This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization:
a. Tests the contingency plan for the information system [FedRAMP Assignment: (L)at least every three years; (M) at least annually; (H) at least annually] using [FedRAMP Assignment: (L) classroom exercises/table top written tests; (M) functional exercises; (H) functional exercises] to determine the effectiveness of the plan and the organizational readiness to execute the plan;
b. Reviews the contingency plan test results; and
c. Initiates corrective actions, if needed.
CP-4 (a) Additional FedRAMP Requirements and Guidance:
The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing.
NIST 800-53 (r4) Supplemental Guidance:
Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include, for example, walk-through and tabletop exercises, checklists, simulations (parallel, full interrupt), and comprehensive exercises. Organizations conduct testing based on the continuity requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals arising due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions. Related controls: CP-2, CP-3, IR-3.
References: Federal Continuity Directive 1; FIPS Publication 199; NIST Special Publications 800-34, 800-84.
NIST 800-53 (r5) Discussion:
Methods for testing contingency plans to determine the effectiveness of the plans and identify potential weaknesses include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions.
38North Guidance:
Meets Minimum Requirement:
The organization must perform an annual functional CP test that includes an element of system recovery from backup. This ensures that the organization is able to recover mission-critical assets from backup during a contingency event.
Tests must be conducted in as close to an operational environment as possible. If feasible, an actual test of the components or systems used to conduct daily operations should be used.
Test documentation must ensure that contingency planning metrics such as the recovery time objective (RTO), recovery point objective (RPO) and maximum tolerable downtime (MTD) are verified during testing.
The contingency plan test report is completed with lessons learned documented within 30 days following the contingency event or exercise. If lessons learned result in any necessary improvements to existing processes, ensure they are incorporated into the contingency plan no later than 30 days following all contingency events and exercises.
Critical issues discovered during contingency plan testing must be addressed within the timeframe corresponding to their severity level, following initial discovery.
Contingency plan tests must increase in scope over time in order to validate the operability of the plan and system components in an operational environment.
The organization must participate in customers' and other third parties' contingency plan tests as required.
Best Practice:
TBD.
Unofficial FedRAMP Guidance:
The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing.
CPs must be tested prior to the initial/annual 3PAO assessment for moderate and high systems.
Assessment Evidence:
Evidence of coordination of contingency planning and disaster recovery testing, at least annually, that includes:
Contingency plan testing meeting minutes, meeting agendas, status reports, final report, etc., showing that testing is coordinated with elements responsible for related plans and/or dependent on the service for functionality (e.g., business continuity planning, disaster recovery, incident response, etc.)
Evidence that after CP testing, an after action report or lessons learned report is created and dated within thirty (30) days following the contingency event/exercise/test.
Evidence that critical issues found during testing are remediated according to the severity level of the issue discovered.
Evidence that the testing scope expands with each test cycle.
CP Test Plan and Report that addresses: priority of service; recovery priority; restart order; confirmation that the recovery systems and environment are sufficient to acceptably run the IT asset(s); and verification of the recovery targets of all covered IT assets.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD