Organizational Control: Contingency Plan Testing

Control ID: CP-4 Contingency Plan Testing Family: Contingency Planning Source: NIST 800-53r4
Control: The organization:
  1. Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan;
  2. Reviews the contingency plan test results; and
  3. Initiates corrective actions, if needed.
Supplemental Guidance:
Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include, for example, walk-through and tabletop exercises, checklists, simulations (parallel, full interrupt), and comprehensive exercises. Organizations conduct testing based on the continuity requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals arising due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions.

Related Controls: CP-2, CP-3, IR-3
Control Enhancements: N/A
References: Federal Continuity Directive 1; FIPS Publication 199; NIST Special Publications 800-34, 800-84.
Mechanisms:
Protocol Implementation Conformance Statements: N/A