The chief information security officer shall publish a comprehensive information system contingency plan and disaster recovery plan for agency information resources that satisfies the requirements of this control. Specific information systems with additional system-specific requirements will have a documented IT contingency plan as part of the system security plan.
Critical activities are not recovered rapidly at the time of a disruption since the organization has not categorized its activities according to their priority for recovery.
The organization:
a. Develops a contingency plan for the information system that:
1. Identifies essential missions and business functions and associated contingency requirements;
2. Provides recovery objectives, restoration priorities, and metrics;
3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
6. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
c. Coordinates contingency planning activities with incident handling activities;
d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency];
e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and
g. Protects the contingency plan from unauthorized disclosure and modification.
A written, documented, accepted contingency plan is in place.
The plan shall be distributed to key personnel and a copy stored offsite. Elements of the plan for information resources shall include:
a. Business Impact Analysis to systematically assess the potential impacts of a loss of business functionality due to an interruption of computing and/or infrastructure support services resulting from various events or incidents. The analysis shall identify the following elements:
1. Mission-Critical Information Resources (specific system resources required to perform critical functions) to include:
A. Internal and external points of contact for personnel that provide or receive data or support interconnected systems.
B. Supporting infrastructure such as electric power, telecommunications connections, and environmental controls.
2. Disruption impacts and allowable outage times to include:
A. Effects of an outage over time to assess the maximum allowable time that a resource may be denied before it prevents or inhibits the performance of an essential function.
B. Effects of an outage across related resources and dependent systems to assess cascading effects on associated systems or processes.
3. Recovery priorities that consider geographic areas, accessibility, security, environment, and cost and may include a combination of:
A. Preventive controls and processes such as backup power, excess capacity, environmental sensors and alarms.
B. Recovery techniques and technologies such as backup methodologies, alternate sites, software and hardware equipment replacement, implementation roles and responsibilities.
b. Risk Assessment to weigh the cost of implementing preventative measures against the risk of loss from not taking action.
c. Implementation, testing, and maintenance management program addressing the initial and ongoing testing and maintenance activities of the plan.
d. Disaster Recovery Plan--Each state organization shall maintain a written disaster recovery plan for major or catastrophic events that deny access to information resources for an extended period. Information learned from tests conducted since the plan was last updated will be used in updating the disaster recovery plan. The disaster recovery plan will:
1. Contain measures which address the impact and magnitude of loss or harm that will result from an interruption;
2. Identify recovery resources and a source for each;
3. Contain step-by-step implementation instructions;
4. Include provisions for annual testing.
Obtain contingency planning policy; procedures addressing contingency operations for the information system; NIST Special Publication 800-34; contingency plan; other related plans; other relevant documents or records and ascertain if :
(I)the organization develops and documents a contingency plan for the information system.
(ii)the contingency plan is consistent with NIST Special Publication 800-34.
(iii)the contingency plan addresses contingency roles, responsibilities, assigned individuals with contact information, and activities associated with restoring the information system after a disruption or failure.
(iv)the contingency plan is reviewed and approved by designated organizational officials.
(v)the organization disseminates the contingency plan to key contingency personnel.
(vi)the organization coordinates the contingency plan with other related plans (e.g., Business Continuity Plan, Disaster Recovery Plan, Continuity of Operations Plan, Business Recovery Plan, Incident Response Plan, Emergency Action Plan).
