Skip to Content

Alternate Processing Site CP-7

678  Matthew Burdick September 29, 2022  Contingency Planning (CP)

Overview:
The organization:
a. Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable;
b. Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and
c. Ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site.


Supplemental Guidance:
Alternate processing sites are sites that are geographically distinct from primary processing sites. An alternate processing site provides processing capability in the event that the primary processing site is not available. Items covered by alternate processing site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination for the transfer/assignment of personnel. Requirements are specifically allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems.


Related controls: CP-2, CP-6, CP-8, CP-9, CP-10, MA-6.


Action Items:
1) Establish a an alternate processing site for operations and ensure it is secured and sufficiently separated from the primary site

 

Related Documents:
1) Contingency Plan Policy

2) Business Continuity Plans

3) Disaster Recovery Plan


Additional Guidance:
Moderate FedRAMP-Defined Assignment / Selection Parameters
none


Moderate Additional FedRAMP Requirements and Guidance
CP-7 (a) Requirement: The service provider defines a time period consistent with the recovery time objectives and business impact analysis.
Not Rated
Secure Code