This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization plans for the resumption of all missions and business functions within [FedRAMP Assignment: (H) time period defined in service provider and organization SLA] of contingency plan activation.
NIST 800-53 (r4) Supplemental Guidance:
Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. The time period for resumption of all missions/business functions may be dependent on the severity/extent of disruptions to the information system and its supporting infrastructure. Related control: PE-12.
NIST 800-53 (r5) Discussion:
Withdrawn: Incorporated into CP-2(3).
38North Guidance:
Meets Minimum Requirement:
Must produce a contingency plan that highlights the information system's capacity to resume operations within the time indicated in the SLA between the service provider and organization(s).
Best Practice:
If supporting a federal customer, determine what their RTOs/RPOs are and how quickly they need to have the system/data restored.
Unofficial FedRAMP Guidance:
Ensure the CSP can meet the RTOs/RPOs documented as part of its SLAs with customers, or the defined time frame/metrics documented on its public website.
Assessment Evidence:
The organization's CP reflecting the information system's ability to resume operations per SLA requirements.
The SLA highlighting the time period identified for resumption of business operations in the event of a contingency.
CSP Implementation Tips:
None.