SlideShare a Scribd company logo

NIST SP 800-34 Guide for IT Contingency Planning

S
SuriaRao2

NIST SP 800-34, Revision 1 updates the guidance for contingency planning for federal information systems. The revision: - Aligns with NIST SP 800-53 and incorporates contingency planning into the Risk Management Framework. - Provides more templates and guidance for developing system-specific contingency plans tailored to impact levels. - Clarifies relationships between various continuity/contingency plans like COOP, BCP, and ISCPs. - Links testing, training, and exercise requirements more closely to NIST and FIPS standards.

Technology
1 of 23
Download to read offline
Marianne Swanson NIST SP 800-34, Revision 1 – Contingency Planning Guide for Federal Information Systems NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
1 Filename/RPS Number Table Of Contents –Introduction to NIST SP 800-34 –Summary of Changes in NIST SP 800-34 Revision 1 –NIST Future Plans –Questions
2 Filename/RPS Number Introduction to NIST SP 800-34 National Institute of Standards and Technology (NIST) is responsible for “developing standards and guidelines for providing adequate information security for all agency operations and assets”. NIST has a series of Special Publications (SP) and Federal Information Processing Standards (FIPS) that provide federal agencies with standards and guidelines for most aspects of information systems security. – NIST security Publications can be found at: http://csrc.nist.gov/publications/index.html NIST SP 800-34 – Contingency Planning Guide for Information Technology (IT) Systems -was first published in June 2002, and provides instructions, recommendations, and considerations for government IT contingency planning. Contingency Planning refers to interim measures to recover IT services following an emergency or system disruption. While designed for federal systems, NIST SP 800-34 has been used as the guideline for contingency planning throughout much of the private sector.
3 Need for the Revision to NIST SP 800-34 Aligns NIST SP 800-53 Rev. 3, contingency planning security controls (CP-family). – FIPS 199 impact levels – Annual testing for FIPS 199 low impact systems Incorporates contingency planning into the six phases of the Risk Management Framework.
4 Overall Changes to NIST SP 800-34 Filename/RPS Number Revision 1 covers three common types of platforms, making the scope more inclusive (Client/servers, Telecommunications systems, and Mainframes). There is a bigger focus on the Information System Contingency Plan (ISCP) as it relates to the differing levels of FIPS 199 impact levels. General Support Systems (GSS) and Major Applications (MA) categories have been removed. Introduces the concept of resiliency and shows how ISCP fits into an organization’s resiliency effort. Works to more clearly define the different types of plans included in resiliency, continuity and contingency planning. Throughout the guide, call out boxes clarify the specific differences and relationships between COOP and ISCP.
5 Resiliency is a concept that is gaining widespread acceptance in the continuity and contingency planning Department of Homeland Security (DHS) defines resiliency as the “ability to resist, absorb, recover from or successfully adapt to adversity or a change in conditions”. Resiliency is not a process, but rather an end-state for organizations. Resilient organizations continually work to adapt to changes and risks that can affect their ability to continue critical functions. An effective resiliency program includes risk management, contingency and continuity planning, and other security and emergency management activities. Filename/RPS Number The Goal of A Resilient Organization Continue Mission Essential Functions at All Times During Any Type of Disruption
6 NIST SP 800-34 Revision 1 provides more clarity to the role and function of various contingency and continuity plans Plan Purpose Scope Plan Relationship Business Continuity Plan (BCP) Provides procedures for sustaining business operations while recovering from a significant disruption. Addresses business processes at a lower or expanded level from COOP mission essential functions Mission/business process focused plan that may be activated in coordination with a COOP plan to sustain non- mission essential functions . Continuity of Operations (COOP) Plan Provides procedures and guidance to sustain an organization’s mission essential functions at an alternate site for up to 30 days; mandated by federal directives. Addresses the mission essential functions; facility- based plan; information systems are addressed based only on their support to the mission essential functions. Mission essential function focused plan that may also activate several business unit- level BCPs, ISCPs, or DRPs, as appropriate. Crisis Communications Plan Provides procedures for disseminating internal and external communications; means to provide critical status information and control rumors. Addresses communications with personnel and the public; not information system focused. Incident-based plan often activated with a COOP or BCP, but may be used alone during a public exposure event. Critical Infrastructure Protection (CIP) Plan Provides policies and procedures for protection of national critical infrastructure components, as defined in the National Infrastructure Protection Plan. Addresses critical infrastructure components that are supported or operated by an agency or organization. Risk management plan that supports COOP plans for organizations with CI/KR assets. Filename/RPS Number
7 NIST SP 800-34 Revision 1 provides more clarity to the role and function of various contingency and continuity plans Plan Purpose Scope Plan Relationship Cyber Incident Response Plan Provides procedures for mitigating and correcting a system cyber attack, such as a virus, worm, or Trojan horse. Addresses mitigation and isolation of affected systems, cleanup, and minimizing loss of information. Information system focused plan that may activate an ISCP or DRP, depending on the extent of the attack. Disaster Recovery Plan (DRP) Provides procedures for relocating information systems operations to an alternate location. Activated after major system disruptions with long-term effects. Information system focused plan that activates one or more ISCPs for recovery of individual systems.. Information System Contingency Plan (ISCP) Provides procedures and capabilities for recovering an information system. Location-independent plan that focuses on the procedures needed to recovery a system at the current or an alternate location. Information system focused plan that may be activated independent from other plans or as part of a larger recovery effort coordinated with a DRP, COOP, and/or BCP. Occupant Emergency Plan (OEP) Provides coordinated procedures for minimizing loss of life or injury and protecting property damage in response to a physical threat. Focuses on personnel and property particular to the specific facility; not business process or information system-based. Incident-based plan that is initiated immediately after an event, preceding a COOP or DRP activation. Filename/RPS Number
8 A new graphic has been developed to better convey the relationships of the different types of plans to the organization Filename/RPS Number
9 The Business Impact Analysis (BIA) was revised to more closely tie to Federal standards and guidelines The process for the BIA has been revised to closely tie to FIPS 199 impact levels and NIST SP 800-53 Rev. 3 Contingency Planning (CP) controls. – The BIA process now takes into consideration that impact levels are determined as part of the security categorization process. – Federal Information Processing Standard (FIPS 199) - http://csrc.nist.gov/publications/fips/fips199/FIPS- PUB-199-final.pdf The term Maximum Tolerable Downtime (MTD) is defined and discussed in relation to Recovery Time Objective (RTO) and Recovery Point Objective (RPO). The BIA discussion addresses the differences between BIAs required for systems and those required by Federal Continuity Directives (FCD) -1 and 2 for Continuity of Operations (COOP) Mission Essential Functions (MEF). Filename/RPS Number
10 NIST SP 800-53 – Recommended Security Controls for Federal Information Systems and Organizations define 9 CP controls Filename/RPS Number Control No. Control Name Security Control Baselines Low Moderate High CP-1 Contingency Planning Policy and Procedures CP-1 CP-1 CP-1 CP-2 Contingency Plan CP-2 CP-2 (1) CP-2 (1) (2) (3) CP-3 Contingency Training CP-3 CP-3 CP-3 (1) CP-4 Contingency Plan Testing and Exercise CP-4 CP-4 (1) CP-4 (1) (2) (4) CP-5 Contingency Plan Update (Withdrawn) ------ ----- ------ CP-6 Alternate Storage Site Not Selected CP-6 (1) (3) CP-6 (1) (2) (3) CP-7 Alternate Processing Site Not Selected CP-7 (1) (2) (3) (5) CP-7 (1) (2) (3) (4) (5) CP-8 Telecommunications Services Not Selected CP-8 (1) (2) CP-8 (1) (2) (3) (4) CP-9 Information System Backup CP-9 CP-9 (1) CP-9 (1) (2) (3) CP-10 Information System Recovery and Reconstitution CP-10 CP-10 (2) (3) CP-10 (2) (3) (4)
