact Level Requirements

FedRAMP Parameter Values

CP-2 (d) [at least annually]

Additional Requirements and Guidance

CP-2 Requirement: For JAB authorizations the contingency lists include designated FedRAMP personnel.

CP-2 Requirement: CSPs must use the FedRAMP Information System Contingency Plan (ISCP) Template (available on fedramp.gov: https://www.fedramp.gov/assets/resources/templates/SSP-A06-FedRAMP-ISCP-Template.docx).

>Discussion

Contingency planning for systems is part of an overall program for achieving continuity of operations for organizational mission and business functions. Contingency planning addresses system restoration and implementation of alternative mission or business processes when systems are compromised or breached. Contingency planning is considered throughout the system development life cycle and is a fundamental part of the system design.

Systems can be designed for redundancy, to provide backup capabilities, and for resilience. Contingency plans reflect the degree of restoration required for organizational systems since not all systems need to fully recover to achieve the level of continuity of operations desired. System recovery objectives reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, organizational risk tolerance, and system impact level.

Actions addressed in contingency plans include orderly system degradation, system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By coordinating contingency planning with incident handling activities, organizations ensure that the necessary planning activities are in place and activated in the event of an incident. Organizations consider whether continuity of operations during an incident conflicts with the capability to automatically disable the system, as specified in IR-4(5).

Incident response planning is part of contingency planning for organizations and is addressed in the IR (Incident Response) family.

>Programmatic Queries


Related Services

AWS Backup
Route 53
Elastic Disaster Recovery

CLI Commands

  • List backup plans: aws backup list-backup-plans
  • Check Route 53 health checks: aws route53 list-health-checks
  • List DRS source servers: aws drs describe-source-servers
  • Check Auto Scaling groups: aws autoscaling describe-auto-scaling-groups
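As an added example (not part of this control page, nor of the AWS CLI or any AWS tooling), the following Python turns the JSON emitted by the four commands above into a CP-2 evidence summary: backup plans that have actually executed, health checks present to drive failover, DRS source servers replicating, and Auto Scaling groups spread over more than one Availability Zone. The sample documents are constructed, and the field names assume the AWS CLI's JSON output shape for each command.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample output shaped like the JSON from
# `aws backup list-backup-plans`, `aws route53 list-health-checks`,
# `aws drs describe-source-servers` and
# `aws autoscaling describe-auto-scaling-groups`. Field names assume
# the AWS CLI output format; every value below is invented.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = {
    "backup": {"BackupPlansList": [
        {"BackupPlanName": "daily-prod",
         "LastExecutionDate": "2024-05-31T02:00:00+00:00"}]},
    "route53": {"HealthChecks": [
        {"Id": "hc-1", "HealthCheckConfig": {"Type": "HTTPS",
         "FullyQualifiedDomainName": "app.example.gov"}}]},
    "drs": {"items": [
        {"sourceServerID": "s-0001",
         "dataReplicationInfo": {"dataReplicationState": "CONTINUOUS"}},
        {"sourceServerID": "s-0002",
         "dataReplicationInfo": {"dataReplicationState": "STALLED"}}]},
    "asg": {"AutoScalingGroups": [
        {"AutoScalingGroupName": "web",
         "AvailabilityZones": ["us-gov-west-1a", "us-gov-west-1b"]},
        {"AutoScalingGroupName": "batch",
         "AvailabilityZones": ["us-gov-west-1a"]}]},
}

def cp2_findings(out, now=NOW, max_backup_age_days=1):
    """Return CP-2 evidence findings; an empty list means all checks passed."""
    findings = []
    plans = out["backup"].get("BackupPlansList", [])
    if not plans:
        findings.append("backup: no backup plans defined")
    for p in plans:  # a plan that never ran is not recovery evidence
        last = p.get("LastExecutionDate")
        if last is None:
            findings.append(f"backup: plan {p['BackupPlanName']} never executed")
        elif now - datetime.fromisoformat(last) > timedelta(days=max_backup_age_days):
            findings.append(f"backup: plan {p['BackupPlanName']} last ran {last}")
    if not out["route53"].get("HealthChecks"):
        findings.append("route53: no health checks to drive DNS failover")
    for s in out["drs"].get("items", []):  # replication must be current
        state = s.get("dataReplicationInfo", {}).get("dataReplicationState")
        if state != "CONTINUOUS":
            findings.append(f"drs: {s['sourceServerID']} replication state {state}")
    for g in out["asg"].get("AutoScalingGroups", []):  # single-AZ = no redundancy
        if len(g.get("AvailabilityZones", [])) < 2:
            findings.append(f"asg: {g['AutoScalingGroupName']} spans a single AZ")
    return findings

if __name__ == "__main__":
    for finding in cp2_findings(SAMPLE):
        print(finding)
```

In practice each key of the input dictionary would be loaded from the corresponding command's `--output json` result; the findings list is what an assessor would expect to see attached to the CP-2 evidence package.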

>Related Controls

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of CP-2 (Contingency Plan)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring CP-2?
  • How frequently is the CP-2 policy reviewed and updated, and what triggers policy changes?
  • What governance structure ensures CP-2 requirements are consistently applied across all systems?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce CP-2 requirements.
  • What automated tools, systems, or technologies are deployed to implement CP-2?
  • How is CP-2 integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce CP-2 requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of CP-2?
  • What audit logs, records, reports, or monitoring data validate CP-2 compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of CP-2 effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate CP-2 compliance?
