BRACKETOLOGY | FEDRAMP

CP-10: INFORMATION SYSTEM RECOVERY AND RECONSTITUTION

FedRAMP Baseline Membership CP-10:
  • LOW
  • MODERATE
  • HIGH
FedRAMP Bracketology

Use the FedRAMP Control Membership information above to determine whether a control or control enhancement is required for each Impact Baseline — LOW, MODERATE, or HIGH.


Review and use Additional Requirements and Guidance to build FedRAMP-compliant controls for your risk-based cybersecurity program.


Panels only appear where there are [BRACKETS] in the control or enhancement, or where FedRAMP-specific requirements or guidance are available.

The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.

SUPPLEMENTAL GUIDANCE

Recovery is executing information system contingency plan activities to restore organizational missions/business functions. Reconstitution takes place following recovery and includes activities for returning organizational information systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities, recovery point/time and reconstitution objectives, and established organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of any interim information system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored information system capabilities, reestablishment of continuous monitoring activities, potential information system reauthorizations, and activities to prepare the systems against future disruptions, compromises, or failures. Recovery/reconstitution capabilities employed by organizations can include both automated mechanisms and manual procedures.

CONTROL ENHANCEMENTS

CP-10 (1) INFORMATION SYSTEM RECOVERY AND RECONSTITUTION | CONTINGENCY PLAN TESTING

[Withdrawn: Incorporated into CP-4].

CP-10 (2) INFORMATION SYSTEM RECOVERY AND RECONSTITUTION | TRANSACTION RECOVERY
FedRAMP Baseline Membership CP-10 (2):
  • MODERATE
  • HIGH

The information system implements transaction recovery for systems that are transaction-based.

Supplemental Guidance:

Transaction-based information systems include, for example, database management systems and transaction processing systems. Mechanisms supporting transaction recovery include, for example, transaction rollback and transaction journaling.

CP-10 (3) INFORMATION SYSTEM RECOVERY AND RECONSTITUTION | COMPENSATING SECURITY CONTROLS

[Withdrawn: Addressed through tailoring procedures].

CP-10 (4) INFORMATION SYSTEM RECOVERY AND RECONSTITUTION | RESTORE WITHIN TIME PERIOD
FedRAMP Baseline Membership CP-10 (4):
  • HIGH

The organization provides the capability to restore information system components within [Assignment: organization-defined restoration time-periods] from configuration-controlled and integrity-protected information representing a known, operational state for the components.

CP-10 (4) FedRAMP-specific requirements by Impact Baseline:

LOW: There are no FedRAMP-specific requirements if this control is used for a LOW Impact system.

MODERATE: There are no FedRAMP-specific requirements if this control is used for a MODERATE Impact system.

HIGH: The organization provides the capability to restore information system components within a time period consistent with the restoration time-periods defined in the service provider and organization SLA, from configuration-controlled and integrity-protected information representing a known, operational state for the components.

Supplemental Guidance:

Restoration of information system components includes, for example, reimaging which restores components to known, operational states.
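As an added example (not FedRAMP or NIST text) of checking the two conditions CP-10 (4) sets before and after a reimaging run: the restore source must match the digest recorded when the image was placed under configuration control, and the restoration must finish within the SLA-defined period. The component name, image version, sample image bytes, and the 4-hour objective are constructed assumptions.

```python
import hashlib
import hmac
from datetime import datetime, timedelta

# Constructed sample data (hypothetical component and image content).
GOLDEN_IMAGE = b"constructed golden image bytes for component web-tier-01\n"
TAMPERED_IMAGE = GOLDEN_IMAGE.replace(b"golden", b"altered")

# Manifest recorded when the image was placed under configuration control.
# In practice it is kept with the change record, not beside the image.
MANIFEST = {
    "component": "web-tier-01",
    "image_version": "2024.03-baseline",
    "sha256": hashlib.sha256(GOLDEN_IMAGE).hexdigest(),
}

# Restoration objective taken from the (hypothetical) SLA for this tier.
SLA_RESTORATION_PERIOD = timedelta(hours=4)


def verify_restore_source(candidate: bytes, manifest: dict) -> bool:
    """True only if the candidate image matches the manifest digest.

    A mismatch means the source is not the integrity-protected, known
    operational state, so reimaging from it should not proceed.
    """
    observed = hashlib.sha256(candidate).hexdigest()
    return hmac.compare_digest(observed, manifest["sha256"])


def restored_within_objective(started: datetime, finished: datetime,
                              objective: timedelta) -> bool:
    """True if the restoration completed inside the SLA window."""
    return timedelta(0) <= finished - started <= objective


def evaluate_restoration(candidate: bytes, manifest: dict,
                         started: datetime, finished: datetime,
                         objective: timedelta = SLA_RESTORATION_PERIOD) -> dict:
    """Combine both CP-10 (4) conditions into one evidence record."""
    integrity_ok = verify_restore_source(candidate, manifest)
    on_time = restored_within_objective(started, finished, objective)
    return {
        "component": manifest["component"],
        "image_version": manifest["image_version"],
        "integrity_ok": integrity_ok,
        "within_objective": on_time,
        "elapsed": str(finished - started),
        "compliant": integrity_ok and on_time,
    }
```

The returned record is the kind of evidence an assessor asks for: which image version was restored, whether it matched the controlled digest, and the measured elapsed time against the SLA.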

RELATED CONTROLS: CP-10 (4)

CP-10 (5) INFORMATION SYSTEM RECOVERY AND RECONSTITUTION | FAILOVER CAPABILITY

[Withdrawn: Incorporated into SI-13].

CP-10 (6) INFORMATION SYSTEM RECOVERY AND RECONSTITUTION | COMPONENT PROTECTION

The organization protects backup and restoration hardware, firmware, and software.

Supplemental Guidance:

Protection of backup and restoration hardware, firmware, and software components includes both physical and technical safeguards. Backup and restoration software includes, for example, router tables, compilers, and other security-relevant system software.

RELATED CONTROLS: CP-10 (6)

REFERENCES:

  • Federal Continuity Directive 1
  • NIST Special Publication 800-34