Contingency Plan

Approach basics → §4.x

Program ownership and the recovery objectives that drive everything else.

Contingency-planning program lead * Role accountable for keeping the plan current and the program operating (e.g., 'Director of IT Operations', 'Business Continuity Manager').

Recovery Time Objective (RTO) * Target time from disruption to restored operation (e.g., '4 hours', '1 business day'). Drives the alternate-site and backup strategies.

Recovery Point Objective (RPO) * Maximum acceptable data loss measured in time (e.g., '1 hour', '24 hours'). Drives the backup frequency.

Maximum Tolerable Period of Disruption (MTPD / MTD) Hard upper bound on how long the system can be down before consequences become unacceptable. Drives the alternate-processing strategy.

Mission criticality tier — Select — Mission Essential Function (MEF) Primary Mission Essential Function (PMEF) Mission Critical (Tier 1) Mission Important (Tier 2) Routine (Tier 3) How critical the system is to the mission. Federal MEF/PMEF terminology per FCD 1; lower tiers are organizational classifications.

Business Impact Analysis (BIA) → §4.x

What functions the system supports, what depends on it, and the tolerance for disruption.

Critical functions supported Mission / business functions the system supports. State which are time-critical and why.

Upstream dependencies Other systems / services this system depends on (auth, network, storage, payments, etc.). Recovery cannot complete without these. Reference SA-9 if external.

Downstream dependents Systems / services that depend on THIS system. They will also be affected by a disruption.

Impact categories evaluated

Operational disruption Financial loss Regulatory / compliance violation Reputational damage Loss of life / safety Mission failure Data loss / corruption

BIA owner role Role responsible for keeping the BIA current. Often the System Owner or Business Continuity Manager.

BIA review cadence — Select — Annually Semi-annually On material system change Annually + on material change

Alternate Storage and Processing → §4.x

Off-site storage and failover processing capabilities (CP-6, CP-7).

Alternate storage site Where backups and configuration baselines live in off-site / cross-region storage. Distance from primary, access controls.

Alternate processing site Where the system can run when the primary is unavailable. Cloud cross-region, hot/warm/cold site, mutual-aid agreement.

Alternate-site readiness — Select — Hot site (continuous standby; near-zero RTO) Warm site (provisioned but not running; minutes-to-hours RTO) Cold site (capability only; days RTO) Mutual aid agreement Cloud cross-region (active-active) Cloud cross-region (active-passive) None (single-site; document risk acceptance)

Geographic separation Distance from primary site in miles / km, or cloud-region pair (e.g., 'us-gov-west-1 → us-gov-east-1, ~2400 mi').

Site activation / access procedure How the alternate site is activated. Who authorizes? What credentials / access are pre-positioned?

System Backup Strategy → §4.x

Backup types, frequency, retention, and integrity verification (CP-9). Overlaps with the CM plan's backup_strategy group; the CP plan focuses on disaster-recovery use, the CM plan focuses on configuration restoration.

Backup types performed

Full system image File-level full backup File-level incremental File-level differential Database transaction log backups Database snapshot Configuration export (CMDB / IaC) User data backup

Backup frequency How often each backup type runs. Tied to RPO target.

Backup retention How long each backup type is retained. Often shorter for incremental, longer for full.

Offsite copy Where the offsite copy lives. Same as alternate storage site or distinct? Encryption in transit and at rest.

Integrity verification cadence How often backup integrity is verified (hash check + restore test). Separate from full restoration test.

Restoration test cadence How often a real restore is exercised end-to-end (e.g., 'Quarterly restore-from-cold to scratch environment').

Recovery Strategy → §4.x

How the system is restored from backup or alternate site (CP-10).

Recovery phases Phases per NIST SP 800-34: Activation/Notification → Recovery → Reconstitution → Plan Deactivation. Document who does what at each phase.

Recovery runbook location Where the technical step-by-step runbook lives. Should be accessible during a primary-site outage.

Recovery decision authority Role authorized to declare a contingency event and trigger recovery (e.g., 'CP Program Lead in coordination with System Owner').

Component recovery priority order Order in which components / services are restored. Database first? Auth first? Document the dependency chain.

Reconstitution validation How the recovered system is validated before returning to production (smoke tests, security scans, data-integrity checks).

Telecommunications Continuity (CP-8) → §4.x

Primary and alternate communication paths.

Primary telecommunications service Main connectivity for the system (carrier + technology, e.g., 'AT&T MPLS + fiber').

Alternate telecommunications service Diverse-path backup connectivity. Different carrier? Different technology? Different physical entry to the building?

Telecommunications Service Priority (TSP) enrollment — Select — Yes — TSP enrolled (federal priority restoration) No — not enrolled Not applicable (cloud-based system)

Diversity verification cadence How often path diversity is verified — carriers can converge to common physical paths over time without notice.

Training and Exercises (CP-3, CP-4) → §4.x

Contingency-specific training and the exercise program.

CP training audiences

CP team / responders System administrators (recovery operators) On-call engineers System Owner + leadership All system users (general awareness of safe-mode)

CP training cadence — Select — Annually Annually + on role change Quarterly tabletop bites + annual full training

Exercise types performed

Tabletop (discussion-based) Walkthrough (procedural) Functional (technical drill on test systems) Full-scale (failover to alternate site, real systems) Restore-from-backup test Joint exercise with IR team

Exercise cadence — Select — Annually (one full-scale) Semi-annually (mix) Quarterly tabletop + annual full-scale Continuous (chaos engineering / planned failover drills)

After-action / lessons-learned process How exercise findings are tracked to closure (POA&M, internal tracker), and the cadence for revalidating closure.

Safe Mode and Degraded Operations (CP-12) → §4.x

How the system continues operating in a degraded state during a disruption.

Safe-mode definition What functions remain available in safe mode? What's disabled? Read-only access only? Reduced user populations?

Safe-mode entry triggers What conditions cause the system to enter safe mode (automated or manual). Detection thresholds.

User communication during degradation How users are informed of degraded operation and remaining capabilities (status page, banner, email).

Safe-mode exit criteria Conditions for returning to full operation. Validation steps before exit.

System Criticality Overview → §2.x

High-level summary of how critical the system is to the mission.

Approximate users affected by disruption Order-of-magnitude count of users / dependent systems who would be impacted.

Revenue / mission impact per hour of disruption If quantifiable. Otherwise qualitative — 'mission-essential', 'core operations halted', etc.

Compliance impact of disruption Regulatory / contractual obligations that disruption would violate (uptime SLA, public-facing service requirement, etc.).

Contingency Metrics & KPIs → §6.x

Metrics tracked to demonstrate CP control effectiveness over time.

Tracked metrics

Add item

Suggested: + RTO actual vs target (median + worst case) + RPO actual vs target (median + worst case) + Backup-success rate (target: 99%+) + Restoration-test success rate (target: 100%) + Exercise findings closed within target + Mean time to declare contingency event + Time-since-last-restoration test (days) + Alternate-site failover-test outcomes + % recovery runbooks current within review cadence

Plan Review Cadence → §6.x

When and why the plan is revised.

Scheduled plan review cadence — Select — Annually Semi-annually Annually + after every exercise

Triggers beyond scheduled review Events that force a plan revision outside the annual schedule (real disruption, organizational restructure, major architecture change).

Plan distribution / access control Who receives the plan, and how access is controlled (the plan often contains procedural detail useful to attackers — control distribution accordingly).

Cross-references to other RMF artifacts → §7

Where this plan plugs into the broader RMF package.

SSP section reference Where in the SSP the CP control implementations are summarized (e.g., 'SSP §13.7').

POA&M ID prefix for CP findings Convention for CP-related POA&M items (e.g., 'POAM-CP-').

IR plan cross-reference How recovery from cybersecurity incidents coordinates with the IR plan's recovery phase.

CM plan backup_strategy cross-reference How CP backup activities coordinate with the CM plan's baseline-storage and integrity-protection approach.

CA-7 continuous-monitoring strategy reference Pointer to the CA-7 monitoring strategy document tying CP continuous-monitoring metrics to the broader ConMon plan.