CP-4 Contingency Plan Testing
Control
a. Test the contingency plan for the system [at least every 3 years] using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: [classroom exercise/table top written tests].
b. Review the contingency plan test results; and
c. Initiate corrective actions, if needed.
Discussion
Methods for testing contingency plans to determine the effectiveness of the plans and identify potential weaknesses include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions.
FedRAMP-Defined Assignment / Selection Parameters
- CP-4 (a) [at least every 3 years] - frequency of testing the contingency plan for the system is defined;
- CP-4 (a) [classroom exercise/table top written tests] -