This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization coordinates contingency plan testing with organizational elements responsible for related plans.
NIST 800-53 (r4) Supplemental Guidance:
Plans related to contingency plans for organizational information systems include, for example, Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, and Occupant Emergency Plans. This control enhancement does not require organizations to create organizational elements to handle related plans or to align such elements with specific plans. It does require, however, that if such organizational elements are responsible for related plans, organizations should coordinate with those elements. Related controls: IR-8, PM-8.
NIST 800-53 (r5) Discussion:
Plans related to contingency planning for organizational systems include Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, and Occupant Emergency Plans. Coordination of contingency plan testing does not require organizations to create organizational elements to handle related plans or to align such elements with specific plans. However, it does require that if such organizational elements are responsible for related plans, organizations coordinate with those elements.
38North Guidance:
Meets Minimum Requirement:
Coordinate CP testing activities with elements responsible for related plans (e.g., business continuity planning, disaster recovery, incident response).
Document the dependencies with the responsible elements accordingly in the applicable plan documents.
To ensure response times can be met, testing must be performed by all appropriate parties, including response teams, executives, management, and 3rd/4th party resources as needed.
Best Practice:
TBD.
Unofficial FedRAMP Guidance: None.
Assessment Evidence:
Evidence that the Service has identified the teams/services it depends on for its CP testing activities and has documented these dependencies accordingly within its plan.
Evidence that the testing was conducted with dependent teams/services, such as meeting minutes, meeting agendas, status reports, CP Test Plan/CP Test Report, after action reports, and lessons learned.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD