BRACKETOLOGY | FEDRAMP
CP-4: CONTINGENCY PLAN TESTING
FedRAMP Baseline Membership CP-4:
- LOW
- MODERATE
- HIGH
The organization:
- a. Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan;
- b. Reviews the contingency plan test results; and
- c. Initiates corrective actions, if needed.
LOW and MODERATE baselines (the bracketed parameters are the same for both):
The organization:
- a. Tests the contingency plan for the information system at least annually for moderate impact systems, and at least every three (3) years for low impact systems, using functional exercises for moderate impact systems and classroom exercises/table top written tests for low impact systems, to determine the effectiveness of the plan and the organizational readiness to execute the plan;
- b. Reviews the contingency plan test results; and
- c. Initiates corrective actions, if needed.
FedRAMP REQUIREMENT:
The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended) and provides the plans to FedRAMP prior to initiating testing. Test plans are approved and accepted by the JAB/AO prior to initiating testing.
HIGH baseline:
The organization:
- a. Tests the contingency plan for the information system at least annually using functional exercises to determine the effectiveness of the plan and the organizational readiness to execute the plan;
- b. Reviews the contingency plan test results; and
- c. Initiates corrective actions, if needed.
FedRAMP REQUIREMENT:
The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended) and provides the plans to FedRAMP prior to initiating testing. Test plans are approved and accepted by the JAB/AO prior to initiating testing.
SUPPLEMENTAL GUIDANCE
Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include, for example, walk-through and tabletop exercises, checklists, simulations (parallel, full interrupt), and comprehensive exercises. Organizations conduct testing based on the continuity requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals arising due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions.
RELATED CONTROLS: CP-2, CP-3, IR-3
CONTROL ENHANCEMENTS
CP-4 (1) CONTINGENCY PLAN TESTING | COORDINATE WITH RELATED PLANS
FedRAMP Baseline Membership CP-4 (1):
- MODERATE
- HIGH
The organization coordinates contingency plan testing with organizational elements responsible for related plans.
Supplemental Guidance:
Plans related to contingency plans for organizational information systems include, for example, Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, and Occupant Emergency Plans. This control enhancement does not require organizations to create organizational elements to handle related plans or to align such elements with specific plans. It does require, however, that if such organizational elements are responsible for related plans, organizations should coordinate with those elements.
RELATED CONTROLS: IR-8, PM-8
CP-4 (2) CONTINGENCY PLAN TESTING | ALTERNATE PROCESSING SITE
FedRAMP Baseline Membership CP-4 (2):
- HIGH
The organization tests the contingency plan at the alternate processing site:
- (a) To familiarize contingency personnel with the facility and available resources; and
- (b) To evaluate the capabilities of the alternate processing site to support contingency operations.
Supplemental Guidance: NONE
RELATED CONTROLS: CP-7
CP-4 (3) CONTINGENCY PLAN TESTING | AUTOMATED TESTING
FedRAMP Baseline Membership CP-4 (3):
- Not included in the LOW, MODERATE, or HIGH baseline
The organization employs automated mechanisms to more thoroughly and effectively test the contingency plan.
Supplemental Guidance:
Automated mechanisms facilitate more thorough and effective testing of contingency plans, for example: (i) by providing more complete coverage of contingency issues; (ii) by selecting more realistic test scenarios and environments; and (iii) by effectively stressing the information system and supported missions.
CP-4 (4) CONTINGENCY PLAN TESTING | FULL RECOVERY / RECONSTITUTION
FedRAMP Baseline Membership CP-4 (4):
- Not included in the LOW, MODERATE, or HIGH baseline
The organization includes a full recovery and reconstitution of the information system to a known state as part of contingency plan testing.
Supplemental Guidance: NONE
RELATED CONTROLS: CP-10, SC-24
REFERENCES:
- FIPS Publication 199
- Federal Continuity Directive 1
- NIST Special Publication 800-34
- NIST Special Publication 800-84