This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.
NIST 800-53 (r4) Supplemental Guidance:
Recovery is executing information system contingency plan activities to restore organizational missions/business functions. Reconstitution takes place following recovery and includes activities for returning organizational information systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities, recovery point/time and reconstitution objectives, and established organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of any interim information system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored information system capabilities, reestablishment of continuous monitoring activities, potential information system reauthorizations, and activities to prepare the systems against future disruptions, compromises, or failures. Recovery/reconstitution capabilities employed by organizations can include both automated mechanisms and manual procedures. Related controls: CA-2, CA-6, CA-7, CP-2, CP-6, CP-7, CP-9, SC-24.
References: Federal Continuity Directive 1; NIST Special Publication 800-34.
NIST 800-53 (r5) Discussion:
Recovery is executing contingency plan activities to restore organizational mission and business functions. Reconstitution takes place following recovery and includes activities for returning systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities; recovery point, recovery time, and reconstitution objectives; and organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of interim system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored system capabilities, reestablishment of continuous monitoring activities, system reauthorization (if required), and activities to prepare the system and organization for future disruptions, breaches, compromises, or failures. Recovery and reconstitution capabilities can include automated mechanisms and manual procedures. Organizations establish recovery time and recovery point objectives as part of contingency planning.
38North Guidance:
Meets Minimum Requirement:
Develop, implement, and test the contingency plan (CP) to serve as the guiding document and process definition for all information contingency, backup, and disaster recovery activities, as well as for training personnel associated with backup activities for the information system.
CPs must include procedures for validating successful recovery and reconstitution. Recovery and reconstitution activities include reconstitution and resumption of operational capabilities at the original location.
The organization must configure backup services and alternate-site processing services appropriately.
Best Practice:
TBD.
Unofficial FedRAMP Guidance:
Assessment Evidence:
Procedures for reconstituting the service to a known-good state as part of contingency planning processes.
Results of the service's most recent recovery/reconstitution testing (from the last test/exercise or the last actual recovery event).
Evidence of the CP document, contingency plan training records, CP test plan and test results, alternate storage/processing site agreements, backup schedule and configurations, and a documented responsibility assignment matrix (RACI) covering organization and customer responsibilities.
List of personnel with access to backup logs and privileges to modify or delete backup logs (including monthly/quarterly access reviews according to AC-2).
Contingency Planning Policy.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD