CONTINGENCY PLANNING POLICY FOR INFORMATION TECHNOLOGY & SYSTEMS
(CT:IM-324; 06-28-2024)
(Office of Origin: DT/ECISO/PLT)
5 FAM 851 GENERAL INFORMATION
5 FAM 851.1 Authority
(CT:IM-324; 06-28-2024)
Authorities for this subchapter are:
(1) White House Office of Management and Budget (OMB) Circular A-130, Appendix I, Managing Information as a Strategic Resource, July 28, 2016, as amended;
(2) Federal Information Processing Standard (FIPS) Publication 199;
(3) Federal Information Security Modernization Act (FISMA) of 2014 (Title III of Public Law 113-283);
(4) Federal Continuity Directive (FCD) – 1 Federal Executive Branch - National Continuity Program and Requirements (January 2017);
(5) Federal Continuity Directive (FCD) – 2 Mission Essential Functions and Candidate Primary Mission Essential Functions Identification and Submission Process (June 2017);
(6) NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations;
(7) Federal Mission Resilience Strategy;
(8) Presidential Policy Directive (PPD)-21;
(9) NIST SP 800-34, Contingency Planning Guide for Federal Information Systems;
(10) NIST SP 800-37, Risk Management Framework for Information Systems and Organizations;
(11) NIST SP 800-84, Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities;
(12) 1 FAM 212.3, Office of Emergency Management (A/OEM);
(13) 1 FAM 270, Bureau of Diplomatic Technology;
(14) 5 FAM 100, Information Technology Management;
(15) 5 FAM 1060, Cybersecurity Management;
(16) 12 FAM 620, Unclassified Information System Security Policies;
(17) 12 FAM 630, Classified Information System Security Policies;
(18) 12 FAH-10 H-230, Contingency Planning;
(19) Federal Risk and Authorization Management Program (FedRAMP);
(20) 5 FAM 1100, Cloud Computing; and
(21) 5 FAH-8 H-350, Cloud Computing.
5 FAM 851.2 Purpose
(CT:IM-324; 06-28-2024)
a. These regulations establish the Department of State's (Department) contingency planning policy for both Classified (see 12 FAM 632.3) and Unclassified (see 12 FAM 623.7) information technology and systems, and apply to all information used, stored, or managed by the Department, or by a contractor or other organization on behalf of the Department, domestic or abroad.
b. Contingency plans (CP) provide key information needed for system recovery, including roles and responsibilities, limits for maximum tolerable downtime, recovery priorities, detailed recovery procedures, and requirements for training, testing and exercises.
c. Contingency planning helps to ensure business resiliency and continuity. It affects critical and key information system resources, recovery, and reconstitution of essential cyber capabilities by mitigating the risk of system and service unavailability (see Presidential Policy Directive 21, which replaced HSPD 7).
d. Cloud computing, governed by the Federal Risk and Authorization Management Program (FedRAMP), must follow contingency planning guidance provided in this policy to meet Federal and Department requirements.
e. The Department uses two (2) terms to reference contingency plans:
(1) The Information Technology (IT) Contingency Plan (ITCP) is used for the overall critical IT infrastructure at post, and covers any incidents that disrupt business operations: cyber, natural disaster, manmade, etc. Posts are required to have a current and valid/approved ITCP to aid in the prompt response, recovery, and restoration of operations while protecting Department information and the systems that store and manage that information. The ITCP is tested, reviewed, and updated at least annually, and approved by the system owner; and
(2) The Information System Contingency Plan (ISCP) is used for individual systems/applications. ISCPs include roles and responsibilities, procedures, and technical measures that enable the recovery and reconstitution of individual information systems following a disruption or cyber incident. An ISCP is unique to each system/application, is tested, reviewed, and updated at least annually, and approved by the system owner. Contingency planning addresses both system restoration and implementation of alternative mission/business processes when systems are compromised in order to achieve mission resiliency.
f. To effectively ensure mission resiliency, contingency plans (ITCPs and ISCPs) must be integrated into broader business continuity plans (e.g., Bureau Emergency Action Plan (BEAP), etc.).
