BRACKETOLOGY | FEDRAMP
CP-8: TELECOMMUNICATIONS SERVICES
FedRAMP Baseline Membership CP-8:
- MODERATE
- HIGH
The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of [Assignment: organization-defined information system operations] for essential missions and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
FedRAMP control configuration by Impact Baseline:
LOW: There are no FedRAMP-specific requirements if this control is used for a LOW Impact system.
MODERATE and HIGH:
The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of organization-defined information system operations for essential missions and business functions within organization-defined time period (See CP-8 additional FedRAMP requirements and guidance) when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
FedRAMP REQUIREMENT:
The service provider defines a time period consistent with the recovery time objectives and business impact analysis.
SUPPLEMENTAL GUIDANCE
This control applies to telecommunications services (data and voice) for primary and alternate processing and storage sites. Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential missions/business functions despite the loss of primary telecommunications services. Organizations may specify different time periods for primary/alternate sites. Alternate telecommunications services include, for example, additional organizational or commercial ground-based circuits/lines or satellites in lieu of ground-based communications. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements.
RELATED CONTROLS: CP-8
CONTROL ENHANCEMENTS
CP-8 (1) TELECOMMUNICATIONS SERVICES | PRIORITY OF SERVICE PROVISIONS
FedRAMP Baseline Membership CP-8 (1):
- MODERATE
- HIGH
The organization:
- (a) Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and
- (b) Requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier.
Supplemental Guidance:
Organizations consider the potential mission/business impact in situations where telecommunications service providers are servicing other organizations with similar priority-of-service provisions.
CP-8 (2) TELECOMMUNICATIONS SERVICES | SINGLE POINTS OF FAILURE
FedRAMP Baseline Membership CP-8 (2):
- MODERATE
- HIGH
The organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.
Supplemental Guidance: NONE
CP-8 (3) TELECOMMUNICATIONS SERVICES | SEPARATION OF PRIMARY / ALTERNATE PROVIDERS
FedRAMP Baseline Membership CP-8 (3):
- HIGH
The organization obtains alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.
Supplemental Guidance:
Threats that affect telecommunications services are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber/physical attacks, and errors of omission/commission. Organizations seek to reduce common susceptibilities by, for example, minimizing shared infrastructure among telecommunications service providers and achieving sufficient geographic separation between services. Organizations may consider using a single service provider in situations where the service provider can provide alternate telecommunications services meeting the separation needs addressed in the risk assessment.
CP-8 (4) TELECOMMUNICATIONS SERVICES | PROVIDER CONTINGENCY PLAN
FedRAMP Baseline Membership CP-8 (4):
- HIGH
The organization:
- (a) Requires primary and alternate telecommunications service providers to have contingency plans;
- (b) Reviews provider contingency plans to ensure that the plans meet organizational contingency requirements; and
- (c) Obtains evidence of contingency testing/training by providers [Assignment: organization-defined frequency].
FedRAMP control configuration by Impact Baseline:
LOW: There are no FedRAMP-specific requirements if this control is used for a LOW Impact system.
MODERATE: There are no FedRAMP-specific requirements if this control is used for a MODERATE Impact system.
HIGH:
The organization:
- (a) Requires primary and alternate telecommunications service providers to have contingency plans;
- (b) Reviews provider contingency plans to ensure that the plans meet organizational contingency requirements; and
- (c) Obtains evidence of contingency testing/training by providers annually.
Supplemental Guidance:
Reviews of provider contingency plans consider the proprietary nature of such plans. In some situations, a summary of provider contingency plans may be sufficient evidence for organizations to satisfy the review requirement. Telecommunications service providers may also participate in ongoing disaster recovery exercises in coordination with the Department of Homeland Security, state, and local governments. Organizations may use these types of activities to satisfy evidentiary requirements related to service provider contingency plan reviews, testing, and training.
CP-8 (5) TELECOMMUNICATIONS SERVICES | ALTERNATE TELECOMMUNICATION SERVICE TESTING
The organization tests alternate telecommunication services [Assignment: organization-defined frequency].
Supplemental Guidance: NONE
REFERENCES:
- NIST Special Publication 800-34
- National Communications Systems Directive 3-10
- http://www.dhs.gov/telecommunications-service-priority-tsp