BRACKETOLOGY | FEDRAMP
CP-3: CONTINGENCY TRAINING
-
FedRAMP Baseline Membership CP-3:
- LOW
- MODERATE
- HIGH
FedRAMP Bracketology
Use the FedRAMP Control Membership information above to determine if a control or control enhancement is required for each Impact Baseline — LOW, MODERATE, or HIGH
Click on the panel below each control or control enhancement to review the FedRAMP Impact Baseline-specific control configuration requirements for each of the [BRACKETS] in each control and/or control enhancement.
Review and use Additional Requirements and Guidance to build FedRAMP-compliant controls for your risk-based cybersecurity program.
To change the baseline view in the panel, click on LOW, MODERATE, or HIGH when the panel is open
Panels only appear where there are [BRACKETS] in the control or enhancement or where there is FedRAMP-specific requirements or guidance available.
The organization provides contingency training to information system users consistent with assigned roles and responsibilities:
- a. Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility;
- b. When required by information system changes; and
- c. [Assignment: organization-defined frequency] thereafter.
Click Low | Moderate | High below to see FedRAMP control configuration information. It's in BOLD.
The organization provides contingency training to information system users consistent with assigned roles and responsibilities:
- a. Within ten (10) days of assuming a contingency role or responsibility;
- b. When required by information system changes; and
- c. at least annually thereafter.
The organization provides contingency training to information system users consistent with assigned roles and responsibilities:
- a. Within ten (10) days of assuming a contingency role or responsibility;
- b. When required by information system changes; and
- c. at least annually thereafter.
The organization provides contingency training to information system users consistent with assigned roles and responsibilities:
- a. Within ten (10) days of assuming a contingency role or responsibility;
- b. When required by information system changes; and
- c. at least annually thereafter.
SUPPLEMENTAL GUIDANCE
Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to set up information systems at alternate processing and storage sites; and managers/senior leaders may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles/responsibilities reflects the specific continuity requirements in the contingency plan.
RELATED CONTROLS: CP-3
CONTROL ENHANCEMENTS
CP-3 (1) CONTINGENCY TRAINING | SIMULATED EVENTS
-
FedRAMP Baseline Membership CP-3 (1):
- HIGH
The organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations.
Supplemental Guidance: NONE
CP-3 (2) CONTINGENCY TRAINING | AUTOMATED TRAINING ENVIRONMENTS
The organization employs automated mechanisms to provide a more thorough and realistic contingency training environment.
Supplemental Guidance: NONE
REFERENCES:
- Federal Continuity Directive 1
- NIST Special Publication 800-16
- NIST Special Publication 800-50