CoreOS 4.x - Contingency Planning

Control responses for NIST 800-53 rev4.

NOTE: All CoreOS content is under active development through the ComplianceAsCode Project. Do not consider this content production ready!


Requirements Traceability Matrix

| Control | Name | Status |
| --- | --- | --- |
| CP-1 | Contingency Planning Policy And Procedures | not applicable |
| CP-2 | Contingency Plan | |
| CP-2 (1) | Coordinate With Related Plans | |
| CP-2 (2) | Capacity Planning | |
| CP-2 (3) | Resume Essential Missions / Business Functions | |
| CP-2 (4) | Resume All Missions / Business Functions | |
| CP-2 (5) | Continue Essential Missions / Business Functions | |
| CP-2 (6) | Alternate Processing / Storage Site | |
| CP-2 (7) | Coordinate With External Service Providers | |
| CP-2 (8) | Identify Critical Assets | |
| CP-3 | Contingency Training | |
| CP-3 (1) | Simulated Events | |
| CP-3 (2) | Automated Training Environments | |
| CP-4 | Contingency Plan Testing | |
| CP-4 (1) | Coordinate With Related Plans | |
| CP-4 (2) | Alternate Processing Site | |
| CP-4 (3) | Automated Testing | |
| CP-4 (4) | Full Recovery / Reconstitution | |
| CP-5 | Contingency Plan Update | |
| CP-6 | Alternate Storage Site | |
| CP-6 (1) | Separation From Primary Site | |
| CP-6 (2) | Recovery Time / Point Objectives | |
| CP-6 (3) | Accessibility | |
| CP-7 | Alternate Processing Site | |
| CP-7 (1) | Separation From Primary Site | |
| CP-7 (2) | Accessibility | |
| CP-7 (3) | Priority Of Service | |
| CP-7 (4) | Preparation For Use | |
| CP-7 (5) | Equivalent Information Security Safeguards | |
| CP-7 (6) | Inability To Return To Primary Site | |
| CP-8 | Telecommunications Services | |
| CP-8 (1) | Priority Of Service Provisions | |
| CP-8 (2) | Single Points Of Failure | |
| CP-8 (3) | Separation Of Primary / Alternate Providers | |
| CP-8 (4) | Provider Contingency Plan | |
| CP-8 (5) | Alternate Telecommunication Service Testing | |
| CP-9 | Information System Backup | |
| CP-9 (1) | Testing For Reliability / Integrity | |
| CP-9 (2) | Test Restoration Using Sampling | |
| CP-9 (3) | Separate Storage For Critical Information | |
| CP-9 (4) | Protection From Unauthorized Modification | |
| CP-9 (5) | Transfer To Alternate Storage Site | |
| CP-9 (6) | Redundant Secondary System | |
| CP-9 (7) | Dual Authorization | |
| CP-10 | Information System Recovery And Reconstitution | |
| CP-10 (1) | Contingency Plan Testing | |
| CP-10 (2) | Transaction Recovery | |
| CP-10 (3) | Compensating Security Controls | |
| CP-10 (4) | Restore Within Time Period | |
| CP-10 (5) | Failover Capability | |
| CP-10 (6) | Component Protection | |
| CP-11 | Alternate Communications Protocols | |
| CP-12 | Safe Mode | |
| CP-13 | Alternative Security Mechanisms | |



CP-1: Contingency Planning Policy And Procedures

The organization:

a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
   1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
   2. Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and
b. Reviews and updates the current:
   1. Contingency planning policy [Assignment: organization-defined frequency]; and
   2. Contingency planning procedures [Assignment: organization-defined frequency].

CP-1 Control Response Information
Implementation Status: not applicable

CP-1: What is the solution and how is it implemented?



CP-2: Contingency Plan

The organization:

a. Develops a contingency plan for the information system that:
   1. Identifies essential missions and business functions and associated contingency requirements;
   2. Provides recovery objectives, restoration priorities, and metrics;
   3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
   4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
   5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
   6. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
c. Coordinates contingency planning activities with incident handling activities;
d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency];
e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and
g. Protects the contingency plan from unauthorized disclosure and modification.

CP-2 Control Response Information
Implementation Status: