Contingency Planning (CP)

6.   OPERATIONAL CONTROLS

6.3   Contingency Planning (CP)

Contingency planning provides the guidance and direction necessary to maintain acceptable levels of information services in the event the primary service (system or application) sustains an interruption. Contingency plans identify critical assets (using the Business Impact Assessment (BIA)), key personnel and vendors, and established procedures to respond to outages. The plan identifies alternate processing locations, provides procedures to activate those locations, and facilitates return to the primary location. Key personnel necessary to facilitate operations are identified, including the means to contact them at any time. Considerations in the plan address short-, moderate-, and long-term interruptions, as well as catastrophic loss of the facility; recovery, repair, and salvage of assets; and the identification of key supplies necessary to facilitate processing. Training programs to prepare key personnel are developed, along with tabletop and functional exercises designed to assess and evaluate the plan.

Policy: Office of Personnel Management (OPM) System Owners (SO) shall ensure the establishment, maintenance, and effective implementation of plans for emergency response, disaster recovery, backup operations, and post-disaster recovery for their information systems, to ensure the availability of critical information resources and continuity of operations in emergency situations. These plans help OPM recover from serious incidents involving information systems in the minimum time and with minimum cost and disruption. Contingency Plans shall be reviewed, updated, and tested at least annually to ensure their effectiveness.

6.3.1 Contingency Planning Policy and Procedures (CP-1)

The policies under this control are implemented with the OPM Contingency Planning Procedure.

Operational contingency planning procedures may be developed by program offices and operational groups where necessary. Contingency planning procedures shall be developed and disseminated. The procedures shall be reviewed at least annually and updated as determined necessary.

6.3.2 Contingency Plan (CP-2)

Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business operations. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. A Contingency Plan is a group of controls that provides SOs a mechanism to ensure the availability of information systems and prevent a negative impact to business functions in the event of an emergency. Examples of actions to call out in contingency plans include: graceful degradation, information system shutdown, fall-back to a manual mode, alternate information flows, or operating in a mode that is reserved solely for when the system is under attack.

SOs shall ensure:

• Development of a contingency plan for the information system that:

  • Identifies essential missions and business functions and associated contingency requirements through conducting Business Impact Assessments (BIA);

  • Provides recovery objectives, restoration priorities, and metrics as part of the BIA;

  • Addresses contingency roles, responsibilities, and assigned individuals with contact information;

  • Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;

  • Addresses eventual, full information system restoration without deterioration of the security measures originally planned and implemented; and

  • Is reviewed and approved by the SO, Chief Information Security Officer (CISO), and the Authorizing Official (AO).

• Copies of the contingency plan are distributed to key contingency personnel and other related organizational elements or entities;

• Contingency planning activities are coordinated with incident handling activities;

• The contingency plan for the information system is reviewed at least annually;

• The contingency plan is revised to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; and

• Contingency plan changes are communicated to key contingency personnel and other related organizational elements or entities.

The SO shall coordinate contingency plan development with organizational elements responsible for related plans, such as Business Continuity Plan, Disaster Recovery Plan, Continuity of Operations Plan (COOP), Crisis Communications Plan, Critical Infrastructure Plan, Cyber Incident Response Plan, and Occupant Emergency Plan. (Moderate and High)

SOs shall conduct capacity planning to ensure necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations. (High) OPM shall plan for the resumption of essential missions and business functions within 12 hours of contingency plan activation. (High)

6.3.3 Contingency Training (CP-3)

In the event of an emergency, there is usually less time for planning and reacting; therefore, personnel that must execute information system contingency plans need to be trained on their responsibilities to ensure any delay in recovering critical systems is minimal.

SOs shall train personnel in their contingency roles and responsibilities with respect to the information system and provide refresher training at least annually.

SOs shall incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations. (High)

6.3.4 Contingency Plan Testing and Exercises (CP-4)

Executing contingency plans during controlled tests and/or exercises provides a mechanism to test the effectiveness of the contingency plan, train personnel, and correct weaknesses in the plan in a controlled situation.

SOs shall ensure:

• The contingency plan for the information system is tested and/or exercised at least annually using OPM-defined and information system-specific tests and exercises (such as checklist, walk-through/tabletop, simulation, parallel, and full-interrupt exercises) to determine the plan’s effectiveness and the organization’s readiness to execute the plan; and

• Contingency plan test/exercise results are reviewed and corrective actions are initiated (e.g., updating contingency plan procedures).

SOs shall ensure test results are provided to the CISO quarterly for evidence and reporting.

Contingency plan testing and/or exercises shall be coordinated with organizational elements responsible for related plans, such as the Business Continuity Plan, Disaster Recovery Plan, Continuity of Operations Plan (COOP), Crisis Communications Plan, Critical Infrastructure Plan, Cyber Incident Response Plan, and Occupant Emergency Plan. (Moderate and High)

The SO shall ensure testing/exercising of the contingency plan at the alternate processing site to familiarize contingency personnel with the facility and available resources and to evaluate the site’s capabilities to support contingency operations. As part of contingency plan testing, the SO shall include a full recovery and reconstitution of the information system to a known state. (High)

For some smaller systems (particularly those with a Federal Information Processing Standard (FIPS) 199 Low availability impact), a full contingency plan may not be required if the SO determines that the system’s contingency plan is to not recover the system after an incident. This decision shall be documented and based on the BIA that supports the decision not to recover or reconstitute the system. The testing requirement for these systems can be satisfied by annually validating and, where appropriate, updating the documentation of that decision.

There are two principal approaches to contingency plan testing:

• Classroom Exercises. Participants in classroom exercises, often called tabletop exercises, walk through the procedures to ensure the documentation reflects the ability to adequately perform the tasks outlined, without any actual recovery operations occurring. Classroom exercises are the more basic and less costly of the two types and should be conducted before performing a functional exercise.

• Functional Exercises. Functional exercises are more extensive than tabletops and include simulations, parallel operations, or full interrupt (failover) testing. Often, scripts are written for role players pretending to be external organization contacts, or there may be actual interagency and vendor participation. A functional exercise might include actual relocation to the alternate site and/or system cutover.

In either case, test scenarios might include but are not limited to: equipment damage/failure scenario, COOP emergency relocation scenario, data loss/corruption scenario, network outage scenario or staff shortage due to pandemic influenza scenario.

Classroom exercises are generally appropriate for systems with a FIPS 199 Low availability impact. Tabletop exercises augmented with limited functional exercises (e.g., loading backup files; telephone call tree exercises) are appropriate for Moderate availability systems. High availability systems shall undergo more extensive functional exercises (e.g., testing of switchover capabilities). The FIPS 199 level here applies only to availability (e.g., a FIPS 199 High system because of confidentiality may in fact have a Low availability impact rating).

6.3.5 Alternate Storage Site (CP-6)

In order to support events requiring the recovery of information systems, the information to recover the system must be stored at an alternate site.

The Data Center Manager and SOs shall ensure the establishment of an alternate storage site, including the necessary agreements to permit the storage and recovery of information system backup information. The alternate storage site shall be separated from the primary storage site so as not to be susceptible to the same hazards. Potential accessibility problems for the alternate storage site in the event of an area-wide disruption or disaster shall be identified, and explicit mitigation actions shall be outlined. Explicit mitigation actions include duplicating backup information at another alternate storage site if access to the first alternate site is hindered, or, if electronic accessibility to the alternate site is disrupted, planning for physical access to retrieve backup information. (Moderate and High)

SOs shall ensure configuration of the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives. (High)

6.3.6 Alternate Processing Site (CP-7)

In order to support the recovery of information systems in an emergency, it may be necessary to recover at an alternate processing site as the primary site might not be accessible.

SOs and Data Center Manager shall ensure:

• Establishment of an alternate processing site including necessary agreements to permit the resumption of information system operations for essential missions and business functions within 12 hours when the primary processing capabilities are unavailable; and

• Equipment and supplies required to resume operations are available at the alternate site or contracts are in place to support delivery to the site in time to support the organization-defined time period for resumption. (Moderate and High)

The alternate processing site shall be separated from the primary processing site so as not to be susceptible to the same hazards. Potential accessibility problems shall be identified for the alternate processing site in the event of an area-wide disruption or disaster and explicit mitigation actions shall be outlined. Alternate processing site agreements shall be developed, that contain priority-of-service provisions in accordance with the organization’s availability requirements.

The alternate processing site shall provide information security measures equivalent to that of the primary site. (Moderate and High)

SOs and Data Center Manager shall configure the alternate processing site so that it is ready to be used as the operational site supporting essential missions and business functions. (High)

6.3.7 Telecommunications Services (CP-8)

Telecommunications services are key to technology operations; as such, the organization needs to obtain both primary and alternate services that will support ongoing operations. The following policy addresses the requirement for organizations to identify alternate telecommunications services for the resumption of information system operations in the event of a disaster or major disruption of services.

SOs and the Data Center Manager shall ensure establishment of alternate telecommunications services, including the necessary agreements to permit the resumption of information system operations for essential missions and business functions within 12 hours when the primary telecommunications capabilities are unavailable. The primary and alternate telecommunications service agreements shall contain priority-of-service provisions in accordance with the organization’s availability requirements. Telecommunications Service Priority shall be requested for telecommunication services used for national security emergency preparedness in the event that the primary and/or alternate services are provided by a common carrier. In addition, alternate telecommunications services shall be obtained with consideration for reducing the likelihood of sharing a single point of failure with the primary telecommunications services. (Moderate and High)

Alternate telecommunications service providers shall have contingency plans and be separated from primary service providers so as not to be susceptible to the same hazards. (High)

6.3.8 Information System Backup (CP-9)

In order to successfully recover an information system, the components of the system and its data must be backed up successfully. For each system it must be determined what information is necessary for successful recovery and must therefore be backed up. The frequency with which backups are performed will depend on the availability requirement of the data. It is important that backups are tested to ensure usability.

SOs shall ensure:

• Backups are conducted of user-level information contained in the information system periodically (Low), weekly (Moderate), and daily (High) for file shares on the network; end users are responsible for backup and recovery functions for desktops, notebooks, and hand-held computers;

• Backups are conducted of system-level information (e.g., system-state information, operating system and application software, and licenses) contained in the information system periodically (Low), weekly (Moderate), and daily (High);

• Backups are conducted of information system documentation including security-related documentation periodically (Low), weekly (Moderate), and daily (High) for file shares on the network; end users are responsible for backup and recovery functions for desktops, notebooks, and hand-held computers; and

• Protection of the confidentiality and integrity of backup information at the storage location. Digital signatures and cryptographic hashes are examples of mechanisms that can be employed by organizations to protect the integrity of information system backups.

An organizational assessment of risk guides the use of encryption for protecting backup information. The protection of system backup information while in transit is beyond the scope of this control (reference CP-6 and MP-4).
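The integrity mechanisms named above (cryptographic hashes, with a digital signature or other authenticator over the hash list) are easy to get subtly wrong, so here is an added, self-contained illustration. It is example code, not a procedure from this policy or from any OPM system: it builds a SHA-256 manifest of a backup set, authenticates the manifest with an HMAC key assumed to be held away from the storage location (a constructed key in `demo()`; in production the key would come from a KMS or HSM, and a true digital signature with an offline private key would let the verifier hold no secret at all), and on restore rejects a backup whose files or manifest were altered. The file names, contents, and `MANIFEST.json`/`MANIFEST.hmac` layout are all assumptions made for the example.

```python
"""Signed hash manifest for a backup set (added example, not OPM code).

Assumptions: a backup set is a directory tree; the integrity reference for the
set is the SHA-256 of every file, listed in MANIFEST.json; the manifest is
authenticated with an HMAC-SHA256 key stored away from the backup media.  An
attacker who can write to the storage location can alter files, or rewrite the
manifest to match, but cannot produce a valid tag without the key.
"""
import hashlib
import hmac
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"
TAG_NAME = "MANIFEST.hmac"
CHUNK = 1 << 20


def sha256_file(path):
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _data_files(backup_dir):
    # every regular file except the manifest and its tag, keyed by POSIX relative path
    return {
        p.relative_to(backup_dir).as_posix(): p
        for p in backup_dir.rglob("*")
        if p.is_file() and p.name not in (MANIFEST_NAME, TAG_NAME)
    }


def build_manifest(backup_dir):
    files = _data_files(backup_dir)
    return {
        "version": 1,
        "files": {rel: {"sha256": sha256_file(p), "size": p.stat().st_size}
                  for rel, p in sorted(files.items())},
    }


def manifest_tag(manifest, key):
    # canonical serialization, so the tag does not depend on on-disk formatting
    payload = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def write_backup_manifest(backup_dir, key):
    manifest = build_manifest(backup_dir)
    (backup_dir / MANIFEST_NAME).write_text(json.dumps(manifest, sort_keys=True, indent=1))
    (backup_dir / TAG_NAME).write_text(manifest_tag(manifest, key))
    return manifest


def verify_backup(backup_dir, key):
    """Return a list of problems; an empty list means the backup set verified."""
    manifest_path = backup_dir / MANIFEST_NAME
    tag_path = backup_dir / TAG_NAME
    if not manifest_path.is_file() or not tag_path.is_file():
        return ["manifest or tag missing"]
    manifest = json.loads(manifest_path.read_text())
    # authenticate the manifest first: an unauthenticated hash list proves nothing
    if not hmac.compare_digest(manifest_tag(manifest, key), tag_path.read_text().strip()):
        return ["manifest tag invalid"]
    problems = []
    on_disk = _data_files(backup_dir)
    for rel, meta in manifest["files"].items():
        if rel not in on_disk:
            problems.append("missing: " + rel)
        elif sha256_file(on_disk[rel]) != meta["sha256"]:
            problems.append("hash mismatch: " + rel)
    for rel in sorted(set(on_disk) - set(manifest["files"])):
        problems.append("unexpected file: " + rel)
    return problems


def demo():
    """Constructed backup set: clean verify, then a tampered file, then a forged manifest."""
    key = b"constructed-example-key"  # a real key comes from a KMS/HSM, never from the media
    results = {}
    tmp = Path(tempfile.mkdtemp())
    try:
        bk = tmp / "backup-set"
        (bk / "db").mkdir(parents=True)
        (bk / "db" / "users.sql").write_bytes(b"INSERT INTO users VALUES (1, 'alice');\n")
        (bk / "app.conf").write_bytes(b"rto_hours = 12\n")
        write_backup_manifest(bk, key)
        results["clean"] = verify_backup(bk, key)
        # attacker with write access to the storage location alters a data file
        (bk / "db" / "users.sql").write_bytes(b"INSERT INTO users VALUES (1, 'mallory');\n")
        results["tampered"] = verify_backup(bk, key)
        # attacker also rewrites the manifest to match, but cannot re-tag it without the key
        forged = build_manifest(bk)
        (bk / MANIFEST_NAME).write_text(json.dumps(forged, sort_keys=True, indent=1))
        results["forged_manifest"] = verify_backup(bk, key)
    finally:
        shutil.rmtree(tmp)
    return results


if __name__ == "__main__":
    print(demo())
```

Two points the code makes that the policy text leaves implicit: the hash list must itself be authenticated (a bare checksum file on the same media detects media errors, not an adversary), and the authenticator is checked before any per-file hash is trusted. The annual backup test in the next paragraph is where `verify_backup()` would run, against media retrieved from the alternate storage site.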

SOs shall ensure a test is performed of the backup information at least annually (recommend quarterly for High and semi-annually for Moderate) to verify media reliability and information integrity. (Moderate and High)

SOs shall ensure a sample of backup information is used in the restoration of selected information system functions as part of contingency plan testing. Backup copies of the operating system and other critical information system software, as well as copies of the information system inventory (including hardware, software, and firmware components), shall be stored in a separate facility or in a fire-rated container that is not co-located with the operational system. (High)

6.3.9 Information System Recovery and Reconstitution (CP-10)

The goal of contingency planning is the successful recovery and reconstitution of the information system to a secure and usable state. Recovery is executing information system contingency plan activities to restore essential missions and business functions. Reconstitution takes place following recovery and includes activities for returning the information system to its original functional state before contingency plan activation. Recovery and reconstitution procedures are based on organizational priorities, established recovery point/time and reconstitution objectives, and appropriate metrics. Reconstitution includes the deactivation of any interim information system capability that may have been needed during recovery operations. Reconstitution also includes an assessment of the fully restored information system capability, a potential system reauthorization, and the necessary activities to prepare the system against another disruption, compromise, or failure. Recovery and reconstitution capabilities employed by the organization can be a combination of automated mechanisms and manual procedures.

SOs shall ensure the recovery and reconstitution of the information system is accomplished to a known state after a disruption, compromise, or failure.

SOs shall ensure implementation of transaction recovery for transaction-based systems. Database management systems and transaction processing systems are examples of information systems that are transaction-based. Transaction rollback and transaction journaling are examples of mechanisms supporting transaction recovery. (Moderate and High)
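To make "transaction journaling" and "transaction rollback" concrete, the following is an added example, not code from this policy or from any database product. It models a toy key-value store whose durable state is a dict plus an append-only journal: every in-place change is preceded by a journal record holding the key's before-image (the write-ahead rule), commit and abort are journal records too, and recovery after a simulated crash undoes every transaction that never reached COMMIT. The transactions, keys, and balances in `demo()` are constructed for the example.

```python
"""Transaction recovery with a write-ahead undo journal (added example, not OPM code).

Assumptions: a single-node key-value store; the journal record for a change is
durable before the change itself (in a real system, fsync the journal first);
crash recovery has only the flushed data and the journal to work from.
"""
import json


class JournaledStore:
    def __init__(self, data=None, journal=None):
        # constructing from (data, journal) models restarting from durable state
        self.data = dict(data or {})
        self.journal = list(journal or [])
        begun = [r["txid"] for r in self.journal if r["op"] == "BEGIN"]
        self._next_txid = max(begun, default=0) + 1

    def begin(self):
        txid = self._next_txid
        self._next_txid += 1
        self.journal.append({"txid": txid, "op": "BEGIN"})
        return txid

    def _before_image(self, key):
        return {"existed": key in self.data, "value": self.data.get(key)}

    def put(self, txid, key, value):
        # write-ahead: the before-image reaches the journal before the data changes
        self.journal.append({"txid": txid, "op": "PUT", "key": key, **self._before_image(key)})
        self.data[key] = value

    def delete(self, txid, key):
        self.journal.append({"txid": txid, "op": "DELETE", "key": key, **self._before_image(key)})
        self.data.pop(key, None)

    def commit(self, txid):
        self.journal.append({"txid": txid, "op": "COMMIT"})

    def _undo(self, rec):
        if rec["existed"]:
            self.data[rec["key"]] = rec["value"]
        else:
            self.data.pop(rec["key"], None)

    def _undo_all(self, txids):
        # one backward pass over the journal: later changes are undone before earlier
        # ones, so interleaved transactions that touched the same key restore correctly
        for rec in reversed(self.journal):
            if rec["txid"] in txids and rec["op"] in ("PUT", "DELETE"):
                self._undo(rec)

    def rollback(self, txid):
        self._undo_all({txid})
        self.journal.append({"txid": txid, "op": "ABORT"})

    def recover(self):
        """Crash recovery: roll back every transaction with no COMMIT or ABORT record."""
        begun = {r["txid"] for r in self.journal if r["op"] == "BEGIN"}
        ended = {r["txid"] for r in self.journal if r["op"] in ("COMMIT", "ABORT")}
        losers = begun - ended
        self._undo_all(losers)
        for txid in sorted(losers):
            self.journal.append({"txid": txid, "op": "ABORT"})
        return sorted(losers)


def demo():
    """Constructed scenario: one committed transaction, then a crash mid-transaction."""
    s = JournaledStore()
    t1 = s.begin()
    s.put(t1, "balance:alice", 100)
    s.put(t1, "balance:bob", 50)
    s.commit(t1)
    t2 = s.begin()                      # transfer 30 alice -> bob, plus an audit row
    s.put(t2, "balance:alice", 70)
    s.put(t2, "balance:bob", 80)
    s.put(t2, "audit:1", "transfer 30")
    # crash here: data and journal were flushed, but COMMIT for t2 was never written
    durable_data = json.loads(json.dumps(s.data))
    durable_journal = json.loads(json.dumps(s.journal))
    restarted = JournaledStore(durable_data, durable_journal)
    rolled_back = restarted.recover()
    return {
        "before_recovery": durable_data,     # half-applied transfer visible on disk
        "rolled_back": rolled_back,          # [2]
        "after_recovery": restarted.data,    # state as of the last commit
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The recovery property this demonstrates is the one the control asks for: after the crash the store is returned to a known state (the last committed one), not left with the half-applied transfer. A production DBMS additionally journals after-images so committed work that never reached the data pages can be redone, and orders fsync so the journal is durable before the page write; both are omitted here to keep the undo logic visible.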

SOs shall ensure compensating security controls are provided for circumstances that can inhibit recovery and reconstitution to a known state (e.g., baselines not kept or backups not performed). (Moderate and High)

SOs shall ensure the capability is provided to reimage information system components within established recovery time objectives (RTO) from configuration-controlled and integrity-protected disk images representing a secure, operational state for the components. (High)