CP-4(1)—Contingency Plan Testing And Exercises
>Control Description
>Supplemental Guidance
Plans related to contingency plans for organizational information systems include, for example, Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Business Recovery Plans, Incident Response Plans, and Emergency Action Plans. This control enhancement does not require organizations to create organizational elements to handle related plans or to align such elements with specific plans. It does require, however, that if such organizational elements are responsible for related plans, organizations should coordinate with those elements.
Related control: IR-8.
>Tailoring Guidance
This security control/enhancement is considered to be best practice. Consequently, inclusion in a departmental profile is strongly encouraged in most cases. Control enhancement (1) specifies that the organization coordinates contingency plan testing and/or exercises with organizational elements responsible for related plans.
It does not specify that all of the related plans be included as part of the contingency plan testing. Consequently, contingency plan testing should ensure the validity of information where it intersects with related plans.