
CP-8 (04) Telecommunications Services | Provider Contingency Plan

High

Control Description

(a) Require primary and alternate telecommunications service providers to have contingency plans; (b) Review provider contingency plans to ensure that the plans meet organizational contingency requirements; and (c) Obtain evidence of contingency testing and training by providers [Assignment: organization-defined frequency].

FedRAMP Baseline Requirements

Parameter Values

Discussion

Reviews of provider contingency plans consider the proprietary nature of such plans. In some situations, a summary of provider contingency plans may be sufficient evidence for organizations to satisfy the review requirement. Telecommunications service providers may also participate in ongoing disaster recovery exercises in coordination with the Department of Homeland Security and state and local governments.

Organizations may use these types of activities to satisfy evidentiary requirements related to service provider contingency plan reviews, testing, and training.

Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of CP-8(4) (Provider Contingency Plan)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring CP-8(4)?
  • How frequently is the CP-8(4) policy reviewed and updated, and what triggers policy changes?
  • What governance structure ensures CP-8(4) requirements are consistently applied across all systems?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce CP-8(4) requirements.
  • What automated tools, systems, or technologies are deployed to implement CP-8(4)?
  • How is CP-8(4) integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce CP-8(4) requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of CP-8(4)?
  • What audit logs, records, reports, or monitoring data validate CP-8(4) compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of CP-8(4) effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate CP-8(4) compliance?
