Skip to content

CP-2: Contingency Plan

An OSCAL Control

Statement

    • a.

      Develop a contingency plan for the system that:

      • 1.

        Identifies essential mission and business functions and associated contingency requirements;

      • 2.

        Provides recovery objectives, restoration priorities, and metrics;

      • 3.

        Addresses contingency roles, responsibilities, assigned individuals with contact information;

      • 4.

        Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;

      • 5.

        Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented;

      • 6.

        Addresses the sharing of contingency information; and

      • 7.

        Is reviewed and approved by ;

    • b.

      Distribute copies of the contingency plan to ;

    • c.

      Coordinate contingency planning activities with incident handling activities;

    • d.

      Review the contingency plan for the system ;

    • e.

      Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;

    • f.

      Communicate contingency plan changes to ;

    • g.

      Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and

    • h.

      Protect the contingency plan from unauthorized disclosure and modification.