💼 CP-2 CONTINGENCY PLAN
- Contextual name: 💼 CP-2 CONTINGENCY PLAN
- ID: /frameworks/nist-sp-800-53-r4/cp/02
- Located in: 💼 CP CONTINGENCY PLANNING
Description
The organization:
- CP-2a. Develops a contingency plan for the information system that:
  - CP-2a.1. Identifies essential missions and business functions and associated contingency requirements;
  - CP-2a.2. Provides recovery objectives, restoration priorities, and metrics;
  - CP-2a.3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
  - CP-2a.4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
  - CP-2a.5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
  - CP-2a.6. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
- CP-2b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
- CP-2c. Coordinates contingency planning activities with incident handling activities;
- CP-2d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency];
- CP-2e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
- CP-2f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and
- CP-2g. Protects the contingency plan from unauthorized disclosure and modification.
Similar
Similar Sections (Give Policies To)
Section | Sub Sections | Internal Rules | Policies | Flags |
---|---|---|---|---|
💼 NIST CSF v1.1 → 💼 DE.AE-4: Impact of events is determined | | 14 | 14 | |
💼 NIST CSF v1.1 → 💼 ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value | | | | |
💼 NIST CSF v1.1 → 💼 ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established | | | | |
💼 NIST CSF v1.1 → 💼 ID.BE-1: The organization's role in the supply chain is identified and communicated | | | | |
💼 NIST CSF v1.1 → 💼 ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations) | | 4 | 4 | |
💼 NIST CSF v1.1 → 💼 ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers | | 1 | 1 | |
💼 NIST CSF v1.1 → 💼 PR.DS-4: Adequate capacity to ensure availability is maintained | | 1 | 1 | |
💼 NIST CSF v1.1 → 💼 PR.IP-7: Protection processes are improved | | | 2 | |
💼 NIST CSF v1.1 → 💼 PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed | | 3 | 3 | |
💼 NIST CSF v1.1 → 💼 RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams | | | | |
💼 NIST CSF v1.1 → 💼 RC.IM-1: Recovery plans incorporate lessons learned | | | | |
💼 NIST CSF v1.1 → 💼 RC.IM-2: Recovery strategies are updated | | | | |
💼 NIST CSF v1.1 → 💼 RS.AN-2: The impact of the incident is understood | | | | |
💼 NIST CSF v1.1 → 💼 RS.AN-4: Incidents are categorized consistent with response plans | | | | |
💼 NIST CSF v1.1 → 💼 RS.CO-1: Personnel know their roles and order of operations when a response is needed | | | | |
💼 NIST CSF v1.1 → 💼 RS.CO-3: Information is shared consistent with response plans | | 16 | 17 | |
💼 NIST CSF v1.1 → 💼 RS.CO-4: Coordination with stakeholders occurs consistent with response plans | | | | |
💼 NIST CSF v1.1 → 💼 RS.IM-1: Response plans incorporate lessons learned | | | | |
💼 NIST CSF v1.1 → 💼 RS.IM-2: Response strategies are updated | | | | |
💼 NIST CSF v1.1 → 💼 RS.RP-1: Response plan is executed during or after an incident | | | | |
Sub Sections