CP-3(1)—Contingency Training | Simulated Events

IL4 High

IL5

IL6

>Control Description

Incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations.

>DoD Impact Level Requirements

No specific parameter values or requirements for this impact level.

>Discussion

The use of simulated events creates an environment for personnel to experience actual threat events, including cyber-attacks that disable websites, ransomware attacks that encrypt organizational data on servers, hurricanes that damage or destroy organizational facilities, or hardware or software failures.

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

•What formal policies and procedures govern the implementation of CP-3(1) (Simulated Events)?
•Who are the designated roles responsible for implementing, maintaining, and monitoring CP-3(1)?
•How frequently is the CP-3(1) policy reviewed and updated, and what triggers policy changes?
•What governance structure ensures CP-3(1) requirements are consistently applied across all systems?

Technical Implementation:

•Describe the specific technical mechanisms or controls used to enforce CP-3(1) requirements.
•What automated tools, systems, or technologies are deployed to implement CP-3(1)?
•How is CP-3(1) integrated into your system architecture and overall security posture?
•What configuration settings, parameters, or technical specifications enforce CP-3(1) requirements?

Evidence & Documentation:

•What documentation demonstrates the complete implementation of CP-3(1)?
•What audit logs, records, reports, or monitoring data validate CP-3(1) compliance?
•Can you provide evidence of periodic reviews, assessments, or testing of CP-3(1) effectiveness?
•What artifacts would you present during a FedRAMP assessment to demonstrate CP-3(1) compliance?

Ask AI

Configure your API key to use AI features.