11 Testing, Training and Exercises Section is also more closely linked to other federal Standards and guidelines There is more clarity when defining testing, training and exercises (TTE). References are included for NIST SP 800-84 – Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities - http://csrc.nist.gov/publications/nistpubs/800-84/SP800-84.pdf TTE is also linked to FIPS 199 impact levels. – For low-impact systems, a yearly tabletop exercise is sufficient – For moderate-impact systems, a yearly functional exercise should be conducted – For high-impact systems, a yearly full-scale functional exercise should be conducted. Sample activities are presented to assist in development of effective TTE programs for systems. Filename/RPS Number
12 TTE programs and exercise types are defined to address requirements to NIST SP 800-53 Rev. 3 security control CP-4 NIST SP 800-53 Rev. 3 Contingency Planning (CP)-4 defines requirements for contingency plan test and exercise. A Tabletop Exercise is a “Discussion-based simulation of an emergency situation in an informal, stress-free environment; designed to elicit constructive scenario- based discussions for an examination of the existing ISCP and individual state of preparedness..” A Functional Exercise is a “Simulation of a disruption with a system recovery component such as backup tape restoration or server recovery.” A Full-Scale Functional Exercise is a “Simulation prompting a full recovery and reconstitution of the information system to a known state and ensures that staff are familiar with the alternate facility. “ Filename/RPS Number
13 The flow for steps performed during a contingency event have been revised in the ISCP development The flow has switched activation and notification steps in the assumption that an ISCP would not be considered for routine downtimes, but would be used for major issues. – The original SP 800-34 had notification followed by activation – This sometimes created confusion on how to follow a plan’s notification procedures without activating the plan itself. An organization should activate an ISCP to be able to follow the procedures for notifying assessment and recovery teams. – The first step after activating an ISCP is to notify the key stakeholders and to start assessing the disruption. Escalation and notification has been added to convey the need to continually provide updates and escalation problems as necessary for resolution. – Procedures have been added to keep upper management informed of the progress of recovery efforts and to escalate the recovery as needed to more specialized or trained personnel. Filename/RPS Number
14 While overall ISCP primary sections have been reduced, several sub sections have been added to Reconstitution and Deactivation Reconstitution and Deactivation are now a single primary section. Reconstitution has been reworked to include data validation and functionality testing, a declaration of the end of recovery efforts, and more details regarding deactivation. – Declaration of the end of recovery efforts is a key addition to the process. This step defines the return of the system to operational status, and stops the recovery effort clock, to determine if the RTO and RPO objectives have been met during the incident. – More work is required to have the organization ready for the next event. Deactivation now includes: Notification of the end of recovery and return to operations, cleanup of recovery documentation, returning backup data to offsite storage, performing a baseline data backup, and documenting the event, lessons learned, and updating the ISCP. – Deactivation of the ISCP after a contingency event and plan activation may take several days, weeks, or months to complete. The intent is to provide defined processes for an organization to ready itself and improve the ISCP. Filename/RPS Number
15 The Technical Considerations section has been updated to better reflect current trends and standards in common platforms Technical Considerations (Section 5) have been simplified to emphasize options for contingency planning for different types of platforms, rather than technologies, and with less emphasis in explaining the different types. – Section 5 now focus on three common platform types: Client/servers, Telecommunications systems, and Mainframes. – The old categories, including desktop computers, servers, web sites, local area networks, wide area networks and distributed systems have been consolidated into the three defined platform types. Older technologies and terminologies (Zip drives, 3.5” floppies, etc.) have been removed and more generic technologies incorporated to reduce obsolescence. Cloud computing is not included, as the technology is still emerging and not yet stabilized. Contingency Considerations and Contingency Solutions for each type of system are still included in the Technical Considerations. Filename/RPS Number
16 Appendices to NIST SP 800-34 have been expanded and include more ISCP templates There are now 3 templates, 1 each for low, moderate and high FIPS 199 impact levels. The templates also provide more instruction and explanation for filling out separate sections. The templates also include ISCP appendices appropriate to the system’s impact level that can provide complementary information to assist in recovery efforts. The sections in the templates have been rearranged to keep the main body of the ISCP focused on the steps required for recovery, with supplemental and supporting information put into ISCP Appendices. Templates now include suggested ISCP appendices. Filename/RPS Number
17 The appendices have been sorted to provide the more critical information needed up front, and background and supplemental information toward the back The Appendices are suggestions, and a planner may use none, some or all of them. Filename/RPS Number Suggested Appendices Appendix A – Personnel Contact List Appendix B – Vendor Contact List Appendix C – Detailed Recovery Procedures Appendix D – Alternate Processing Procedures Appendix E – System Validation Test Plan Appendix F – Alternate Storage, Site and Telecommunications* Appendix G – Diagrams (System and Input/Output) Appendix H - System Inventory Appendix I – Interconnections Table Appendix J – Test and Maintenance Schedule Appendix K – Associated Plans and Procedures Appendix L – Business Impact Analysis Appendix M – Document Change Page * Note that Appendix F is only required for Moderate and High impact systems, and is not included in the Low Impact template
18 Appendices within NIST SP 800-34 have been expanded and changed in Revision 1 An updated Business Impact Analysis template is provided in Appendix B. Appendix C is the Frequently Asked Questions section. Personnel Considerations in Continuity Planning (Appendix D) now includes the use of social networking as part of communications with personnel. – Since social networking is an evolving concept, guidance is geared more towards why to use it and what to be aware of rather than what tools to use. Appendix E has been added to provide the contingency planning (CP) controls from NIST SP 800-53, Rev. 3. Filename/RPS Number
19 The System Development Lifecycle (SDLC) has been moved from the main body of the guide to Appendix F SDLC steps are tied to SP 800-53 CP controls and FIPS 199 impact levels to clarify when to get contingency planning included in an SDLC effort. Very little in the SDLC has changed, other than tying CP controls into the process. This revision better integrates the three major areas of consideration (contingency planning, SDLC and controls). Filename/RPS Number
20 Conclusions NIST SP 800-34 Rev.1 is the first major update to a contingency planning guideline that is being used by all federal agencies, as well as many state and local agencies. The guide is also commonly used for contingency plan development within the private sector, and is the most downloaded NIST standard in their library. Revision 1 focuses more on systems recovery, and incorporates guidance and requirements from NIST SP 800-53, FIPS 199, and FCD-1 and 2. The flow for recovery has been redefined and expanded to provide guidance in all aspects of recovery after a disaster or contingency event. New templates have been provided, with more instruction and detail for the contingency planner to better develop effective ISCPs. Filename/RPS Number
21 Future NIST Activities NIST SP 800-39, Enterprise-wide Risk Management: Organization, Mission, and Information Systems View – Public Draft: June 2010 NIST SP 800-30 Rev. 1, Guide for Conducting Risk Assessments – Public Draft: July 2010 NIST SP 800-53-A Rev.3, Guide for Assessing the Security Controls in Federal Information Systems and Organizations – Public Draft: June 2010 NIST SP 800-18 Rev.2, Guide for Developing Security Plans for Federal Information Systems and Organizations – Public Draft: October 2010 Questions?
22 For more information, Filename/RPS Number Marianne Swanson – Senior Advisor for Information System Security, National Institute of Standards and Technology – Address: 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20899-8930 – Work Phone: (301) 975-3293 – Email: marianne.swanson@nist.gov

Recommended

5757912.ppt
5757912.ppt5757912.ppt
5757912.pptMuhammad Mazhar
 
Ise viii-information and network security [10 is835]-solution
Ise viii-information and network security [10 is835]-solutionIse viii-information and network security [10 is835]-solution
Ise viii-information and network security [10 is835]-solutionVivek Maurya
 
PSY 636 Short Paper Guidelines and Rubric Assignment instructi.docx
PSY 636 Short Paper Guidelines and Rubric Assignment instructi.docxPSY 636 Short Paper Guidelines and Rubric Assignment instructi.docx
PSY 636 Short Paper Guidelines and Rubric Assignment instructi.docxpotmanandrea
 
NIST.SP.800-37r2.pdf
NIST.SP.800-37r2.pdfNIST.SP.800-37r2.pdf
NIST.SP.800-37r2.pdf>hey> whee hey
 
Nist.sp.800 37r2
Nist.sp.800 37r2Nist.sp.800 37r2
Nist.sp.800 37r2newbie2019
 
NIST Framework for Information System
NIST Framework for Information SystemNIST Framework for Information System
NIST Framework for Information Systemnewbie2019
 
Implementation of NIST guidelines for the CISO / ISO / Privacy Officer
Implementation of NIST guidelines for the CISO / ISO / Privacy OfficerImplementation of NIST guidelines for the CISO / ISO / Privacy Officer
Implementation of NIST guidelines for the CISO / ISO / Privacy OfficerDavid Sweigert
 
The IT Analysis Paralysis
The IT Analysis Paralysis The IT Analysis Paralysis
The IT Analysis Paralysis PYA, P.C.
 

Recommended

5757912.ppt
5757912.ppt5757912.ppt
5757912.pptMuhammad Mazhar
 
Ise viii-information and network security [10 is835]-solution
Ise viii-information and network security [10 is835]-solutionIse viii-information and network security [10 is835]-solution
Ise viii-information and network security [10 is835]-solutionVivek Maurya
 
PSY 636 Short Paper Guidelines and Rubric Assignment instructi.docx
PSY 636 Short Paper Guidelines and Rubric Assignment instructi.docxPSY 636 Short Paper Guidelines and Rubric Assignment instructi.docx
PSY 636 Short Paper Guidelines and Rubric Assignment instructi.docxpotmanandrea
 
NIST.SP.800-37r2.pdf
NIST.SP.800-37r2.pdfNIST.SP.800-37r2.pdf
NIST.SP.800-37r2.pdf>hey> whee hey
 
Nist.sp.800 37r2
Nist.sp.800 37r2Nist.sp.800 37r2
Nist.sp.800 37r2newbie2019
 
NIST Framework for Information System
NIST Framework for Information SystemNIST Framework for Information System
NIST Framework for Information Systemnewbie2019
 
Implementation of NIST guidelines for the CISO / ISO / Privacy Officer
Implementation of NIST guidelines for the CISO / ISO / Privacy OfficerImplementation of NIST guidelines for the CISO / ISO / Privacy Officer
Implementation of NIST guidelines for the CISO / ISO / Privacy OfficerDavid Sweigert
 
The IT Analysis Paralysis
The IT Analysis Paralysis The IT Analysis Paralysis
The IT Analysis Paralysis PYA, P.C.
 
