Contingency Plan Testing CP-4
Overview:
The organization:
a. Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan;
b. Reviews the contingency plan test results; and
c. Initiates corrective actions, if needed.
Supplemental Guidance:
Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include, for example, walk-through and tabletop exercises, checklists, simulations (parallel, full interrupt), and comprehensive exercises. Organizations conduct testing based on the continuity requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals arising due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions.
Related controls: CP-2, CP-3, IR-3.
Action Items:
1) Ensure contingency plans are regularly tested
2) Analyze the test results and implement any corrective actions
Related Documents:
1) Contingency Plan Policy
Additional Guidance:
Moderate FedRAMP-Defined Assignment / Selection Parameters:
CP-4 (a)-1 [at least annually for moderate impact systems; at least every three years for low impact systems]
CP-4 (a)-2 [functional exercises for moderate impact systems; classroom exercises/tabletop written tests for low impact systems]
Moderate Additional FedRAMP Requirements and Guidance:
CP-4 (a) Requirement: The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing.