- Require primary and alternate telecommunications service providers to have contingency plans;
- Review provider contingency plans to ensure that the plans meet organizational contingency requirements; and
- Obtain evidence of contingency testing and training by providers [Assignment: organization-defined frequency].
Reviews of provider contingency plans consider the proprietary nature of such plans. In some situations, a summary of provider contingency plans may be sufficient evidence for organizations to satisfy the review requirement. Telecommunications service providers may also participate in ongoing disaster recovery exercises in coordination with the Department of Homeland Security and state and local governments. Organizations may use these types of activities to satisfy evidentiary requirements related to service provider contingency plan reviews, testing, and training.