NIST 800-53 REV 5 • CONTINGENCY PLANNING

CP-8(4) Provider Contingency Plan

(a) Require primary and alternate telecommunications service providers to have contingency plans;
(b) Review provider contingency plans to ensure that the plans meet organizational contingency requirements; and
(c) Obtain evidence of contingency testing and training by providers [Assignment: organization-defined frequency].

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Reviews of provider contingency plans consider the proprietary nature of such plans. In some situations, a summary of provider contingency plans may be sufficient evidence for organizations to satisfy the review requirement. Telecommunications service providers may also participate in ongoing disaster recovery exercises in coordination with the Department of Homeland Security and state and local governments. Organizations may use these types of activities to satisfy evidentiary requirements related to service provider contingency plan reviews, testing, and training.

Practitioner Notes

This enhancement requires your primary and alternate telecommunications providers to have their own contingency plans, because their ability to recover directly affects your ability to recover.

Example 1: Request your ISP's business continuity plan and review it to understand their recovery capabilities, redundancy, and expected restoration times during a major outage.

Example 2: Include provider contingency plan review as a criterion in your vendor risk assessment process, and re-evaluate annually during contract renewals.