NIST 800-53 REV 5 • CONTINGENCY PLANNING

CP-4 Contingency Plan Testing

Test the contingency plan for the system {{ insert: param, cp-04_odp.01 }} using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: {{ insert: param, cp-4_prm_2 }}; review the contingency plan test results; and initiate corrective actions, if needed.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Methods for testing contingency plans to determine the effectiveness of the plans and identify potential weaknesses include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions.

Practitioner Notes

You must regularly test your contingency plan to make sure it actually works. A plan that has never been tested is just a hope, not a plan.

Example 1: Conduct an annual full backup restoration test where you restore critical systems from backup media to verify the backups are complete and the procedures are accurate.

Example 2: Run a semi-annual tabletop exercise with IT leadership and key staff to walk through a disaster scenario, identify gaps in the plan, and update procedures accordingly.