CP-8(4)

Requirement
1. Require primary and alternate telecommunications service providers to have contingency plans;
2. Review provider contingency plans to ensure that the plans meet organizational contingency requirements; and
3. Obtain evidence of contingency testing and training by providers [Assignment: organization-defined frequency].

Discussion

Reviews of provider contingency plans consider the proprietary nature of such plans. In some situations, a summary of provider contingency plans may be sufficient evidence for organizations to satisfy the review requirement. Telecommunications service providers may also participate in ongoing disaster recovery exercises in coordination with the Department of Homeland Security and state and local governments. Organizations may use these types of activities to satisfy evidentiary requirements related to service provider contingency plan reviews, testing, and training.

NIST 800-53A Assessment Guidance

Examine

[SELECT FROM: Contingency planning policy; procedures addressing primary and alternate telecommunications services; contingency plan; provider contingency plans; evidence of contingency testing/training by providers; primary and alternate telecommunications service agreements; system security plan; other relevant documents or records].

Interview

[SELECT FROM: Organizational personnel with contingency planning, plan implementation, and testing responsibilities; primary and alternate telecommunications service providers; organizational personnel with information security responsibilities; organizational personnel with responsibility for acquisitions/contractual agreements].

ID	Assessment Objectives
CP-08(04)(c)[01]	evidence of contingency testing by providers is obtained <CP-08(04)_ODP[01] frequency>.
CP-08(04)(c)[02]	evidence of contingency training by providers is obtained <CP-08(04)_ODP[02] frequency>.
CP-08(04)(a)[01]	primary telecommunications service providers are required to have contingency plans;
CP-08(04)(a)[02]	alternate telecommunications service providers are required to have contingency plans;
CP-08(04)(b)	provider contingency plans are reviewed to ensure that the plans meet organizational contingency requirements;

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!