BRACKETOLOGY | FEDRAMP

CP-7: ALTERNATE PROCESSING SITE

  • FedRAMP Baseline Membership CP-7: MODERATE, HIGH

The organization:

    • a. Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable;
    • b. Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and
    • c. Ensures that the alternate processing site provides information security safeguards equivalent to those of the primary site.

There are no FedRAMP-specific requirements if this control is used for a LOW Impact system.

The organization:

  • a. Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of organization-defined information system operations for essential missions/business functions within organization-defined time period consistent with recovery time and recovery point objectives (See additional FedRAMP requirements) when the primary processing capabilities are unavailable;
  • b. Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and
  • c. Ensures that the alternate processing site provides information security safeguards equivalent to those of the primary site.

FedRAMP REQUIREMENT:

The service provider defines a time period consistent with the recovery time objectives and business impact analysis.


SUPPLEMENTAL GUIDANCE

Alternate processing sites are sites that are geographically distinct from primary processing sites. An alternate processing site provides processing capability in the event that the primary processing site is not available. Items covered by alternate processing site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination for the transfer/assignment of personnel. Requirements are specifically allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems.

CONTROL ENHANCEMENTS

CP-7 (1) ALTERNATE PROCESSING SITE | SEPARATION FROM PRIMARY SITE
  • FedRAMP Baseline Membership CP-7 (1): MODERATE, HIGH

The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats.

FedRAMP GUIDANCE:

The service provider may determine what is considered a sufficient degree of separation between the primary and alternate processing sites, based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber-attack), the degree of separation between sites will be less relevant.


Supplemental Guidance:

Threats that affect alternate processing sites are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber attacks, and errors of omission/commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate processing sites based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites is less relevant.

RELATED CONTROLS: CP-7 (1)

CP-7 (2) ALTERNATE PROCESSING SITE | ACCESSIBILITY
  • FedRAMP Baseline Membership CP-7 (2): MODERATE, HIGH

The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

Supplemental Guidance:

Area-wide disruptions refer to those types of disruptions that are broad in geographic scope (e.g., hurricane, regional power outage) with such determinations made by organizations based on organizational assessments of risk.

RELATED CONTROLS: CP-7 (2)

CP-7 (3) ALTERNATE PROCESSING SITE | PRIORITY OF SERVICE
  • FedRAMP Baseline Membership CP-7 (3): MODERATE, HIGH

The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives).

Supplemental Guidance:

Priority-of-service agreements refer to negotiated agreements with service providers that ensure that organizations receive priority treatment consistent with their availability requirements and the availability of information resources at the alternate processing site.

CP-7 (4) ALTERNATE PROCESSING SITE | PREPARATION FOR USE
  • FedRAMP Baseline Membership CP-7 (4): HIGH

The organization prepares the alternate processing site so that the site is ready to be used as the operational site supporting essential missions and business functions.

Supplemental Guidance:

Site preparation includes, for example, establishing configuration settings for information system components at the alternate processing site consistent with the requirements for such settings at the primary site and ensuring that essential supplies and other logistical considerations are in place.

RELATED CONTROLS: CP-7 (4)

CP-7 (5) ALTERNATE PROCESSING SITE | EQUIVALENT INFORMATION SECURITY SAFEGUARDS

[Withdrawn: Incorporated into CP-7]. (See above)

CP-7 (6) ALTERNATE PROCESSING SITE | INABILITY TO RETURN TO PRIMARY SITE

The organization plans and prepares for circumstances that preclude returning to the primary processing site.

Supplemental Guidance: NONE

REFERENCES:

  • NIST Special Publication 800-34