
CP-3 Contingency Training

IL4 Mod
IL4 High
IL5
IL6

>Control Description

a. Provide contingency training to system users consistent with assigned roles and responsibilities:

    1. Within organization-defined time period of assuming a contingency role or responsibility;
    2. When required by system changes; and
    3. organization-defined frequency thereafter; and

b. Review and update contingency training content organization-defined frequency and following organization-defined events.

>DoD Impact Level Requirements

FedRAMP Parameter Values

CP-3 (a) (1) [*See Additional Requirements]
CP-3 (a) (3) [at least annually]
CP-3 (b) [at least annually]

Additional Requirements and Guidance

CP-3 (a) Requirement: Privileged admins and engineers must take the basic contingency training within 10 days. Consideration must be given for those privileged admins and engineers with critical contingency-related roles, to gain enough system context and situational awareness to understand the full impact of contingency training as it applies to their respective level. Newly hired critical contingency personnel must take this more in-depth training within 60 days of hire date when the training will have more impact.

>Discussion

Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, some individuals may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to establish systems at alternate processing and storage sites; and organizational officials may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles or responsibilities reflects the specific continuity requirements in the contingency plan.

Events that may precipitate an update to contingency training content include, but are not limited to, contingency plan testing or an actual contingency (lessons learned), assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. At the discretion of the organization, participation in a contingency plan test or exercise, including lessons learned sessions subsequent to the test or exercise, may satisfy contingency plan training requirements.

>Programmatic Queries

Beta

Related Services

AWS Resilience Hub
AWS Systems Manager Automation
AWS Elastic Disaster Recovery

CLI Commands

List Resilience Hub applications:

    aws resiliencehub list-apps

List resiliency policies for DR planning:

    aws resiliencehub list-resiliency-policies

List SSM automation runbooks for DR procedures:

    aws ssm list-documents --filters Key=DocumentType,Values=Automation Key=Owner,Values=Self

Describe DR runbook steps for training:

    aws ssm describe-document --name DOCUMENT_NAME

>Related Controls

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of CP-3 (Contingency Training)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring CP-3?
  • How frequently is the CP-3 policy reviewed and updated, and what triggers policy changes?
  • What governance structure ensures CP-3 requirements are consistently applied across all systems?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce CP-3 requirements.
  • What automated tools, systems, or technologies are deployed to implement CP-3?
  • How is CP-3 integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce CP-3 requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of CP-3?
  • What audit logs, records, reports, or monitoring data validate CP-3 compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of CP-3 effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate CP-3 compliance?