Distinctions between ITCP and ISCP:
| ITCP (Post Only) | ISCP (Systems) |
|---|---|
| 1. Custom term for Contingency Plan at Post only used within the Department | 1. Federally accepted term for a respective Contingency Plan (NIST SP 800-34) |
| 2. Designated for IT infrastructure at Post for the Information Systems Center (ISC) [Unclassified] and the Information Programs Center (IPC) [Classified] | 2. Designated for individual system(s)/application(s) |
| 3. Template managed and disseminated by information system security officer (ISSO) Oversight office that includes a BIA template; DT/CO/ISSO | 3. Template is built into Xacta and also managed and disseminated by the Office of Assessment and Authorization (A&A) that includes a BIA template; DT/CO/AA |
| 4. System Owner ultimately responsible to ensure ITCP is valid, current, and tested. a. ISSO assists in creating, maintaining, and testing the ITCP in accordance with 12 FAH-10 H-232.1-3, 3-3 | 4. System Owner ultimately responsible to ensure ISCP is valid, current, and tested. a. ISSO assists in creating, maintaining, and testing the ISCP in accordance with 12 FAH-10 H-232.1-3, 3-3 |
| 5. Must be integrated with broader business continuity plans, e.g., BEAP, Post EAP, etc. | 5. Must be integrated with broader business continuity plans, e.g., BEAP, Post EAP, etc. |
| 6. Minimum content required for the Unclassified and Classified network(s): a. Critical information for system recovery; b. Roles and responsibilities; c. Inventory information; d. Assessment procedures; e. Detailed recovery procedures, and testing of a system. | 6. Minimum content required: a. Critical information for system recovery; b. Roles and responsibilities; c. Inventory information; d. Assessment procedures; e. Detailed recovery procedures, and testing of a system. |
Requirements for ISCP for Cloud and Hybrid-Cloud:
| Cloud Systems | Hybrid Systems (On-Site and Cloud) |
|---|---|
| 1. FedRAMP ISCP as attachment to the FedRAMP SSP | 1. Potentially a combination of a NIST SP 800-34 ISCP and a FedRAMP ISCP |
| 2. Designated for IT systems contained entirely within one or more Cloud Service Provider (CSP) environments. | 2. Designated for IT systems contained in both on-site (datacenter) and CSP environments. |
| 3. FedRAMP ISCP Template managed and disseminated by FedRAMP as an attachment to the SSP. | 3. Template(s) managed by DT/CO/AA and FedRAMP |
| 4. System Owner ultimately responsible to ensure ISCP is valid, current, and tested. a. ISSO assists in creating, maintaining, and testing the ISCP | 4. System Owner ultimately responsible to ensure ISCP is valid, current, and tested. a. ISSO assists in creating, maintaining, and testing the ISCPs |
| 5. Must be integrated with broader business continuity plans, e.g., BEAP or Post EAP | 5. Must be integrated with broader business continuity plans, e.g., BEAP or Post EAP |
| 6. Minimum content required: a. Critical information for system recovery; b. Roles and responsibilities; c. Inventory information; d. Assessment procedures; e. Detailed recovery procedures, and testing of a system. | 6. Minimum content required: a. Critical information for system recovery; b. Roles and responsibilities; c. Inventory information; d. Assessment procedures; e. Detailed recovery procedures, and testing of a system. |
5 FAM 851.3 Definitions
(CT:IM-283; 05-19-2021)
Business continuity: Advance planning and preparation to ensure ongoing mission capability following a disruption.
Business Impact Analysis (BIA): An analysis of mission and business processes, including all resources needed by an information system, its functions, and interdependencies, used to characterize system contingency requirements and priorities in the event of a significant disruption. Federal information systems are subject to a system-focused BIA, versus a process-focused BIA with Continuity of Operations (COOP).
Contingency plan (CP): Provides key information needed for technology or system recovery, including roles and responsibilities, safeguards for unplanned and planned events, assessment procedures, detailed recovery objectives, priorities and procedures, and testing information. The documentation can be used to restore cyber connectivity/operations in order to sustain business operations following an unplanned disruption.
Continuity: Consistent operation over a period of time.
Disruption: An unplanned event that causes an information system to be inoperable for a length of time (e.g., minor or extended power outage, extended unavailable network, or equipment or facility damage or destruction).
Emergency Action Plan (EAP): An operative Emergency Action Plan (EAP) is a living document that must be reviewed at least annually and updated on a continuous basis. Bureaus and posts use EAPs to effectively respond to any hazard that disrupts business operations as a result of cyber, natural disaster, manmade, etc.
Impact level: High, moderate, or low impact categories of an information system established in FIPS 199 which classify the intensity of a potential impact that may occur if the information system is jeopardized.
Resiliency: Ability to recover quickly or in a timely manner following a disruption.
