Configuration management policy defines controls to ensure that initial and ongoing configuration changes to information systems do not impact security, availability or function of these systems.


The organization:

  1. Develops an Information System Contingency Plan (ISCP) (CP001) for the information system that:
    1. Identifies essential missions and business functions and associated contingency requirements
    2. Provides recovery objectives, restoration priorities, and metrics
    3. Addresses contingency roles, responsibilities, assigned individuals with contact information
    4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure
    5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
    6. Is reviewed and approved by the Information Security Team (PL002) and approved by the CISO.
  2. Distributes copies of the contingency plan to Information Security Team (PL002)
  3. Coordinates contingency planning activities with incident handling activities
  4. Reviews the contingency plan for the information system annually
  5. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing
  6. Communicates contingency plan changes to the Information Security Team (PL002)
  7. Protects the contingency plan from unauthorized disclosure and modification.

The Information System Contingency Plan (ISCP) has been generated to fulfill this requirement.


The organization provides contingency training to information system users consistent with assigned roles and responsibilities:

  1. Within a 10 day period of assuming a contingency role or responsibility
  2. When required by information system changes
  3. Annually thereafter.


The organization:

  1. Tests the contingency plan for the information system annually using test defined in the ISCP to determine the effectiveness of the plan and the organizational readiness to execute the plan
  2. Reviews the contingency plan test results
  3. Initiates corrective actions, if needed (using the Change Management Process).


The organization:

  1. Conducts backups of user-level information contained in the information system daily
  2. Conducts backups of system-level information contained in the information system daily
  3. Conducts backups of information system documentation including security-related documentation daily
  4. Protects the confidentiality, integrity, and availability of backup information at storage locations.

Backup services from our FedRAMP-accredited hosted partners are used to meet this requirement.


The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.

Procedure is documented in the ISCP.


  • Quarterly Management Review (MR002) includes verification of Training (CP-3), verification of backup system function (CP-9) and last CP-4
  • Annual Management Review (MR001) includes review of this policy and CP001.