This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.
NIST 800-53 (r4) Supplemental Guidance:
Capacity planning is needed because different types of threats (e.g., natural disasters, targeted cyber attacks) can result in a reduction of the available processing, telecommunications, and support services originally intended to support the organizational missions/business functions. Organizations may need to anticipate degraded operations during contingency operations and factor such degradation into capacity planning.
NIST 800-53 (r5) Discussion:
Capacity planning is needed because different threats can result in a reduction of the available processing, telecommunications, and support services intended to support essential mission and business functions. Organizations anticipate degraded operations during contingency operations and factor the degradation into capacity planning. For capacity planning, environmental support refers to any environmental factor for which the organization determines that it needs to provide support in a contingency situation, even if in a degraded state. Such determinations are based on an organizational assessment of risk, system categorization (impact level), and organizational risk tolerance.
38North Guidance:
Meets Minimum Requirement:
Develop and document capacity planning that covers the capacity the information system needs during contingency operations, such as processing (throughput, memory), storage, network capacity, etc. Capacity planning may be included in the CP. If it is documented separately, review and approve the Capacity Plan at least annually or in conjunction with the CP and other related plans as required.
Best Practice:
Capacity planning should consider storage capacity, processing capacity (e.g., a sufficient number of servers with fast CPUs), telecommunications capacity (e.g., bandwidth and speed), and data center concerns (such as electricity and air conditioning capacity). Capacity planning for physical systems (such as IaaS infrastructures) may take more time for planning and procurement of additional IT assets/resources.
Unofficial FedRAMP Guidance:
None.
Assessment Evidence:
The organization's capacity plan, highlighting capacity coverage for contingency operations.
Meeting minutes/agendas that include capacity planning topics and activities discussed.
CSP Implementation Tips:
None.