NIST presentation on RMF 2.0 / SP 800-37 rev. 2
NIST presentation on RMF 2.0 / SP 800-37 rev. 2NIST presentation on RMF 2.0 / SP 800-37 rev. 2
NIST presentation on RMF 2.0 / SP 800-37 rev. 2NetLockSmith
 
Risk Based Approach To Recovery And Continuity Management John P Morency
Risk Based Approach To Recovery And Continuity Management John P MorencyRisk Based Approach To Recovery And Continuity Management John P Morency
Risk Based Approach To Recovery And Continuity Management John P Morencyjmorency1952
 
Understanding the NIST Risk Management Framework: 800-37 Rev. 2
Understanding the NIST Risk Management Framework: 800-37 Rev. 2Understanding the NIST Risk Management Framework: 800-37 Rev. 2
Understanding the NIST Risk Management Framework: 800-37 Rev. 2Denise Tawwab
 
NIST CSD Cybersecurity Publications 20160417
NIST CSD Cybersecurity Publications 20160417NIST CSD Cybersecurity Publications 20160417
NIST CSD Cybersecurity Publications 20160417James W. De Rienzo
 
How to write an IT security policy guide - Tareq Hanaysha
How to write an IT security policy guide - Tareq HanayshaHow to write an IT security policy guide - Tareq Hanaysha
How to write an IT security policy guide - Tareq HanayshaHanaysha
 
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREA...
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREA...FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREA...
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREA...Power System Operation
 
nist_vs_icd
nist_vs_icdnist_vs_icd
nist_vs_icdShashi Dabir
 
Multi agents system service based platform in telecommunication security inci...
Multi agents system service based platform in telecommunication security inci...Multi agents system service based platform in telecommunication security inci...
Multi agents system service based platform in telecommunication security inci...Luxembourg Institute of Science and Technology
 
NIST to CSF to ISO or EC 27002 2022 with NIST
NIST to CSF to ISO or EC 27002 2022 with NISTNIST to CSF to ISO or EC 27002 2022 with NIST
NIST to CSF to ISO or EC 27002 2022 with NISTebonyman0007
 
Contractor Responsibilities under the Federal Information Security Management...
Contractor Responsibilities under the Federal Information Security Management...Contractor Responsibilities under the Federal Information Security Management...
Contractor Responsibilities under the Federal Information Security Management...padler01
 
Disaster Recovery Policy .docx
Disaster Recovery Policy .docxDisaster Recovery Policy .docx
Disaster Recovery Policy .docxCharliePhan
 
HCS 533 Education Organization - snaptutorial.com
HCS 533 Education Organization - snaptutorial.comHCS 533 Education Organization - snaptutorial.com
HCS 533 Education Organization - snaptutorial.comdonaldzs196
 
800-37.pptx
800-37.pptx800-37.pptx
800-37.pptxAvniJain836319
 
Disaster recovery & business continuity
Disaster recovery & business continuityDisaster recovery & business continuity
Disaster recovery & business continuityDhani Ahmad
 
You have been hired as a consultant to design BCP for SanGrafix, a v.docx
You have been hired as a consultant to design BCP for SanGrafix, a v.docxYou have been hired as a consultant to design BCP for SanGrafix, a v.docx
You have been hired as a consultant to design BCP for SanGrafix, a v.docxshantayjewison
 
NIST Special Publication 800-37 Revision 2 Ris.docx
NIST Special Publication 800-37 Revision 2 Ris.docx NIST Special Publication 800-37 Revision 2 Ris.docx
NIST Special Publication 800-37 Revision 2 Ris.docxrobert345678
 
Integrating disaster recovery metrics into the NIST EO 13636 Cybersecurity Fr...
Integrating disaster recovery metrics into the NIST EO 13636 Cybersecurity Fr...Integrating disaster recovery metrics into the NIST EO 13636 Cybersecurity Fr...
Integrating disaster recovery metrics into the NIST EO 13636 Cybersecurity Fr...David Sweigert
 
White Paper Aaci Data Center Physical Security Mc Donald
White Paper Aaci Data Center Physical Security Mc DonaldWhite Paper Aaci Data Center Physical Security Mc Donald
White Paper Aaci Data Center Physical Security Mc DonaldJames McDonald
 
Hcs 533 Enhance teaching-snaptutorial.com
Hcs 533 Enhance teaching-snaptutorial.comHcs 533 Enhance teaching-snaptutorial.com
Hcs 533 Enhance teaching-snaptutorial.comrobertleew21
 
NOTE This sample template is provided to address NIST SP 800-53 s.docx
NOTE This sample template is provided to address NIST SP 800-53 s.docxNOTE This sample template is provided to address NIST SP 800-53 s.docx
NOTE This sample template is provided to address NIST SP 800-53 s.docxvannagoforth
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 

More Related Content

Similar to NIST SP 800-34 Guide for IT Contingency Planning

NIST presentation on RMF 2.0 / SP 800-37 rev. 2
NIST presentation on RMF 2.0 / SP 800-37 rev. 2NIST presentation on RMF 2.0 / SP 800-37 rev. 2
NIST presentation on RMF 2.0 / SP 800-37 rev. 2NetLockSmith
 
