CP-7—Alternate Processing Site
>Control Description
Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of ⚙organization-defined system operations for essential mission and business functions within ⚙organization-defined time period consistent with recovery time and recovery point objectives when the primary processing capabilities are unavailable;
Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time period for transfer and resumption; and
Provide controls at the alternate processing site that are equivalent to those at the primary site.
>DoD Impact Level Requirements
Additional Requirements and Guidance
CP-7 (a) Requirement: The service provider defines a time period consistent with the recovery time objectives and business impact analysis.
>Discussion
Alternate processing sites are geographically distinct from primary processing sites and provide processing capability if the primary processing site is not available. The alternate processing capability may be addressed using a physical processing site or other alternatives, such as failover to a cloud-based service provider or other internally or externally provided processing service. Geographically distributed architectures that support contingency requirements may also be considered alternate processing sites.
Controls that are covered by alternate processing site agreements include the environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and the coordination for the transfer and assignment of personnel. Requirements are allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential mission and business functions despite disruption, compromise, or failure in organizational systems.
>Programmatic Queries
Related Services
CLI Commands
aws route53 list-health-checks --query 'HealthChecks[*].{Id:Id,Type:HealthCheckConfig.Type,FQDN:HealthCheckConfig.FullyQualifiedDomainName}'aws globalaccelerator list-acceleratorsaws rds describe-db-instances --query 'DBInstances[*].{Id:DBInstanceIdentifier,MultiAZ:MultiAZ,ReadReplicas:ReadReplicaDBInstanceIdentifiers}'aws s3api get-bucket-replication --bucket BUCKET>Related Controls
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- •What formal policies and procedures govern the implementation of CP-7 (Alternate Processing Site)?
- •Who are the designated roles responsible for implementing, maintaining, and monitoring CP-7?
- •How frequently is the CP-7 policy reviewed and updated, and what triggers policy changes?
- •What governance structure ensures CP-7 requirements are consistently applied across all systems?
Technical Implementation:
- •Describe the specific technical mechanisms or controls used to enforce CP-7 requirements.
- •What automated tools, systems, or technologies are deployed to implement CP-7?
- •How is CP-7 integrated into your system architecture and overall security posture?
- •What configuration settings, parameters, or technical specifications enforce CP-7 requirements?
Evidence & Documentation:
- •What documentation demonstrates the complete implementation of CP-7?
- •What audit logs, records, reports, or monitoring data validate CP-7 compliance?
- •Can you provide evidence of periodic reviews, assessments, or testing of CP-7 effectiveness?
- •What artifacts would you present during a FedRAMP assessment to demonstrate CP-7 compliance?
Ask AI
Configure your API key to use AI features.