5 FAM 852 RESPONSIBILITIES
(CT:IM-283; 05-19-2021)
Key CP roles and responsibilities associated with the oversight, contingency planning, security, and governance include:
5 FAM 852.1 Office of Policy, Liaison, and Training (DT/E-CISO/PLT)
(CT:IM-324; 06-28-2024)
(1) Oversees and addresses the Department’s policy and governance issues related to integrating current federal cybersecurity technology requirements and compliance policies for contingency planning;
(2) Collaborates with Office of Emergency Management (OEM) on Department internal continuity exercises involving contingency planning, e.g. functional and/or Table Top Exercise (TTX);
(3) Collaborates with OEM to integrate contingency plans with other continuity plans;
(4) Provides policy and contingency planning process guidance concerning the CP templates available to posts and system owners; and
(5) Ensures this policy is reviewed and updated periodically, but not less than annually, to ensure it reflects current federal requirements concerning contingency planning.
5 FAM 852.2 Office of Information System Security Officer (DT/CO/ISSO) Oversight
(CT:IM-324; 06-28-2024)
(1) Oversees the ISSO Program within the Department by directing the coordination of ISSO activities through the Department enterprise that includes its domestic facilities and overseas missions (see 1 FAM 273.1 (1));
(2) Coordinates and verifies with every post to track and remind posts that current and approved CPs are required. When posts are delinquent, notifies the regional bureau and post system owner to remediate;
(3) Develops, maintains, and disseminates the ITCP template that includes the BIA template; and
(4) Coordinates with the Post IT staff to integrate CPs with the business continuity plans at post, as well as the EAP at Post.
5 FAM 852.3 Office of Assessment and Authorization (A&A), Cyber Operations (DT/CO/AA)
(CT:IM-324; 06-28-2024)
(1) Oversees A&A program within the Department;
(2) Develops guidance and provides oversight to systems owners ensuring the Department’s systems are compliant with FISMA 2014;
(3) Develops, maintains, and disseminates CP template that includes the BIA template; and in coordination with mission processes, ensures CPs are updated, reviewed and tested annually, and approved by the system owner;
(4) Validates/verifies CP controls in accordance with the current version of NIST SP 800-53 are properly addressed during the A&A process, to include but not limited to CP testing;
(5) Ensures systems/applications that go through the A&A process contain a current and valid ISCP, to include the BIA in accordance with current version of NIST SP 800-53;
NOTE: A&A artifacts, to include the BIA, are stored in Xacta if the system/application was authorized using Xacta or the A&A library;
(6) Ensures Plan of Action and Milestones (POA&M) item(s) are created for vulnerabilities resulting from partially or fully failed CP security controls.
5 FAM 852.4 Compliance Reporting (CR) Division, Office of Information Technology Security Compliance (DT/E-CISO/CR)
(CT:IM-324; 06-28-2024)
(1) Oversees the CR Program within the Department;
(2) Verifies and validates the CP POA&M item(s) that were created for vulnerabilities resulting from partially or fully failed CP security controls have been mitigated/remediated by the system owner(s); and
(3) Monitors CP POA&M item(s) and ensures milestones for addressing identified weaknesses are addressed in a timely manner.
5 FAM 852.5 Office of Emergency Management (A/OEM)
(CT:IM-302; 06-06-2023)
a. Develops, implements, and manages the Department’s continuity and domestic emergency management programs in coordination with bureaus and offices in the event of a disruption to normal business operations (see 6 FAM 410).
b. Conducts a comprehensive Business Process Analysis (BPA) and BIA to identify the Department’s Essential Functions as part of the Department’s continuity and resiliency programs. BIAs conducted in accordance with Federal Continuity Directive (FCD-1/2) ensure alignment and support of mission essential processes and any interdependencies.
c. Develops, maintains, and disseminates the Emergency Action Plan (EAP) templates used by Bureaus and facilities to ensure resiliency of essential functions.
d. Maintains the Department’s continuity plans and ensures the plans take FISMA requirements into account.
e. Collaborates and provides guidance to bureaus during the BPA/BIA to identify essential functions and integrate other continuity planning requirements, including contingency plans.
5 FAM 852.6 Cloud Program Management Office (DT/OPS/CPMO)
(CT:IM-324; 06-28-2024)
Manages the Department’s cloud instances through the respective and authorized CSP through a FedRAMP authorized cloud service offering of the following platforms:
(1) Software as a Service (SaaS);
(2) Platform as a Service (PaaS);
(3) Infrastructure as a Service (IaaS).
