This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization:
(a) Requires primary and alternate telecommunications service providers to have contingency plans;
(b) Reviews provider contingency plans to ensure that the plans meet organizational contingency requirements; and
(c) Obtains evidence of contingency testing/training by providers [FedRAMP Assignment: (H) annually].
NIST 800-53 (r4) Supplemental Guidance:
Reviews of provider contingency plans consider the proprietary nature of such plans. In some situations, a summary of provider contingency plans may be sufficient evidence for organizations to satisfy the review requirement. Telecommunications service providers may also participate in ongoing disaster recovery exercises in coordination with the Department of Homeland Security, state, and local governments. Organizations may use these types of activities to satisfy evidentiary requirements related to service provider contingency plan reviews, testing, and training.
NIST 800-53 (r5) Discussion:
Reviews of provider contingency plans consider the proprietary nature of such plans. In some situations, a summary of provider contingency plans may be sufficient evidence for organizations to satisfy the review requirement. Telecommunications service providers may also participate in ongoing disaster recovery exercises in coordination with the Department of Homeland Security and state and local governments. Organizations may use these types of activities to satisfy evidentiary requirements related to service provider contingency plan reviews, testing, and training.
38North Guidance:
Meets Minimum Requirement:
The organization must ensure that the selected primary and alternate telecommunications service providers have documented Contingency Plans (CPs).
The telecommunications service providers' CPs must be reviewed for alignment with the organization's contingency requirements.
The telecommunications service providers' CPs must be reviewed annually.
Best Practice:
TBD.
Unofficial FedRAMP Guidance: None.
Assessment Evidence:
Copies of the CPs of the primary and alternate telecommunications service providers.
Evidence of a risk assessment or evaluation conducted on the telecommunications service providers' CPs.
Historical records of the primary and secondary telecommunications service providers' CP review activities.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD