Under active development Content is continuously updated and improved

CP-2Contingency Plan

PBMM (P3)
Secret (P3)
Operational

>Control Description

(A) The organization develops a contingency plan for the information system that: (a) Identifies essential missions and business functions and associated contingency requirements; (b) Provides recovery objectives, restoration priorities, and metrics; (c) Addresses contingency roles, responsibilities, and assigned individuals with contact information; (d) Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; (e) Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and (f) Is reviewed and approved by organization-defined personnel or roles. (B) The organization distributes copies of the contingency plan to organization-defined key contingency personnel (identified by name and/or by role) and organizational elements. (C) The organization coordinates contingency planning activities with incident handling activities. (D) The organization reviews the contingency plan for the information system organization-defined frequency. (E) The organization updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing. (F) The organization communicates contingency plan changes to organization-defined key contingency personnel (identified by name and/or by role) and organizational elements. (G) The organization protects the contingency plan from unauthorized disclosure and modification.

>Supplemental Guidance

Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle.

Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable GC legislation and TBS policies, directives and standards.

In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident.

Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5.

>Tailoring Guidance

This security control/enhancement is considered to be best practice. Consequently, inclusion in a departmental profile is strongly encouraged in most cases.

>Profile-Specific Parameters

(D) [at a frequency no longer than annually]

Ask AI

Configure your API key to use AI features.