This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization plans for the resumption of essential missions and business functions within [Assignment: organization-defined time period] of contingency plan activation.
NIST 800-53 (r4) Supplemental Guidance:
Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. The time period for resumption of essential missions/business functions may be dependent on the severity/extent of disruptions to the information system and its supporting infrastructure. Related control: PE-12.
NIST 800-53 (r5) Discussion:
Organizations may choose to conduct contingency planning activities to resume mission and business functions as part of business continuity planning or as part of business impact analyses. Organizations prioritize the resumption of mission and business functions. The time period for resuming mission and business functions may be dependent on the severity and extent of the disruptions to the system and its supporting infrastructure.
38North Guidance:
Meets Minimum Requirement:
Develop and document a Business Impact Analysis (BIA) that includes Recovery Point Objectives (RPOs) and Recovery Time Objectives (RTOs), and plan for the resumption of essential missions and business functions within the timeframes determined in the BIA following contingency plan (CP) activation.
CPs must also include planning for the resumption of all missions and business functions within an organization-defined time period of contingency plan activation.
Recovery strategies must meet the RTOs and RPOs when failing over to an alternate processing/storage site, and must maintain the system at that site for a minimum of six (6) weeks.
Best Practice:
Develop, document, and test the BIA before developing a CP. Conducting a BIA allows the organization to derive the RTOs and RPOs, along with the recovery procedures, that will be included in the CP.
Refer to Section 3.2 of NIST SP 800-34 for guidance on performing a BIA.
Unofficial FedRAMP Guidance:
If the CSP does not have a CP documented, explain the BIA to them (see Best Practice, above).
The BIA must undergo annual review and approval. Changes to the BIA should be communicated to the customer, reviewed, and approved within 90 days of significant changes to the system.
Assessment Evidence:
A BIA with documented RTOs and RPOs.
Evidence that recovery strategies meet the RPOs and RTOs for a minimum of six (6) weeks.
Evidence of a plan for the resumption of all missions and business functions.
CSP Implementation Tips:
None.