Risk Based Approach To Recovery And Continuity Management John P Morency
Risk Based Approach To Recovery And Continuity Management John P MorencyRisk Based Approach To Recovery And Continuity Management John P Morency
Risk Based Approach To Recovery And Continuity Management John P Morencyjmorency1952
 
Understanding the NIST Risk Management Framework: 800-37 Rev. 2
Understanding the NIST Risk Management Framework: 800-37 Rev. 2Understanding the NIST Risk Management Framework: 800-37 Rev. 2
Understanding the NIST Risk Management Framework: 800-37 Rev. 2Denise Tawwab
 
NIST CSD Cybersecurity Publications 20160417
NIST CSD Cybersecurity Publications 20160417NIST CSD Cybersecurity Publications 20160417
NIST CSD Cybersecurity Publications 20160417James W. De Rienzo
 
How to write an IT security policy guide - Tareq Hanaysha
How to write an IT security policy guide - Tareq HanayshaHow to write an IT security policy guide - Tareq Hanaysha
How to write an IT security policy guide - Tareq HanayshaHanaysha
 
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREA...
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREA...FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREA...
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREA...Power System Operation
 
NIST to CSF to ISO or EC 27002 2022 with NIST
NIST to CSF to ISO or EC 27002 2022 with NISTNIST to CSF to ISO or EC 27002 2022 with NIST
NIST to CSF to ISO or EC 27002 2022 with NISTebonyman0007
 
Contractor Responsibilities under the Federal Information Security Management...
Contractor Responsibilities under the Federal Information Security Management...Contractor Responsibilities under the Federal Information Security Management...
Contractor Responsibilities under the Federal Information Security Management...padler01
 
Disaster Recovery Policy .docx
Disaster Recovery Policy .docxDisaster Recovery Policy .docx
Disaster Recovery Policy .docxCharliePhan
 
HCS 533 Education Organization - snaptutorial.com
HCS 533 Education Organization - snaptutorial.comHCS 533 Education Organization - snaptutorial.com
HCS 533 Education Organization - snaptutorial.comdonaldzs196
 
Disaster recovery & business continuity
Disaster recovery & business continuityDisaster recovery & business continuity
Disaster recovery & business continuityDhani Ahmad
 
You have been hired as a consultant to design BCP for SanGrafix, a v.docx
You have been hired as a consultant to design BCP for SanGrafix, a v.docxYou have been hired as a consultant to design BCP for SanGrafix, a v.docx
You have been hired as a consultant to design BCP for SanGrafix, a v.docxshantayjewison
 
NIST Special Publication 800-37 Revision 2 Ris.docx
NIST Special Publication 800-37 Revision 2 Ris.docx NIST Special Publication 800-37 Revision 2 Ris.docx
NIST Special Publication 800-37 Revision 2 Ris.docxrobert345678
 
Integrating disaster recovery metrics into the NIST EO 13636 Cybersecurity Fr...
Integrating disaster recovery metrics into the NIST EO 13636 Cybersecurity Fr...Integrating disaster recovery metrics into the NIST EO 13636 Cybersecurity Fr...
Integrating disaster recovery metrics into the NIST EO 13636 Cybersecurity Fr...David Sweigert
 
White Paper Aaci Data Center Physical Security Mc Donald
White Paper Aaci Data Center Physical Security Mc DonaldWhite Paper Aaci Data Center Physical Security Mc Donald
White Paper Aaci Data Center Physical Security Mc DonaldJames McDonald
 
Hcs 533 Enhance teaching-snaptutorial.com
Hcs 533 Enhance teaching-snaptutorial.comHcs 533 Enhance teaching-snaptutorial.com
Hcs 533 Enhance teaching-snaptutorial.comrobertleew21
 
NOTE This sample template is provided to address NIST SP 800-53 s.docx
NOTE This sample template is provided to address NIST SP 800-53 s.docxNOTE This sample template is provided to address NIST SP 800-53 s.docx
NOTE This sample template is provided to address NIST SP 800-53 s.docxvannagoforth
 

Similar to NIST SP 800-34 Guide for IT Contingency Planning (20)

NIST presentation on RMF 2.0 / SP 800-37 rev. 2
NIST presentation on RMF 2.0 / SP 800-37 rev. 2NIST presentation on RMF 2.0 / SP 800-37 rev. 2
NIST presentation on RMF 2.0 / SP 800-37 rev. 2
 
Risk Based Approach To Recovery And Continuity Management John P Morency
Risk Based Approach To Recovery And Continuity Management John P MorencyRisk Based Approach To Recovery And Continuity Management John P Morency
Risk Based Approach To Recovery And Continuity Management John P Morency
 
Understanding the NIST Risk Management Framework: 800-37 Rev. 2
Understanding the NIST Risk Management Framework: 800-37 Rev. 2Understanding the NIST Risk Management Framework: 800-37 Rev. 2
Understanding the NIST Risk Management Framework: 800-37 Rev. 2
 
NIST CSD Cybersecurity Publications 20160417
NIST CSD Cybersecurity Publications 20160417NIST CSD Cybersecurity Publications 20160417
NIST CSD Cybersecurity Publications 20160417
 
How to write an IT security policy guide - Tareq Hanaysha
How to write an IT security policy guide - Tareq HanayshaHow to write an IT security policy guide - Tareq Hanaysha
How to write an IT security policy guide - Tareq Hanaysha
 
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREA...
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREA...FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREA...
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREA...
 
nist_vs_icd
nist_vs_icdnist_vs_icd
nist_vs_icd
 
Multi agents system service based platform in telecommunication security inci...
Multi agents system service based platform in telecommunication security inci...Multi agents system service based platform in telecommunication security inci...
Multi agents system service based platform in telecommunication security inci...
 
NIST to CSF to ISO or EC 27002 2022 with NIST
NIST to CSF to ISO or EC 27002 2022 with NISTNIST to CSF to ISO or EC 27002 2022 with NIST
NIST to CSF to ISO or EC 27002 2022 with NIST
 
Contractor Responsibilities under the Federal Information Security Management...
Contractor Responsibilities under the Federal Information Security Management...Contractor Responsibilities under the Federal Information Security Management...
Contractor Responsibilities under the Federal Information Security Management...
 
Disaster Recovery Policy .docx
Disaster Recovery Policy .docxDisaster Recovery Policy .docx
Disaster Recovery Policy .docx
 
HCS 533 Education Organization - snaptutorial.com
HCS 533 Education Organization - snaptutorial.comHCS 533 Education Organization - snaptutorial.com
HCS 533 Education Organization - snaptutorial.com
 
800-37.pptx
800-37.pptx800-37.pptx
800-37.pptx
 
Disaster recovery & business continuity
Disaster recovery & business continuityDisaster recovery & business continuity
Disaster recovery & business continuity
 
You have been hired as a consultant to design BCP for SanGrafix, a v.docx
You have been hired as a consultant to design BCP for SanGrafix, a v.docxYou have been hired as a consultant to design BCP for SanGrafix, a v.docx
You have been hired as a consultant to design BCP for SanGrafix, a v.docx
 
NIST Special Publication 800-37 Revision 2 Ris.docx
NIST Special Publication 800-37 Revision 2 Ris.docx NIST Special Publication 800-37 Revision 2 Ris.docx
NIST Special Publication 800-37 Revision 2 Ris.docx
 
Integrating disaster recovery metrics into the NIST EO 13636 Cybersecurity Fr...
Integrating disaster recovery metrics into the NIST EO 13636 Cybersecurity Fr...Integrating disaster recovery metrics into the NIST EO 13636 Cybersecurity Fr...
Integrating disaster recovery metrics into the NIST EO 13636 Cybersecurity Fr...
 
White Paper Aaci Data Center Physical Security Mc Donald
White Paper Aaci Data Center Physical Security Mc DonaldWhite Paper Aaci Data Center Physical Security Mc Donald
White Paper Aaci Data Center Physical Security Mc Donald
 
Hcs 533 Enhance teaching-snaptutorial.com
Hcs 533 Enhance teaching-snaptutorial.comHcs 533 Enhance teaching-snaptutorial.com
Hcs 533 Enhance teaching-snaptutorial.com
 
NOTE This sample template is provided to address NIST SP 800-53 s.docx
NOTE This sample template is provided to address NIST SP 800-53 s.docxNOTE This sample template is provided to address NIST SP 800-53 s.docx
NOTE This sample template is provided to address NIST SP 800-53 s.docx
 

Recently uploaded

Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfngoud9212
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 

Recently uploaded (20)

Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdf
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 

