National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

NIST Special Publication 800-53 (Rev. 4)

Security and Privacy Controls for Federal Information Systems and Organizations

CP-8 TELECOMMUNICATIONS SERVICES

Family:
CP - CONTINGENCY PLANNING
Class:
Priority:
P1 - Implement P1 security controls first.
Baseline Allocation:
Low Moderate High
N/A CP-8 (1) (2) CP-8 (1) (2) (3) (4)

Control Description

The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of [Assignment: organization-defined information system operations] for essential missions and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.

Supplemental Guidance

This control applies to telecommunications services (data and voice) for primary and alternate processing and storage sites. Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential missions/business functions despite the loss of primary telecommunications services. Organizations may specify different time periods for primary/alternate sites. Alternate telecommunications services include, for example, additional organizational or commercial ground-based circuits/lines or satellites in lieu of ground-based communications. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements.

Related to: CP-2CP-6CP-7

Control Enhancements

CP-8(1) TELECOMMUNICATIONS SERVICES | PRIORITY OF SERVICE PROVISIONS
The organization:
CP-8 (1)(a)
Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and
CP-8 (1)(b)
Requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier.
Supplemental Guidance: Organizations consider the potential mission/business impact in situations where telecommunications service providers are servicing other organizations with similar priority-of-service provisions.
CP-8(2) TELECOMMUNICATIONS SERVICES | SINGLE POINTS OF FAILURE
The organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.
CP-8(3) TELECOMMUNICATIONS SERVICES | SEPARATION OF PRIMARY / ALTERNATE PROVIDERS
The organization obtains alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.
Supplemental Guidance: Threats that affect telecommunications services are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber/physical attacks, and errors of omission/commission. Organizations seek to reduce common susceptibilities by, for example, minimizing shared infrastructure among telecommunications service providers and achieving sufficient geographic separation between services. Organizations may consider using a single service provider in situations where the service provider can provide alternate telecommunications services meeting the separation needs addressed in the risk assessment.
CP-8(4) TELECOMMUNICATIONS SERVICES | PROVIDER CONTINGENCY PLAN
The organization:
CP-8 (4)(a)
Requires primary and alternate telecommunications service providers to have contingency plans;
CP-8 (4)(b)
Reviews provider contingency plans to ensure that the plans meet organizational contingency requirements; and
CP-8 (4)(c)
Obtains evidence of contingency testing/training by providers [Assignment: organization-defined frequency].
Supplemental Guidance: Reviews of provider contingency plans consider the proprietary nature of such plans. In some situations, a summary of provider contingency plans may be sufficient evidence for organizations to satisfy the review requirement. Telecommunications service providers may also participate in ongoing disaster recovery exercises in coordination with the Department of Homeland Security, state, and local governments. Organizations may use these types of activities to satisfy evidentiary requirements related to service provider contingency plan reviews, testing, and training.
CP-8(5) TELECOMMUNICATIONS SERVICES | ALTERNATE TELECOMMUNICATION SERVICE TESTING
The organization tests alternate telecommunication services [Assignment: organization-defined frequency].

References

NIST Special Publication 800-34 https://csrc.nist.gov/publications/search?keywords-lg=800-34
National Communications Systems Directive 3-10
http://www.dhs.gov/telecommunications-service-priority-tsp http://www.dhs.gov/telecommunications-service-priority-tsp