Security Control Spotlight—Contingency Planning

By Kathryn M. Daily, CISSP of BAI Information Security

In this issue we will shine the spotlight on the Contingency Planning (CP) family of security controls. First, we’ll show you how the controls dictate the subject areas that need to be addressed in the organization/system’s disaster recovery and business continuity plans. Second, you’ll learn how the contingency planning requirements become more stringent as the system categorization level increases.

Those familiar with DIACAP probably recall the contingency planning requirements were included in a subject area known as Continuity (control names beginning with CO). There were only a small number of controls in the CO group, and most of them were fairly high-level.

With RMF, the contingency planning controls are numerous and quite explicit. For example, CP-2 contains the basic requirements for the organization’s contingency plan, to wit:

The organization:

  • Develops a contingency plan for the information system that:
    • Identifies essential missions and business functions and associated contingency requirements;
    • Provides recovery objectives, restoration priorities, and metrics;
    • Addresses contingency roles, responsibilities, assigned individuals with contact information;
    • Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
    • Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
    • Is reviewed and approved by [Assignment: organization-defined personnel or roles];
  • Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/ or by role) and organizational elements];
  • Coordinates contingency planning activities with incident handling activities;
  • Reviews the contingency plan for the information system [Assignment: organizationdefined frequency];
  • Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
  • Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/ or by role) and organizational elements]; and
  • Protects the contingency plan from unauthorized disclosure and modification.

In addition to the baseline CP-2 control, there are numerous control enhancements that provide even more prescriptive requirements for the organization’s contingency planning.

Control CP-7 contains the Recovery Time Objective (RTO) for the system. In the NIST SP 800-53, this is an “organization-defined value,” however DoD has specified minimum acceptable values, based on the system categorization:

  • For systems categorized as Availability Moderate, the RTO must be 12 hours or less
  • For system categorized as Availability High, the RTO must be 1 hour or less

It should be noted that DoD does not specify a maximum RTO for systems categorized as Availability Low. For such systems, it is up to the system owner to determine an appropriate RTO through its Business Impact Analysis.

IT Dojo offers a comprehensive course on the transition from DIACAP to RMF.  Please take a look at our RMF training courses here.

Here is a link to a great book on RMF that we highly recommend.

A ton of other information can be found on the NIST web site.