Skip to content
ATO Pathways
  Log In

Information Assurance - COOP Plan and Testing (Not in Place for Information Technology Systems or Not Considered in the organizational Holistic Risk Assessment)

An XCCDF Rule

Description

<VulnDiscussion>Failure to develop a COOP and test it periodically can result in the partial or total loss of operations and INFOSEC. A contingency plan is necessary to reduce mission impact in the event of system compromise or disaster. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, Paragraphs 15 & 32 NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: CP-2, CP-2(1) through CP-2(8), CP-4, CP-4(1) through CP-4(4), CP-6, CP-7, CP-9, MA-6 DoDI 8500.01, SUBJECT: Cybersecurity, March 14, 2014 , Enclosure 3, paragraph 3. DoDD 3020.26, SUBJECT: Department of Defense Continuity Programs, January 9, 2009 DoDI 3020.42, SUBJECT: Defense Continuity Plan Development, February 17, 2006 Implementation of DoD Continuity Strategy - Deputy Secretary of Defense, 25 May 07 National Security Presidential Directive (NSPD) 51 / Homeland Security Presidential Directive (HSPD) 20 - National Continuity Policy, 9 May 07 Federal Continuity Directives 1 Oct 12 and 2 Jul 13, Federal Executive Branch National Continuity Program and Requirements. NIST Special Publication 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems, May 2010 DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 8, paragraph 8-101.g. and 8-302.c.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID
SV-245772r822832_rule
Severity
Medium
Updated



Remediation - Manual Procedure

Continuity of Operations Plans (COOP) must be developed and tested for ALL DoDIN connected systems to ensure system and data availability in the event of any type of failure.  If no COOP is in place ensure the risk has been (specifically for lack of a COOP) accepted by the responsible Authorizing Official (AO) in a Holistic Risk Assessment of the organization.