CP-2: Contingency Plan

An OSCAL Control

Statement

    • a. Develop a contingency plan for the system that:

      • 1. Identifies essential mission and business functions and associated contingency requirements;

      • 2. Provides recovery objectives, restoration priorities, and metrics;

      • 3. Addresses contingency roles, responsibilities, assigned individuals with contact information;

      • 4. Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;

      • 5. Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented;

      • 6. Addresses the sharing of contingency information; and

      • 7. Is reviewed and approved by ;

    • b. Distribute copies of the contingency plan to ;

    • c. Coordinate contingency planning activities with incident handling activities;

    • d. Review the contingency plan for the system ;

    • e. Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;

    • f. Communicate contingency plan changes to ;

    • g. Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and

    • h. Protect the contingency plan from unauthorized disclosure and modification.

      • Requirement: For JAB authorizations the contingency lists include designated FedRAMP personnel.

      • Requirement: CSPs must use the FedRAMP Information System Contingency Plan (ISCP) Template (available on fedramp.gov: https://www.fedramp.gov/assets/resources/templates/SSP-A06-FedRAMP-ISCP-Template.docx).