ARTIFACTS
CP: CONTINGENCY PLANNING
What's On This Page
Each control family has a page dedicated to presenting all of the artifacts associated with the controls and control enhancements in that family. This is a consolidated view of the artifacts organized in a way to make the information usable. From here you can navigate to the individual control pages where the artifacts associated with each control or control enhancement are displayed with the control. You can use the Links Panels to select the individual controls or control enhancements you want to work with.
Supplement the artifacts here with other relevant documents and records dictated by your risk-based cybersecurity program and your information supply chain requirements.
The Source of the Artifacts
The control information comes from NIST Special Publication 800-53R4, Security and Privacy Controls for Information Systems and Organizations, and NIST Special Publication 800-53AR4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. We've normalized the artifact names and annotated them with information useful in understanding these artifacts in the context of your digital enterprise, information supply chain, and security architecture.
Essential Artifacts for Risk-Based Cybersecurity Programs
This section includes core documents for risk-based cybersecurity; the POLICY & PROCEDURES document for Contingency Planning (CP); and documents that are widely used in the assessment of controls and control enhancements in the Contingency Planning (CP) family. Policy and Procedure documents from control families are in CAPS and identified with their two-letter code.
CORE ARTIFACTS |
WIDELY USED ARTIFACTS FOR CONTINGENCY PLANNING (CP) |
CONTINGENCY PLANNING POLICY & PROCEDURES (CP) |
Contingency Planning (CP) policy |
Information system design documentation |
Information system configuration settings and associated documentation |
Information system audit records |
Security Authorization Package Documents:
|
ESSENTIALS |
ACCESS CONTROL POLICY & PROCEDURES (AC) |
Asset Inventory |
AUDIT & ACCOUNTABILITY POLICY & PROCEDURES (AU) |
Configuration Management Plan |
CONFIGURATION MANAGEMENT POLICY & PROCEDURES (CM) |
Contingency Plan |
CONTINGENCY PLANNING POLICY & PROCEDURES (CP) |
Continuous Monitoring Strategy |
Continuous Monitoring Plan |
Enterprise Architecture (EA) |
IDENTIFICATION & AUTHENTICATION POLICY & PROCEDURES (IA) |
INCIDENT RESPONSE POLICY & PROCEDURES (IR) |
INFORMATION SECURITY PROGRAM PLAN (PM) |
MEDIA PROTECTION POLICY & PROCEDURES (MP) |
PERSONNEL SECURITY POLICY & PROCEDURES (PS) |
PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY & PROCEDURES (PE) |
Privacy Impact Assessment |
Privacy Program Plan |
Risk Assessment |
RISK ASSESSMENT POLICY & PROCEDURES (RA) |
SECURITY ASSESSMENT & AUTHORIZATION POLICY & PROCEDURES (CA) |
SECURITY AWARENESS AND TRAINING POLICY & PROCEDURES (AT) |
Security Configurations |
SECURITY PLANNING POLICY & PROCEDURES (PL) |
SYSTEM AND COMMUNICATIONS PROTECTION POLICY & PROCEDURES (SC) |
SYSTEM AND INFORMATION INTEGRITY POLICY & PROCEDURES (SI) |
SYSTEM AND SERVICES ACQUISITION POLICY & PROCEDURES (SA) |
System Interconnection Agreements |
SYSTEM MAINTENANCE POLICY & PROCEDURES (MA) |
Policy & Procedures
Here you'll find a catalog of Contingency Planning (CP) related policies and procedures for managing access to your digital enterprise and information supply chain. Select those that enable your risk-based cybersecurity program.
POLICIES & PROCEDURES | APPLICABLE CONTROL(S) |
Contingency planning POLICY & PROCEDURES | CP-1 |
Procedures addressing alternate telecommunications services | CP-8 (5) |
Procedures addressing primary and alternate telecommunications services | CP-8 (3) |
Procedures addressing alternate processing sites | CP-7 CP-7 (1) CP-7 (2) CP-7 (3) CP-7 (4) CP-7 (6) |
Procedures addressing alternate security mechanisms | CP-13 |
Procedures addressing alternate storage sites | CP-6 CP-6 (1) CP-6 (2) CP-6 (3) |
Procedures addressing alternate telecommunications services | CP-8 |
Procedures addressing alternative communications protocols | CP-11 |
Procedures addressing contingency operations for the information system | CP-2 CP-2 (1) CP-2 (2) CP-2 (3) CP-2 (4) CP-2 (5) CP-2 (6) CP-2 (7) CP-2 (8) |
Procedures addressing contingency plan testing | CP-4 CP-4 (1) CP-4 (2) CP-4 (3) |
Procedures addressing contingency training | CP-3 CP-3 (1) CP-3 (2) |
Procedures addressing information system backup | CP-9 CP-9 (1) CP-9 (2) CP-9 (3) CP-9 (5) CP-9 (6) CP-9 (7) CP-10 |
Procedures addressing information system recovery and reconstitution | CP-4 (4) CP-10 (2) CP-10 (4) CP-10 (6) |
Procedures addressing primary and alternate telecommunications services | CP-8 (1) CP-8 (2) CP-8 (4) |
Procedures addressing safe mode of operation for the information system | CP-12 |
Evidence, Records & Artifacts
Here you'll find a catalog of Contingency Planning (CP) related policies and procedures for managing access to your digital enterprise and information supply chain. Select those that enable your risk-based cybersecurity program.
