>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

CP-4Contingency Plan Testing

IL4 Mod
IL4 High
IL5
IL6

>Control Description

a

Test the contingency plan for the system organization-defined frequency using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: organization-defined tests.

b

Review the contingency plan test results; and

c

Initiate corrective actions, if needed.

>DoD Impact Level Requirements

FedRAMP Parameter Values

CP-4 (a)-1 [at least annually] CP-4 (a)-2 [functional exercises]

Additional Requirements and Guidance

CP-4 (a) Requirement: The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing. CP-4 (b) Requirement: The service provider must include the Contingency Plan test results with the security package within the Contingency Plan-designated appendix (Appendix G, Contingency Plan Test Report).

>Discussion

Methods for testing contingency plans to determine the effectiveness of the plans and identify potential weaknesses include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions.

>Programmatic Queries

Beta

Related Services

AWS Elastic Disaster Recovery
AWS Fault Injection Service
AWS Resilience Hub

CLI Commands

Initiate DR failover test drill
aws drs start-recovery --source-servers '[{"sourceServerID":"SERVER_ID"}]' --is-drill true
List FIS experiment templates for chaos testing
aws fis list-experiment-templates
Start a fault injection experiment
aws fis start-experiment --experiment-template-id TEMPLATE_ID
Run Resilience Hub assessment
aws resiliencehub start-app-assessment --app-arn APP_ARN --assessment-name cp4-test --app-version release
Open AWS ConsoleDocumentation

>Related Controls

AT-3
CP-2
CP-3
CP-8
CP-9
IR-3
IR-4
PL-2
PM-14
SR-2

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of CP-4 (Contingency Plan Testing)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring CP-4?
  • How frequently is the CP-4 policy reviewed and updated, and what triggers policy changes?
  • What governance structure ensures CP-4 requirements are consistently applied across all systems?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce CP-4 requirements.
  • What automated tools, systems, or technologies are deployed to implement CP-4?
  • How is CP-4 integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce CP-4 requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of CP-4?
  • What audit logs, records, reports, or monitoring data validate CP-4 compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of CP-4 effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate CP-4 compliance?

Ask AI

Configure your API key to use AI features.