NIST SP 800-34 Guide for IT Contingency Planning

  • 1. Marianne Swanson NIST SP 800-34, Revision 1 – Contingency Planning Guide for Federal Information Systems NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
  • 2. 1 Filename/RPS Number Table Of Contents –Introduction to NIST SP 800-34 –Summary of Changes in NIST SP 800-34 Revision 1 –NIST Future Plans –Questions
  • 3. 2 Filename/RPS Number Introduction to NIST SP 800-34 National Institute of Standards and Technology (NIST) is responsible for “developing standards and guidelines for providing adequate information security for all agency operations and assets”. NIST has a series of Special Publications (SP) and Federal Information Processing Standards (FIPS) that provide federal agencies with standards and guidelines for most aspects of information systems security. – NIST security Publications can be found at: http://csrc.nist.gov/publications/index.html NIST SP 800-34 – Contingency Planning Guide for Information Technology (IT) Systems -was first published in June 2002, and provides instructions, recommendations, and considerations for government IT contingency planning. Contingency Planning refers to interim measures to recover IT services following an emergency or system disruption. While designed for federal systems, NIST SP 800-34 has been used as the guideline for contingency planning throughout much of the private sector.
  • 4. 3 Need for the Revision to NIST SP 800-34 Aligns NIST SP 800-53 Rev. 3, contingency planning security controls (CP-family). – FIPS 199 impact levels – Annual testing for FIPS 199 low impact systems Incorporates contingency planning into the six phases of the Risk Management Framework.
  • 5. 4 Overall Changes to NIST SP 800-34 Filename/RPS Number Revision 1 covers three common types of platforms, making the scope more inclusive (Client/servers, Telecommunications systems, and Mainframes). There is a bigger focus on the Information System Contingency Plan (ISCP) as it relates to the differing levels of FIPS 199 impact levels. General Support Systems (GSS) and Major Applications (MA) categories have been removed. Introduces the concept of resiliency and shows how ISCP fits into an organization’s resiliency effort. Works to more clearly define the different types of plans included in resiliency, continuity and contingency planning. Throughout the guide, call out boxes clarify the specific differences and relationships between COOP and ISCP.
  • 6. 5 Resiliency is a concept that is gaining widespread acceptance in the continuity and contingency planning Department of Homeland Security (DHS) defines resiliency as the “ability to resist, absorb, recover from or successfully adapt to adversity or a change in conditions”. Resiliency is not a process, but rather an end-state for organizations. Resilient organizations continually work to adapt to changes and risks that can affect their ability to continue critical functions. An effective resiliency program includes risk management, contingency and continuity planning, and other security and emergency management activities. Filename/RPS Number The Goal of A Resilient Organization Continue Mission Essential Functions at All Times During Any Type of Disruption
  • 7. 6 NIST SP 800-34 Revision 1 provides more clarity to the role and function of various contingency and continuity plans Plan Purpose Scope Plan Relationship Business Continuity Plan (BCP) Provides procedures for sustaining business operations while recovering from a significant disruption. Addresses business processes at a lower or expanded level from COOP mission essential functions Mission/business process focused plan that may be activated in coordination with a COOP plan to sustain non- mission essential functions . Continuity of Operations (COOP) Plan Provides procedures and guidance to sustain an organization’s mission essential functions at an alternate site for up to 30 days; mandated by federal directives. Addresses the mission essential functions; facility- based plan; information systems are addressed based only on their support to the mission essential functions. Mission essential function focused plan that may also activate several business unit- level BCPs, ISCPs, or DRPs, as appropriate. Crisis Communications Plan Provides procedures for disseminating internal and external communications; means to provide critical status information and control rumors. Addresses communications with personnel and the public; not information system focused. Incident-based plan often activated with a COOP or BCP, but may be used alone during a public exposure event. Critical Infrastructure Protection (CIP) Plan Provides policies and procedures for protection of national critical infrastructure components, as defined in the National Infrastructure Protection Plan. Addresses critical infrastructure components that are supported or operated by an agency or organization. Risk management plan that supports COOP plans for organizations with CI/KR assets. Filename/RPS Number
  • 8. 7 NIST SP 800-34 Revision 1 provides more clarity to the role and function of various contingency and continuity plans Plan Purpose Scope Plan Relationship Cyber Incident Response Plan Provides procedures for mitigating and correcting a system cyber attack, such as a virus, worm, or Trojan horse. Addresses mitigation and isolation of affected systems, cleanup, and minimizing loss of information. Information system focused plan that may activate an ISCP or DRP, depending on the extent of the attack. Disaster Recovery Plan (DRP) Provides procedures for relocating information systems operations to an alternate location. Activated after major system disruptions with long-term effects. Information system focused plan that activates one or more ISCPs for recovery of individual systems.. Information System Contingency Plan (ISCP) Provides procedures and capabilities for recovering an information system. Location-independent plan that focuses on the procedures needed to recovery a system at the current or an alternate location. Information system focused plan that may be activated independent from other plans or as part of a larger recovery effort coordinated with a DRP, COOP, and/or BCP. Occupant Emergency Plan (OEP) Provides coordinated procedures for minimizing loss of life or injury and protecting property damage in response to a physical threat. Focuses on personnel and property particular to the specific facility; not business process or information system-based. Incident-based plan that is initiated immediately after an event, preceding a COOP or DRP activation. Filename/RPS Number
  • 9. 8 A new graphic has been developed to better convey the relationships of the different types of plans to the organization Filename/RPS Number
  • 10. 9 The Business Impact Analysis (BIA) was revised to more closely tie to Federal standards and guidelines The process for the BIA has been revised to closely tie to FIPS 199 impact levels and NIST SP 800-53 Rev. 3 Contingency Planning (CP) controls. – The BIA process now takes into consideration that impact levels are determined as part of the security categorization process. – Federal Information Processing Standard (FIPS 199) - http://csrc.nist.gov/publications/fips/fips199/FIPS- PUB-199-final.pdf The term Maximum Tolerable Downtime (MTD) is defined and discussed in relation to Recovery Time Objective (RTO) and Recovery Point Objective (RPO). The BIA discussion addresses the differences between BIAs required for systems and those required by Federal Continuity Directives (FCD) -1 and 2 for Continuity of Operations (COOP) Mission Essential Functions (MEF). Filename/RPS Number
  • 11. 10 NIST SP 800-53 – Recommended Security Controls for Federal Information Systems and Organizations define 9 CP controls Filename/RPS Number Control No. Control Name Security Control Baselines Low Moderate High CP-1 Contingency Planning Policy and Procedures CP-1 CP-1 CP-1 CP-2 Contingency Plan CP-2 CP-2 (1) CP-2 (1) (2) (3) CP-3 Contingency Training CP-3 CP-3 CP-3 (1) CP-4 Contingency Plan Testing and Exercise CP-4 CP-4 (1) CP-4 (1) (2) (4) CP-5 Contingency Plan Update (Withdrawn) ------ ----- ------ CP-6 Alternate Storage Site Not Selected CP-6 (1) (3) CP-6 (1) (2) (3) CP-7 Alternate Processing Site Not Selected CP-7 (1) (2) (3) (5) CP-7 (1) (2) (3) (4) (5) CP-8 Telecommunications Services Not Selected CP-8 (1) (2) CP-8 (1) (2) (3) (4) CP-9 Information System Backup CP-9 CP-9 (1) CP-9 (1) (2) (3) CP-10 Information System Recovery and Reconstitution CP-10 CP-10 (2) (3) CP-10 (2) (3) (4)
  • 12. 11 Testing, Training and Exercises Section is also more closely linked to other federal Standards and guidelines There is more clarity when defining testing, training and exercises (TTE). References are included for NIST SP 800-84 – Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities - http://csrc.nist.gov/publications/nistpubs/800-84/SP800-84.pdf TTE is also linked to FIPS 199 impact levels. – For low-impact systems, a yearly tabletop exercise is sufficient – For moderate-impact systems, a yearly functional exercise should be conducted – For high-impact systems, a yearly full-scale functional exercise should be conducted. Sample activities are presented to assist in development of effective TTE programs for systems. Filename/RPS Number
  • 13. 12 TTE programs and exercise types are defined to address requirements to NIST SP 800-53 Rev. 3 security control CP-4 NIST SP 800-53 Rev. 3 Contingency Planning (CP)-4 defines requirements for contingency plan test and exercise. A Tabletop Exercise is a “Discussion-based simulation of an emergency situation in an informal, stress-free environment; designed to elicit constructive scenario- based discussions for an examination of the existing ISCP and individual state of preparedness..” A Functional Exercise is a “Simulation of a disruption with a system recovery component such as backup tape restoration or server recovery.” A Full-Scale Functional Exercise is a “Simulation prompting a full recovery and reconstitution of the information system to a known state and ensures that staff are familiar with the alternate facility. “ Filename/RPS Number
  • 14. 13 The flow for steps performed during a contingency event have been revised in the ISCP development The flow has switched activation and notification steps in the assumption that an ISCP would not be considered for routine downtimes, but would be used for major issues. – The original SP 800-34 had notification followed by activation – This sometimes created confusion on how to follow a plan’s notification procedures without activating the plan itself. An organization should activate an ISCP to be able to follow the procedures for notifying assessment and recovery teams. – The first step after activating an ISCP is to notify the key stakeholders and to start assessing the disruption. Escalation and notification has been added to convey the need to continually provide updates and escalation problems as necessary for resolution. – Procedures have been added to keep upper management informed of the progress of recovery efforts and to escalate the recovery as needed to more specialized or trained personnel. Filename/RPS Number
  • 15. 14 While overall ISCP primary sections have been reduced, several sub sections have been added to Reconstitution and Deactivation Reconstitution and Deactivation are now a single primary section. Reconstitution has been reworked to include data validation and functionality testing, a declaration of the end of recovery efforts, and more details regarding deactivation. – Declaration of the end of recovery efforts is a key addition to the process. This step defines the return of the system to operational status, and stops the recovery effort clock, to determine if the RTO and RPO objectives have been met during the incident. – More work is required to have the organization ready for the next event. Deactivation now includes: Notification of the end of recovery and return to operations, cleanup of recovery documentation, returning backup data to offsite storage, performing a baseline data backup, and documenting the event, lessons learned, and updating the ISCP. – Deactivation of the ISCP after a contingency event and plan activation may take several days, weeks, or months to complete. The intent is to provide defined processes for an organization to ready itself and improve the ISCP. Filename/RPS Number
  • 16. 15 The Technical Considerations section has been updated to better reflect current trends and standards in common platforms Technical Considerations (Section 5) have been simplified to emphasize options for contingency planning for different types of platforms, rather than technologies, and with less emphasis in explaining the different types. – Section 5 now focus on three common platform types: Client/servers, Telecommunications systems, and Mainframes. – The old categories, including desktop computers, servers, web sites, local area networks, wide area networks and distributed systems have been consolidated into the three defined platform types. Older technologies and terminologies (Zip drives, 3.5” floppies, etc.) have been removed and more generic technologies incorporated to reduce obsolescence. Cloud computing is not included, as the technology is still emerging and not yet stabilized. Contingency Considerations and Contingency Solutions for each type of system are still included in the Technical Considerations. Filename/RPS Number
  • 17. 16 Appendices to NIST SP 800-34 have been expanded and include more ISCP templates There are now 3 templates, 1 each for low, moderate and high FIPS 199 impact levels. The templates also provide more instruction and explanation for filling out separate sections. The templates also include ISCP appendices appropriate to the system’s impact level that can provide complementary information to assist in recovery efforts. The sections in the templates have been rearranged to keep the main body of the ISCP focused on the steps required for recovery, with supplemental and supporting information put into ISCP Appendices. Templates now include suggested ISCP appendices. Filename/RPS Number
  • 18. 17 The appendices have been sorted to provide the more critical information needed up front, and background and supplemental information toward the back The Appendices are suggestions, and a planner may use none, some or all of them. Filename/RPS Number Suggested Appendices Appendix A – Personnel Contact List Appendix B – Vendor Contact List Appendix C – Detailed Recovery Procedures Appendix D – Alternate Processing Procedures Appendix E – System Validation Test Plan Appendix F – Alternate Storage, Site and Telecommunications* Appendix G – Diagrams (System and Input/Output) Appendix H - System Inventory Appendix I – Interconnections Table Appendix J – Test and Maintenance Schedule Appendix K – Associated Plans and Procedures Appendix L – Business Impact Analysis Appendix M – Document Change Page * Note that Appendix F is only required for Moderate and High impact systems, and is not included in the Low Impact template
  • 19. 18 Appendices within NIST SP 800-34 have been expanded and changed in Revision 1 An updated Business Impact Analysis template is provided in Appendix B. Appendix C is the Frequently Asked Questions section. Personnel Considerations in Continuity Planning (Appendix D) now includes the use of social networking as part of communications with personnel. – Since social networking is an evolving concept, guidance is geared more towards why to use it and what to be aware of rather than what tools to use. Appendix E has been added to provide the contingency planning (CP) controls from NIST SP 800-53, Rev. 3. Filename/RPS Number
  • 20. 19 The System Development Lifecycle (SDLC) has been moved from the main body of the guide to Appendix F SDLC steps are tied to SP 800-53 CP controls and FIPS 199 impact levels to clarify when to get contingency planning included in an SDLC effort. Very little in the SDLC has changed, other than tying CP controls into the process. This revision better integrates the three major areas of consideration (contingency planning, SDLC and controls). Filename/RPS Number
  • 21. 20 Conclusions NIST SP 800-34 Rev.1 is the first major update to a contingency planning guideline that is being used by all federal agencies, as well as many state and local agencies. The guide is also commonly used for contingency plan development within the private sector, and is the most downloaded NIST standard in their library. Revision 1 focuses more on systems recovery, and incorporates guidance and requirements from NIST SP 800-53, FIPS 199, and FCD-1 and 2. The flow for recovery has been redefined and expanded to provide guidance in all aspects of recovery after a disaster or contingency event. New templates have been provided, with more instruction and detail for the contingency planner to better develop effective ISCPs. Filename/RPS Number
  • 22. 21 Future NIST Activities NIST SP 800-39, Enterprise-wide Risk Management: Organization, Mission, and Information Systems View – Public Draft: June 2010 NIST SP 800-30 Rev. 1, Guide for Conducting Risk Assessments – Public Draft: July 2010 NIST SP 800-53-A Rev.3, Guide for Assessing the Security Controls in Federal Information Systems and Organizations – Public Draft: June 2010 NIST SP 800-18 Rev.2, Guide for Developing Security Plans for Federal Information Systems and Organizations – Public Draft: October 2010 Questions?
  • 23. 22 For more information, Filename/RPS Number Marianne Swanson – Senior Advisor for Information System Security, National Institute of Standards and Technology – Address: 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20899-8930 – Work Phone: (301) 975-3293 – Email: marianne.swanson@nist.gov