CP-2: Contingency Plan
From NIST's SP800-53:
a. Develop a contingency plan for the system that:
   1. Identifies essential mission and business functions and associated contingency requirements;
   2. Provides recovery objectives, restoration priorities, and metrics;
   3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
   4. Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;
   5. Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented;
   6. Addresses the sharing of contingency information; and
   7. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distribute copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
c. Coordinate contingency planning activities with incident handling activities;
d. Review the contingency plan for the system [Assignment: organization-defined frequency];
e. Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
f. Communicate contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
g. Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and
h. Protect the contingency plan from unauthorized disclosure and modification.
Cyber Threat Graph Context
SP800-53 Control Mapped to NIST Cyber Security Framework
Generated from NIST's SP800-53/CSF Crosswalk mappings.
Control ID | Description |
---|---|
RS.IM-1 | Response plans incorporate lessons learned |
PR.IP-7 | Protection processes are improved |
RS.RP-1 | Response plan is executed during or after an incident |
PR.IP-9 | Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed |
RS.CO-1 | Personnel know their roles and order of operations when a response is needed |
ID.BE-1 | The organization’s role in the supply chain is identified and communicated |
RS.CO-3 | Information is shared consistent with response plans |
DE.AE-4 | Impact of events is determined |
RC.IM-2 | Recovery strategies are updated |
RS.AN-4 | Incidents are categorized consistent with response plans |
RC.CO-3 | Recovery activities are communicated to internal and external stakeholders as well as executive and management teams |
RC.IM-1 | Recovery plans incorporate lessons learned |
ID.BE-5 | Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations) |
RS.AN-2 | The impact of the incident is understood |
ID.SC-5 | Response and recovery planning and testing are conducted with suppliers and third-party providers |
ID.AM-5 | Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value |
PR.DS-4 | Adequate capacity to ensure availability is maintained |
ID.AM-6 | Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established |
RS.IM-2 | Response strategies are updated |
RS.CO-4 | Coordination with stakeholders occurs consistent with response plans |
MITRE ATT&CK Techniques
See which MITRE ATT&CK techniques this control helps to protect against.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1561 | Disk Wipe | Impact |
T1561.001 | Disk Content Wipe | Impact |
T1486 | Data Encrypted for Impact | Impact |
T1490 | Inhibit System Recovery | Impact |
T1491.001 | Internal Defacement | Impact |
T1485 | Data Destruction | Impact |
T1561.002 | Disk Structure Wipe | Impact |
T1491.002 | External Defacement | Impact |
T1491 | Defacement | Impact |