CP-4 CONTINGENCY PLAN TESTING

Page last updated:

PCF Compliance

Compliance with this requirement is the responsibility of the PCF deployer.


Control Description

The organization:

  1. Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan;
  2. Reviews the contingency plan test results; and
  3. Initiates corrective actions, if needed.

Supplemental Guidance

Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include, for example, walk-through and tabletop exercises, checklists, simulations (parallel, full interrupt), and comprehensive exercises. Organizations conduct testing based on the continuity requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals arising due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions.