NIST Special Publication 800-34 Rev. 1
Contingency Planning Guide for
Federal Information Systems
Marianne Swanson
Pauline Bowen
Amy Wohl Phillips
Dean Gallup
David Lynes
NIST Special Publication 800-34 Rev. 1
Contingency Planning Guide for
Federal Information Systems
Marianne Swanson
Pauline Bowen
Amy Wohl Phillips
Dean Gallup
David Lynes
May 2010
U.S. Department of Commerce
Gary Locke, Secretary
National Institute of Standards and Technology
Patrick D. Gallagher, Director
Certain commercial entities, equipment, or materials may be identified in this document in
order to describe an experimental procedure or concept adequately. Such identification is not
intended to imply recommendation or endorsement by the National Institute of Standards and
Technology, nor is it intended to imply that the entities, materials, or equipment are
necessarily the best available for the purpose.
There are references in this publication to documents currently under development by NIST in
accordance with responsibilities assigned to NIST under the Federal Information Security
Management Act of 2002. The methodologies in this document may be used even before the
completion of such companion documents. Thus, until such time as each document is
completed, current requirements, guidelines, and procedures (where they exist) remain
operative. For planning and transition purposes, federal agencies may wish to closely follow
the development of these new documents by NIST. Individuals are also encouraged to review
the public draft documents and offer their comments to NIST.
All NIST documents mentioned in this publication, other than the ones noted above, are
available at http://csrc.nist.gov/publications.
National Institute of Standards and Technology Special Publication 800-34
Natl. Inst. Stand. Technol. Spec. Publ. 800-34, 150 pages (May 2010)
CODEN: NSPUE2
http://csrc.nist.gov/publications
CONTINGENCY PLANNING GUIDE FOR FEDERAL INFORMATION SYSTEMS
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology
(NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation’s
measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of
concept implementations, and technical analysis to advance the development and productive use of
information technology. ITL’s responsibilities include the development of technical, physical,
administrative, and management standards and guidelines for the cost-effective security and privacy of
sensitive unclassified information in federal computer systems. This Special Publication 800-series
reports on ITL’s research, guidance, and outreach efforts in computer security and its collaborative
activities with industry, government, and academic organizations..
NIST Special Publication 800-34 Rev. 1 Contingency.docx
1. NIST Special Publication 800-34 Rev. 1
Contingency Planning Guide for
Federal Information Systems
Marianne Swanson
Pauline Bowen
Amy Wohl Phillips
Dean Gallup
David Lynes
NIST Special Publication 800-34 Rev. 1
Contingency Planning Guide for
Federal Information Systems
Marianne Swanson
Pauline Bowen
Amy Wohl Phillips
2. Dean Gallup
David Lynes
May 2010
U.S. Department of Commerce
Gary Locke, Secretary
National Institute of Standards and Technology
Patrick D. Gallagher, Director
Certain commercial entities, equipment, or materials may be
identified in this document in
order to describe an experimental procedure or concept
adequately. Such identification is not
intended to imply recommendation or endorsement by the
National Institute of Standards and
Technology, nor is it intended to imply that the entities,
materials, or equipment are
necessarily the best available for the purpose.
There are references in this publication to documents currently
under development by NIST in
accordance with responsibilities assigned to NIST under the
3. Federal Information Security
Management Act of 2002. The methodologies in this document
may be used even before the
completion of such companion documents. Thus, until such
time as each document is
completed, current requirements, guidelines, and procedures
(where they exist) remain
operative. For planning and transition purposes, federal
agencies may wish to closely follow
the development of these new documents by NIST. Individuals
are also encouraged to review
the public draft documents and offer their comments to NIST.
All NIST documents mentioned in this publication, other than
the ones noted above, are
available at http://csrc.nist.gov/publications.
National Institute of Standards and Technology Special
Publication 800-34
Natl. Inst. Stand. Technol. Spec. Publ. 800-34, 150 pages (May
2010)
CODEN: NSPUE2
http://csrc.nist.gov/publications
CONTINGENCY PLANNING GUIDE FOR FEDERAL
INFORMATION SYSTEMS
4. Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National
Institute of Standards and Technology
(NIST) promotes the U.S. economy and public welfare by
providing technical leadership for the nation’s
measurement and standards infrastructure. ITL develops tests,
test methods, reference data, proof of
concept implementations, and technical analysis to advance the
development and productive use of
information technology. ITL’s responsibilities include the
development of technical, physical,
administrative, and management standards and guidelines for
the cost-effective security and privacy of
sensitive unclassified information in federal computer systems.
This Special Publication 800-series
reports on ITL’s research, guidance, and outreach efforts in
computer security and its collaborative
activities with industry, government, and academic
organizations.
ii
CONTINGENCY PLANNING GUIDE FOR FEDERAL
INFORMATION SYSTEMS
5. Authority
This document has been developed by the National Institute of
Standards and Technology (NIST) in
furtherance of its statutory responsibilities under the Federal
Information Security Management Act
(FISMA) of 2002, Public Law 107-347.
NIST is responsible for developing standards and guidelines,
including minimum requirements, for
providing adequate information security for all agency
operations and assets, but such standards and
guidelines shall not apply to national security systems. This
guideline is consistent with the requirements
of the Office of Management and Budget (OMB) Circular A-
130, Section 8b(3), “Securing Agency
Information Systems,” as analyzed in A-130, Appendix IV:
Analysis of Key Sections. Supplemental
information is provided in A-130, Appendix III.
This guideline has been prepared for use by federal agencies. It
may be used by nongovernmental
organizations on a voluntary basis and is not subject to
copyright. Attribution would be appreciated by
NIST.
Nothing in this document should be taken to contradict
standards and guidelines made mandatory and
binding on federal agencies by the Secretary of Commerce
under statutory authority. Nor should these
guidelines be interpreted as altering or superseding the existing
authorities of the Secretary of Commerce,
Director of the OMB, or any other federal official.
6. NIST Special Publication 800-34, Revision 1, 150 pages
(May 2010)
National Institute of Standards and Technology
Attn: Computer Security Division, Information Technology
Laboratory
100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899-
8930
iii
CONTINGENCY PLANNING GUIDE FOR FEDERAL
INFORMATION SYSTEMS
Compliance with NIST Standards and Guidelines
NIST develops and issues standards, guidelines, and other
publications to assist federal agencies in
implementing the Federal Information Security Management Act
(FISMA) of 2002 and in managing cost-
effective programs to protect their information and information
systems.
• Federal Information Processing Standards (FIPS) are
developed by NIST in accordance with
FISMA. FIPS are approved by the Secretary of Commerce and
7. are compulsory and binding for
federal agencies. Since FISMA requires that federal agencies
comply with these standards,
agencies may not waive their use.
• Guidance documents and recommendations are issued in the
NIST Special Publication (SP) 800-
series. Office of Management and Budget (OMB) policies
(including OMB FISMA Reporting
Instructions for the Federal Information Security Management
Act and Agency Privacy
Management) state that, for other than national security
programs and systems, agencies must
follow NIST guidance.1
• Other security-related publications, including NIST
interagency and internal reports (NISTIRs)
and ITL Bulletins, provide technical and other information
about NIST’s activities. These
publications are mandatory only when so specified by OMB.
1 While agencies are required to follow NIST guidance in
accordance with OMB policy, there is flexibility within NIST’s
guidance in how agencies apply the guidance. Unless otherwise
specified by OMB, the 800-series guidance documents
published by NIST generally allow agencies some latitude in the
application. Consequently, the application of NIST guidance
by agencies can result in different security solutions that are
equally acceptable, compliant with the guidance, and meet the
8. OMB definition of adequate security for federal information
systems. When assessing federal agency compliance with NIST
guidance, auditors, evaluators, and assessors should consider
the intent of the security concepts and principles articulated
within the particular guidance document and how the agency
applied the guidance in the context of its specific mission
responsibilities, operational environments, and unique
organizational conditions.
iv
CONTINGENCY PLANNING GUIDE FOR FEDERAL
INFORMATION SYSTEMS
Acknowledgements
The authors, Marianne Swanson and Pauline Bowen of the
National Institute of Standards and
Technology (NIST), Amy Wohl Phillips, Dean Gallup, and
David Lynes of Booz Allen Hamilton, wish to
thank their colleagues who reviewed drafts of this document and
contributed to its technical content. The
authors would like to acknowledge Kelley Dempsey, Esther
Katzman, Peter Mell, Murugiah Souppaya,
Lee Badger, and Elizabeth Lennon of NIST, and David
Linthicum of Booz Allen Hamilton for their keen
and insightful assistance with technical issues throughout the
development of the document.
v
9. CONTINGENCY PLANNING GUIDE FOR FEDERAL
INFORMATION SYSTEMS
Table of Contents
Executive Summary
...............................................................................................
..................... 1
Chapter 1. Introduction
...............................................................................................
..... 1
1.1
Purpose...................................................................................
.................................... 1
1.2 Scope
...............................................................................................
........................... 2
1.3 Audience
...............................................................................................
...................... 3
1.4 Document Structure
...............................................................................................
..... 4
Chapter 2. Background
...............................................................................................
..... 5
2.1 Contingency Planning and Resilience
........................................................................ 5
2.2 Types of Plans
...............................................................................................
............. 7
10. 2.2.1 Business Continuity Plan (BCP)
...................................................................... 8
2.2.2 Continuity of Operations (COOP) Plan
............................................................ 8
2.2.3 Crisis Communications
Plan............................................................................ 9
2.2.4 Critical Infrastructure Protection (CIP)
Plan..................................................... 9
2.2.5 Cyber Incident Response Plan
...................................................................... 10
2.2.6 Disaster Recovery Plan (DRP)
...................................................................... 10
2.2.7 Information System Contingency Plan
(ISCP)............................................... 10
2.2.8 Occupant Emergency Plan (OEP)
................................................................. 10
Chapter 3. Information System Contingency Planning
Process................................ 13
3.1 Develop the Contingency Planning Policy Statement
............................................... 14
3.2 Conduct the Business Impact Analysis
(BIA)............................................................ 15
3.2.1 Determine Business Processes and Recovery Criticality
.............................. 16
3.2.2 Identify Resource Requirements
................................................................... 19
3.2.3 Identify System Resource Recovery Priorities
.............................................. 19
3.3 Identify Preventive Controls
...................................................................................... 19
3.4 Create Contingency Strategies
................................................................................. 20
11. 3.4.1 Backup and Recovery
................................................................................... 20
3.4.2 Backup Methods and Offsite Storage
............................................................ 21
3.4.3 Alternate Sites
...............................................................................................
21
3.4.4 Equipment Replacement
............................................................................... 24
3.4.5 Cost Considerations
...................................................................................... 25
3.4.6 Roles and Responsibilities
............................................................................ 26
3.5 Plan Testing, Training, and Exercises (TT&E)
.......................................................... 27
3.5.1
Testing....................................................................................
....................... 27
3.5.2
Training..................................................................................
........................ 28
3.5.3 Exercises
...............................................................................................
........ 29
3.5.4 TT&E Program Summary
.............................................................................. 29
3.6 Plan Maintenance
...............................................................................................
...... 31
Chapter 4. Information System Contingency Plan
Development............................... 34
4.1 Supporting
12. Information.............................................................................
................. 35
4.2 Activation and Notification Phase
............................................................................. 36
4.2.1 Activation Criteria and Procedure
.................................................................. 36
4.2.2 Notification Procedures
................................................................................. 36
4.2.3 Outage Assessment
...................................................................................... 38
4.3 Recovery
Phase......................................................................................
.................. 39
4.3.1 Sequence of Recovery Activities
................................................................... 39
vi
Mirco Escobedo
Highlight
Mirco Escobedo
Highlight
CONTINGENCY PLANNING GUIDE FOR FEDERAL
INFORMATION SYSTEMS
4.3.2 Recovery Procedures
.................................................................................... 39
4.3.3 Recovery Escalation and Notification
............................................................ 40
13. 4.4 Reconstitution Phase
...............................................................................................
. 41
4.5 Plan Appendices
...............................................................................................
........ 42
Chapter 5. Technical Contingency Planning
Considerations..................................... 43
5.1 Common Considerations
..........................................................................................
43
5.1.1 Use of the BIA
......................................................................................... ......
44
5.1.2 Maintenance of Data Security, Integrity, and
Backup.................................... 44
5.1.3 Protection of Resources
................................................................................ 46
5.1.4 Adherence to Security Controls
..................................................................... 46
5.1.5 Identification of Alternate Storage and Processing
Facilities......................... 46
5.1.6 Use of High Availability (HA)
Processes........................................................ 48
5.2 Client/Server Systems
..............................................................................................
48
5.2.1 Client/Server Systems Contingency Considerations
..................................... 49
5.2.2 Client/Server Systems Contingency
14. Solution
s .............................................. 51
5.3 Telecommunications Systems
.................................................................................. 52
5.3.1 Telecommunications Contingency
Considerations........................................ 53
5.3.2 Telecommunications Contingency