ARTIFACT | APPLICABLE CONTROL(S) |
Alternate processing site | CP-7 (1) CP-7 (2) CP-7 (4) CP-7 (6) |
Alternate processing site agreements | CP-2 (5) CP-2 (6) CP-4 (2) CP-7 CP-7 (1) CP-7 (2) CP-7 (3) CP-7 (4) CP-7 (6) |
Alternate processing site configurations | CP-7 (4) CP-7 (6) |
Alternate storage site | CP-6 (1) CP-6 (2) CP-6 (3) |
Alternate storage site agreements | CP-2 (5) CP-2 (6) CP-6 CP-6 (1) CP-6 (2) CP-9 (5) |
Alternate storage site configurations | CP-6 (2) |
Alternate telecommunications service agreements | CP-8 (5) |
Alternate telecommunications service provider site | CP-8 (3) |
Automated mechanisms supporting contingency plan testing | CP-4 (3) |
Backup storage location(s) | CP-9 (3) |
Business impact assessment | CP-2 (3) CP-2 (4) CP-2 (5) CP-2 (6) CP-2 (8) |
Capacity planning documents | CP-2 (2) |
Contingency plan requirements | CP-2 (7) |
Contingency plan test documentation | CP-2 (5) CP-4 CP-4 (2) CP-4 (3) CP-4 (4) CP-9 (1) CP-9 (2) CP-9 (6) CP-10 CP-10 (2) CP-10 (4) |
Contingency plan test records | CP-12 CP-13 |
Contingency plan test results | CP-2 (5) CP-2 (6) CP-4 CP-4 (2) CP-4 (3) CP-4 (4) CP-9 (1) CP-9 (2) CP-9 (6) CP-10 CP-10 (2) CP-10 (4) CP-13 |
Contingency plan testing documentation | CP-2 (6) CP-4 (1) |
Contingency plans of external service providers | CP-2 (7) |
Contingency training curriculum | CP-3 CP-3 (1) CP-3 (2) |
Contingency training material | CP-3 CP-3 (1) CP-3 (2) |
Contingency training records | CP-3 |
Equipment and supply contracts | CP-7 |
Evidence of contingency plan reviews and updates | CP-2 |
Evidence of contingency testing/training by providers | CP-8 (4) |
Evidence of information system recovery and reconstitution operations | CP-10 (4) |
Evidence of system backup information transferred to alternate storage site | CP-9 (5) |
Evidence of testing alternate telecommunications services | CP-8 (5) |
Incident handling records | CP-12 |
Incident response policy | CP-4 (1) |
Information system administration manuals | CP-12 |
Information system audit records | CP-10 (2) |
Information system backup configurations and associated documentation | CP-9 (3) |
Information system backup logs or records | CP-9 CP-9 (3) CP-9 (5) |
Information system backup test results | CP-9 (1) CP-9 (2) CP-9 (6) CP-10 |
Information system installation manuals | CP-12 |
Information system operation manuals | CP-12 |
Information system transaction recovery records | CP-10 (2) |
Location(s) of redundant secondary backup system(s) | CP-9 (6) CP-10 |
Logical access authorization records | CP-10 (6) |
Logical access credentials | CP-10 (6) |
Logs or records of deletion or destruction of backup information | CP-9 (7) |
Mitigation actions for accessibility problems to alternate storage site | CP-6 (3) |
Organizational risk assessments | CP-6 (3) |
Physical access authorization records | CP-10 (6) |
Physical access credentials | CP-10 (6) |
Primary and alternate telecommunications service agreements | CP-8 CP-8 (1) CP-8 (2) CP-8 (3) CP-8 (4) |
Primary processing site agreements | CP-2 (5) CP-7 CP-7 (1) CP-7 (2) |
Primary storage site agreements | CP-2 (5) CP-6 CP-6 (1) |
Primary telecommunications service provider site | CP-8 (3) |
Redundant secondary system for information system backups | CP-9 (6) |
Redundant secondary system for information system backups | CP-10 |
Service level agreements | CP-2 (7) CP-4 (2) CP-7 CP-7 (3) |
Spare equipment and supplies inventory at alternate processing site | CP-7 |
System generated list of dual authorization credentials or rules | CP-9 (7) |
Telecommunications Service Priority documentation | CP-8 (1) |
Contingency Planning Related Lists
These are the Contingency Planning (CP) related lists you may need to support your security program. For the lists applicable to your systems and information supply chain, you should know the source of the list and the data it contains; how the lists are generated, where they are stored, and how they are maintained; and how to get them when you have an incident, an incident investigation, or an audit.
LIST | APPLICABLE CONTROL(S) |
List of alternative communications protocols supporting continuity of operations | CP-11 |
List of potential accessibility problems to alternate storage site | CP-6 (3) |