CP-3 Contingency Training
Control
a.
Provide contingency training to system users consistent with assigned roles and responsibilities:
1.
Within [*See Additional Requirements] of assuming a contingency role or responsibility;
2.
When required by system changes; and
3.
[at least annually] thereafter; and
b.
Review and update contingency training content [at least annually] and following [Assignment: organization-defined events].
(a) Requirement:
Privileged admins and engineers must take the basic contingency training within 10 days. Consideration must be given for those privileged admins and engineers with critical contingency-related roles, to gain enough system context and situational awareness to understand the full impact of contingency training as it applies to their respective level. Newly hired critical contingency personnel must take this more in-depth training within 60 days of hire date when the training will have more impact.
Discussion
Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, some individuals may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to establish systems at alternate processing and storage sites; and organizational officials may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles or responsibilities reflects the specific continuity requirements in the contingency plan. Events that may precipitate an update to contingency training content include, but are not limited to, contingency plan testing or an actual contingency (lessons learned), assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. At the discretion of the organization, participation in a contingency plan test or exercise, including lessons learned sessions subsequent to the test or exercise, may satisfy contingency plan training requirements.
FedRAMP-Defined Assignment / Selection Parameters
- CP-3 (a)(1) [\*See Additional Requirements] - the time period within which to provide contingency training after assuming a contingency role or responsibility is defined;
- CP-3 (a)(3) [at least annually] - frequency at which to provide training to system users with a contingency role or responsibility is defined;
- CP-3 (b) [at least annually] - frequency at which to review and update contingency training content is defined;