This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization provides contingency training to information system users consistent with assigned roles and responsibilities:
a. Within [FedRAMP Assignment: (L)(M)(H) ten (10) days] of assuming a contingency role or responsibility;
b. When required by information system changes; and
c. [FedRAMP Assignment: (L)(M)(H) at least annually] thereafter.
NIST 800-53 (r4) Supplemental Guidance:
Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to set up information systems at alternate processing and storage sites; and managers/senior leaders may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles/responsibilities reflects the specific continuity requirements in the contingency plan. Related controls: AT-2, AT-3, CP-2, IR-2.
References: Federal Continuity Directive 1; NIST Special Publications 800-16, 800-50.
NIST 800-53 (r5) Discussion:
Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, some individuals may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to establish systems at alternate processing and storage sites; and organizational officials may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles or responsibilities reflects the specific continuity requirements in the contingency plan. Events that may precipitate an update to contingency training content include, but are not limited to, contingency plan testing or an actual contingency (lessons learned), assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. At the discretion of the organization, participation in a contingency plan test or exercise, including lessons learned sessions subsequent to the test or exercise, may satisfy contingency plan training requirements.
38North Guidance:
Meets Minimum Requirement:
Organizational personnel who have assumed a contingency role will be required to complete training within ten (10) days of assuming a contingency role or responsibility. CP training may include reviewing the CP policy/plan/procedures, participating in CP testing exercises, and/or completing CP training modules.
Personnel are retrained when changes have been implemented to the system (if required) and annually thereafter.
Contingency personnel must be required to review the CP and the results of the last CP test that was performed.
Training records must be documented, maintained, and stored in a secure repository with access granted only to those with a need to know (e.g., a compliance team).
Best Practice:
The annual CP test may be leveraged for training as all participants are trained in contingency roles and responsibilities during CP testing. Training may be conducted in the form of a PowerPoint and/or simulated or functional exercises as stated above.
CSPs should require that customers also provide CP training to their employees with CP responsibilities, as they pertain to contingency activities for the CSP.
Unofficial FedRAMP Guidance:
Personnel assuming contingency roles are required to complete training within ten (10) days of assuming a CP role and/or responsibility.
Assessment Evidence:
Procedures detailing how contingency training is administered. (This may include runbooks or processes following contingency testing that identify the personnel required to take contingency training as well as the frequency of the training provided.)
List of contingency personnel required to complete contingency training, including the date the person assumed a contingency role or responsibility.
CP training records for new contingency personnel showing that contingency training was completed within ninety (90) days of being assigned a contingency role.
CP training records for current contingency personnel to show that contingency training was completed within the past twelve (12) months, and as required due to system changes.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD