Contingency Planning Deep Dive
Deep Dive into Changes to the Contingency Planning Family in FedRAMP Revision 5
The FedRAMP Program Management Office (PMO) has released new proposed baselines based on NIST Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations, Revision 5, (NIST SP 800-53 Rev5). Here we will take a closer look at the changes to the Contingency Planning control family that the new baselines bring.
Considerable Changes to the Low, Moderate, and High baselines include:
- Policies and procedures will now need to be designated as either organizational, mission or business process, or system-level
- A requirement to designate a specific official to manage the development, documentation, dissemination of policies and procedures
- A requirement to update policies and procedures after specified events
- A complete rewrite of the CP-2 control, which removed parameters to define personnel reviewing and approving the Information System Contingency Plan (ISCP), parameters to define personnel the ISCP is distributed to, and parameters defining personnel that are notified of changes to the ISCP
- An inclusion of defining systems operations that process personally identifiable information
- A new requirement to review and update contingency training content and the addition of a parameter defining the frequency of reviews and updates
- A new parameter defining the system components containing backups of user-level information
- An addition of a new parameter defining recovery time and recovery point objectives
Considerable Changes to the Moderate and High baselines include:
- An addition of a parameter defining the selection of mission and business functions used to support essential missions
- An addition of a new control requiring implementation of cryptographic mechanisms used to prevent unauthorized disclosure and modification of specified backup information
Check back here for more deep dives into changes in each control family and updates on the proposed baselines from the FedRAMP PMO. Contact InfusionPoints for assistance with your FedRAMP journey. https://lz.infusionpoints.com/fedramp