CP 4 CONTINGENCY PLAN TESTING - NIST-SP-800-53-R5/NIST-SP-800-53-R5.github.io GitHub Wiki

Control:

• a. Test the contingency plan for the system [ Assignment: organization-defined frequency ] using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: [ Assignment: organization-defined tests ].
• b. Review the contingency plan test results; and
• c. Initiate corrective actions, if needed.

Discussion: Methods for testing contingency plans to determine the effectiveness of the plans and identify potential weaknesses include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions.

Related Controls: AT-3, CP-2, CP-3, CP-8, CP-9, IR-3, IR-4, PL-2, PM-14, SR-2.

Control Enhancements:

• (1) CONTINGENCY PLAN TESTING | COORDINATE WITH RELATED PLANS
  Coordinate contingency plan testing with organizational elements responsible for related plans.

  Discussion: Plans related to contingency planning for organizational systems include Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, and Occupant Emergency Plans. Coordination of contingency plan testing does not require organizations to create organizational elements to handle related plans or to align such elements with specific plans. However, it does require that if such organizational elements are responsible for related plans, organizations coordinate with those elements.

  Related Controls: IR-8, PM-8.

• (2) CONTINGENCY PLAN TESTING | ALTERNATE PROCESSING SITE
  Test the contingency plan at the alternate processing site:

  • (a) To familiarize contingency personnel with the facility and available resources; and
  • (b) To evaluate the capabilities of the alternate processing site to support contingency operations.

  Discussion: Conditions at the alternate processing site may be significantly different than the conditions at the primary site. Having the opportunity to visit the alternate site and experience the actual capabilities available at the site can provide valuable information on potential vulnerabilities that could affect essential organizational mission and business functions. The on-site visit can also provide an opportunity to refine the contingency plan to address the vulnerabilities discovered during testing.

  Related Controls: CP-7.

• (3) CONTINGENCY PLAN TESTING | AUTOMATED TESTING
  Test the contingency plan using [ Assignment: organization-defined automated mechanisms ].

  Discussion: Automated mechanisms facilitate thorough and effective testing of contingency plans by providing more complete coverage of contingency issues, selecting more realistic test scenarios and environments, and effectively stressing the system and supported mission and business functions.

  Related Controls: None.

• (4) CONTINGENCY PLAN TESTING | FULL RECOVERY AND RECONSTITUTION
  Include a full recovery and reconstitution of the system to a known state as part of contingency plan testing.

  Discussion: Recovery is executing contingency plan activities to restore organizational mission and business functions. Reconstitution takes place following recovery and includes activities for returning systems to fully operational states. Organizations establish a known state for systems that includes system state information for hardware, software programs, and data. Preserving system state information facilitates system restart and return to the operational mode of organizations with less disruption of mission and business processes.

  Related Controls: CP-10, SC-24.

• (5) CONTINGENCY PLAN TESTING | SELF-CHALLENGE
  Employ [ Assignment: organization-defined mechanisms ] to [ Assignment: organization-defined system or system component ] to disrupt and adversely affect the system or system component.

  Discussion: Often, the best method of assessing system resilience is to disrupt the system in some manner. The mechanisms used by the organization could disrupt system functions or system services in many ways, including terminating or disabling critical system components, changing the configuration of system components, degrading critical functionality (e.g., restricting network bandwidth), or altering privileges. Automated, on-going, and simulated cyber-attacks and service disruptions can reveal unexpected functional dependencies and help the organization determine its ability to ensure resilience in the face of an actual cyber- attack.

  Related Controls: None.

References: [FIPS 199], [SP 800-34], [SP 800-84], [SP 800-160-2].