5 FAM 852.7 Bureau Executive Director Responsibilities
(CT:IM-283; 05-19-2021)
Designates in writing a cleared U.S. citizen who is a Full Time Equivalent (FTE) under their supervision to:
(1) Carry out their assigned IT security responsibilities;
(2) Ensures CP requirements for annual testing and approvals are completed by system owners for their area of responsibility (see 12 FAH-10 H-230);
(3) Ensures the designated government lead integrates CPs into respective business continuity plans;
(4) Coordinates IPO/ISO activities with the IMO (if at post), which includes but is not limited to ensuring cyber security, user support, and project support duties on all networks and IT-based solutions under the Department's authority as required;
(5) Ensures contingency planning is incorporated into individual performance plans for system owners;
(6) Ensures that contracts used to support IT operations that support essential functions incorporate appropriate contract clauses, contract language, quality assurance plans, and deliverables for contingency requirements throughout the system development lifecycle;
(7) Ensures that responsibilities of stakeholders involved in CP have been defined and communicated across their organization to include appropriate delegations of responsibility;
(8) Ensures systems owners have conducted sufficient resource planning to ensure CP POA&M items may be remediated in a timely manner; and testing, training & exercises may be conducted on an annual basis at minimum; and
(9) Ensures the results of contingency planning, backup and recovery performance are communicated consistently to executive teams and system owners; and that the data supporting contingency planning metrics are obtained accurately and consistently in a format that may be reproduced.
5 FAM 852.8 Management/Supervisor Responsibilities
(CT:IM-283; 05-19-2021)
a. Must be a cleared U.S. citizen Full Time Equivalent (FTE).
b. Ensures the designated individual(s) execute their contingency planning responsibilities in accordance with applicable Federal and Department policies.
5 FAM 852.9 System Owners (SOs) Responsibilities
(CT:IM-283; 05-19-2021)
a. Must be a cleared U.S. citizen FTE.
b. System owners are responsible and accountable for meeting contingency planning requirements (see 12 FAH-10 H-230), which include, but are not limited to:
(1) Conducting, or officially delegating the responsibility in writing to:
(a) Create a CP for all system/applications under their authorization to go through the A&A process; and
(b) Conduct a Business Impact Analysis (BIA) as part of contingency planning and developing recovery priorities.
c. Aligning maximum tolerable downtimes and recovery priorities based on business continuity requirements for essential functions identified during the Department’s functional BPA.
d. Performing backup and recovery consistently based on the Recovery Point Objective defined in the BIA; documenting backup procedures; maintaining data on completed procedures, and making results available.
e. Identifying and documenting alternate storage and processing sites in the CP and configuring these sites with information security safeguards and backup and recovery solutions equivalent to those of the primary site.
f. Allocating sufficient resources to maintain a state of readiness via testing, training and exercises.
g. Reviewing, updating and approving each CP at least annually or following a significant change to the system or cybersecurity posture.
h. Mitigating and remediating risk and vulnerabilities from CP POA&M item(s) and any other weaknesses in CP security controls in a timely manner in accordance with the system’s FIPS 199 designation.
i. Developing metrics and other performance data on the effectiveness of backup and restoration activities, as well as annual training, testing and exercises.
j. Documenting processes to ensure data is accurate, consistent, and stored in a reproducible format.
k. Integrating CP requirements into contracts used to support IT systems throughout the systems development lifecycle, to include but not limited to appropriate contract clauses, contract language, quality assurance plans, and deliverables.
l. Ensuring CP requirements are evident with the employment of a cloud computing platform, e.g. SaaS, PaaS, and IaaS.
5 FAM 852.10 ISSO Responsibilities
(CT:IM-283; 05-19-2021)
Must be a cleared U.S. citizen and FTE and perform the following contingency planning activities (see 12 FAH-10 H-230):
(1) Ensures the current version of NIST SP 800-34 is followed for all their systems and/or applications to establish thorough CP(s);
(2) Verifies backup and recovery are performed; and procedures are documented, maintained, and available;
(3) Communicates with mission/business stakeholders, executives, and/or system owners about CP requirements, to include but not limited to:
(a) Sharing metrics, lessons learned and results on the effectiveness of:
(i) Backup and recovery strategies and procedures; and
(ii) Annual testing, training and exercises as listed in the current version of NIST SP 800-84.
(b) Resources needed to remediate CP POA&M items or other weaknesses in a timely manner.
(4) Verifies contingency plans are:
(a) Created and maintained for each system throughout the systems development lifecycle;
(b) Aligned with recovery requirements to perform essential functions;
(c) Approved and tested annually at minimum and when a significant change to the system or cybersecurity posture occurs;
(d) Integrated into other business continuity plans at the bureau, post and/or facility level, as appropriate;
(e) Alternate storage and processing sites are configured with the same level of safeguards as primary sites.
5 FAM 853 THROUGH 859 UNASSIGNED