NIST 800-53 REV 5 • CONTINGENCY PLANNING

CP-4(4) Full Recovery and Reconstitution

Include a full recovery and reconstitution of the system to a known state as part of contingency plan testing.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Supplemental Guidance

Recovery is executing contingency plan activities to restore organizational mission and business functions. Reconstitution takes place following recovery and includes activities for returning systems to fully operational states. Organizations establish a known state for systems that includes system state information for hardware, software programs, and data. Preserving system state information facilitates system restart and return to the operational mode of organizations with less disruption of mission and business processes.

Practitioner Notes

This enhancement requires full recovery and reconstitution testing — restoring the system completely from scratch to verify you can rebuild from bare metal if necessary.

Example 1: Annually perform a bare-metal restore of a critical server from backup to verify that your backup includes everything needed to fully rebuild the system.

Example 2: Test your infrastructure-as-code scripts (Terraform, ARM templates) by deploying a complete copy of your production environment from scratch in an isolated subscription.
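
As an added illustration (not part of NIST 800-53 or of this page's source), one way to check that a restore test returned the system to its known state is to record a file-hash manifest beforehand and compare the restored tree against it. The function names, paths and file contents are assumptions constructed for the example, and it covers file content only, not hardware or package state.

```python
import hashlib
import os
import tempfile

def build_manifest(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest

def compare_to_known_state(known, restored):
    """Return the drift between the recorded known state and the restored tree."""
    shared = known.keys() & restored.keys()
    return {
        "missing": sorted(set(known) - set(restored)),      # backup did not capture it
        "unexpected": sorted(set(restored) - set(known)),   # not part of the known state
        "modified": sorted(p for p in shared if known[p] != restored[p]),
    }

def reconstitution_passed(drift):
    """The test passes only when the restored tree matches the known state exactly."""
    return not any(drift.values())

def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed sample: a 'production' tree and an imperfect restore of it."""
    with tempfile.TemporaryDirectory() as prod, tempfile.TemporaryDirectory() as restored:
        _write(prod, "etc/app.conf", b"tls=on\n")
        _write(prod, "bin/app", b"build-2")
        _write(prod, "data/db.sqlite", b"rows")
        known = build_manifest(prod)                  # recorded before the test
        _write(restored, "etc/app.conf", b"tls=on\n")
        _write(restored, "bin/app", b"build-1")       # stale binary in the backup
        _write(restored, "tmp/restore.log", b"log")   # leftover from the restore tool
        return compare_to_known_state(known, build_manifest(restored))

if __name__ == "__main__":
    drift = demo()
    print(drift, "PASS" if reconstitution_passed(drift) else "FAIL")
```

Any non-empty category in the result is a finding for the contingency plan test report: a missing path points at a gap in backup scope, a modified path at a stale or altered backup.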