CP-3 CONTINGENCY TRAINING - NIST-SP-800-53-R5/NIST-SP-800-53-R5.github.io GitHub Wiki
Control:
- a. Provide contingency training to system users consistent with assigned roles and responsibilities:
- 1. Within [ Assignment: organization-defined time period ] of assuming a contingency role or responsibility;
- 2. When required by system changes; and
- 3. [ Assignment: organization-defined frequency ] thereafter; and
- b. Review and update contingency training content [ Assignment: organization-defined frequency ] and following [ Assignment: organization-defined events ].
Discussion: Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, some individuals may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to establish systems at alternate processing and storage sites; and organizational officials may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles or responsibilities reflects the specific continuity requirements in the contingency plan. Events that may precipitate an update to contingency training content include, but are not limited to, contingency plan testing or an actual contingency (lessons learned), assessment or audit findings, security or privacy incidents, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. At the discretion of the organization, participation in a contingency plan test or exercise, including lessons learned sessions subsequent to the test or exercise, may satisfy contingency plan training requirements.
Related Controls: AT-2, AT-3, AT-4, CP-2, CP-4, CP-8, IR-2, IR-4, IR-9.
Control Enhancements:
(1) CONTINGENCY TRAINING | SIMULATED EVENTS
Incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations.
Discussion: The use of simulated events creates an environment for personnel to experience actual threat events, including cyber-attacks that disable websites, ransomware attacks that encrypt organizational data on servers, hurricanes that damage or destroy organizational facilities, or hardware or software failures.
Related Controls: None.
(2) CONTINGENCY TRAINING | MECHANISMS USED IN TRAINING ENVIRONMENTS
Employ mechanisms used in operations to provide a more thorough and realistic contingency training environment.
Discussion: Operational mechanisms refer to processes that have been established to accomplish an organizational goal or a system that supports a particular organizational mission or business objective. Actual mission and business processes, systems, and/or facilities may be used to generate simulated events and enhance the realism of simulated events during contingency training.
Related Controls: None.
References: [SP 800-50].