UNCLASSIFIED (U)

5 FAM 850

CONTINGENCY PLANNING POLICY FOR INFORMATION TECHNOLOGY

(CT:IM-343;   06-23-2025)
(Office of Origin:  DT/ECISO/PLT)

5 FAM 851  Summary

(CT:IM-343;   06-23-2025)

This subchapter establishes requirements for the Department’s contingency planning for both Unclassified and Classified information technology (IT) systems.

5 FAM 851.1  Scope

(CT:IM-343;   06-23-2025)

These regulations establish the Department's contingency planning policy for both Classified (see 12 FAM 632.3) and Unclassified (see 12 FAM 623.7) information technology and systems, whether Department managed or managed on behalf of the Department by another organization.

5 FAM 851.2  Purpose of Contingency Planning

(CT:IM-343;   06-23-2025)

a. Contingency plans (CPs) provide key information needed for system recovery, including roles and responsibilities, limits for  maximum tolerable downtime, recovery priorities, detailed recovery procedures, and requirements for training, testing, and exercises.

b. Contingency planning supports business resiliency and continuity.  It addresses critical and key information system resources, recovery, and reconstitution of essential cyber capabilities by mitigating the risk of system and service unavailability.

c.  The contingency planning guidance provided in this policy is required for cloud computing, governed by the Federal Risk and Authorization Management Program FedRAMP) to meet Federal and Department requirements.

d. Two terms address requirements for the Department contingency plans, at the enterprise and system/application level:

(1)  The Information Technology (IT) Contingency Plan (ITCP) is used for the overall critical IT infrastructure at post, and covers any incidents that disrupt business operations: cyber, natural disaster, manmade, etc.  Posts are required to have a current and valid/approved ITCP to aid in the prompt, response, recovery, and restoration of operations while protecting Department information and systems that store and manage that information.  The ITCP must be tested, reviewed, and updated at least annually, and approved by the system owner; and

(2)  The Information System Contingency Plan (ISCP) is used for individual systems/applications.  SCPs must include roles and responsibilities, procedures, and technical measures that enable the recovery and reconstitution of individual information systems following a disruption or cyber incident.  An ISCP is unique to each system/application, is tested, reviewed, and updated at least annually, and approved by the system owner.  Contingency planning addresses both system restoration and implementation of alternative mission/business processes to achieve mission resiliency when systems are compromised (See 12 FAH-1 H-242).

e. To effectively ensure mission resiliency, contingency plans  (ITCPs and ISCPs) must be integrated into broader business continuity and emergency response plans [e.g., Bureau Emergency Action Plan (BEAP), post’s EAP, etc.].

Note: Posts are required to document the ITCP point of contact and location where the ITCP is stored at post in Annex E 4.3 of post’s Emergency Action Plan (see 12 FAH-1 Annex E 4.3 for requirement).

5 FAM 851.3  Distinctions between ITCP and ISCP

(CT:IM-343;   06-23-2025)

The table below explains distinctions between ITCP and ISCP.

Table 1: Distinctions between ITCP and ISCP

ITCP (Post Only)

ISCP (Systems)

1.   Custom term for Contingency Plan at Post only used within the Department

1.   Federally accepted term for a respective Contingency Plan (NIST SP 800-34)

2.  Designated for IT infrastructure at Post  for  the Information Systems Center (ISC) [Unclassified] and the Information Programs Center (IPC) [Classified]

2.   Designated for all Department individual system(s)/application(s)

3.   Template managed and disseminated by information system security officer (ISSO) Oversight office that includes a Business Impact Assessment (BIA) template; DT/CO/ISSO

3.  The ISCP Template (along with the BIA as an appendix) is built into the Department’s FISMA Systems Governance Risk and Compliance tool (Archangel) and Xacta-C and also managed and disseminated by the DT/CO/AA Office, which is responsible for operating the Department’s FISMA  Assessment and Authorization (A&A) program.  DT

4.   System Owner ultimately responsible to ensure ITCP is valid, current, and tested.

a.   ISSO assists in creating, maintaining, and testing the ITCP I.A.W 12 FAH-10 H-232.1-3, 3-3

4.   System Owner ultimately responsible to ensure ISCP is valid, current, and tested.

a.   ISSO assists in creating, maintaining, and testing the ISCP I.A.W 12 FAH-10 H-232.1-3, 3-3

5.   Must be integrated with broader business continuity and emergency response plans, e.g. BEAP, Post’s EAP, etc.

5.  Must be integrated with broader business continuity and emergency response plans, e.g. BEAP, Post’s EAP

6.   Minimum content required for the Unclassified and Classified network(s):

a.   Critical information for  system recovery

b.   Roles and responsibilities

c.    Inventory information

d.   Assessment procedures

e.   Detailed recovery procedures, and testing of a system

6.   Minimum content required:

a.   Critical information for system recovery

b.   Roles and responsibilities

c.    Inventory information

d.   Assessment procedures

e.   Detailed recovery procedures, and testing of a system

 

5 FAM 851.4  Requirements for ISCP for Cloud and Hybrid-Cloud Environments

(CT:IM-343;   06-23-2025)

The table below outlines requirements for ISCP for Cloud and Hybrid-Cloud environments.

Table 2: Requirements for ISCP for Cloud and Hybrid-Cloud Environments

 

Cloud Systems

Hybrid  Systems

(On-Site and Cloud)

1.   FedRAMP ISCP developed

1.   A combination of  FedRAMP ISPC and NIST  800-34 ISCP , which distinguishes controls not covered in FedRAMP

2.   Designated for IT systems contained entirely within one or more Cloud Service Provider (CSP) environments

2.   Designated for IT systems contained in both on-site (datacenter) and CSP environments

3.   FedRAMP ISCP Template managed and disseminated by FedRAMP as an attachment to the SSP

3.   Template(s) managed by DT/CO/AA and FedRAMP

4.   System owner ultimately responsible to ensure ISCP is valid, current, and tested

a.   ISSO assists in creating, maintaining, and testing the ISCP

4.   System owner ultimately responsible to ensure ISCP is valid, current, and tested

a.   ISSO assists in creating, maintaining, and testing the ISCPs

5.   Must be integrated with broader business continuity and emergency response plans, e.g., BEAP or Post’s EAP

5.   Must be integrated with broader business continuity and emergency response plans, e.g., BEAP or Post’s EAP

6.   Minimum content required:

a.   Critical information for system recovery

b.   Roles and responsibilities

c.    Inventory information

d.   Assessment procedures

e.   Detailed recovery procedures, and testing of a system

6.   Minimum content required:

a.   Critical information for system recovery

b.   Roles and responsibilities

c.    Inventory information

d.   Assessment procedures

e.   Detailed recovery procedures, and testing of a system

5 FAM 852  RESPONSIBILITIES

(CT:IM-343;   06-23-2025)

Key CP roles and responsibilities associated with oversight, contingency planning, security, and governance include:

5 FAM 852.1  Office of  Policy, Liaison, and Training (DT/E-CISO/PLT)

(CT:IM-343;   06-23-2025)

On behalf of the CIO/E-CISO, PLT:

(1)  Oversees and addresses the Department’s policy and governance issues related to integrating current Federal cybersecurity technology requirements and compliance policies for contingency planning;

(2)  Collaborates with Office of Emergency Management (OEM) on Department internal continuity exercises involving contingency planning, e.g., functional and/or Tabletop Exercise (TTX);

(3)  Collaborates with OEM to integrate contingency plans  with other continuity plans;

(4)  Provides policy and contingency planning process guidance concerning the CP templates available; and

(5)  Ensures this policy is reviewed and updated at least annually, or following an event or requirement of an authoritative source that requires an update to the policy, so that it reflects current Federal requirements concerning contingency planning.

5 FAM 852.2  Office of Information System Security Officer (DT/CO/ISSO) Oversight

(CT:IM-343;   06-23-2025)

On behalf of the CIO, E-CISO, and the DCIO for Cyber Operations, ISSO Oversight is responsible for the following:

(1)    Oversees the Department ISSO Program by directing the coordination of ISSO activities within both its domestic facilities and at its overseas missions (see 1 FAM 273.1 (1));

(2)    Track completion of annual approved CPs for every post.  Notifies the regional bureau and post system owner to remediate if the annual, approved CP is overdue.

(3)    Develops, maintains, and disseminates the ITCP template that includes the BIA template; and

(4)    Coordinates with the Post IT staff to integrate CPs with the business continuity and emergency response plans at post, including post’s EAP.

5 FAM 852.3  Office of Assessment and Authorization (A&A), Cyber Operations (DT/CO/AA)

(CT:IM-343;   06-23-2025)

On behalf of the CIO, E-CISO, and DCIO for Cyber Operations, the A&A Office:

(1)  Oversees A&A program within the Department.

(2)  Develops guidance and provides oversight to systems owners ensuring the Department’s systems are compliant with FISMA 2014;

(3)  Develops, maintains, and disseminates CP template that includes the BIA template; and in coordination with mission processes, ensures CPs are updated, reviewed and tested annually, and approved by the system owner.

(4)  Validates/verifies CP controls in accordance with the current version of NIST SP 800-53 are addressed during the A&A process, to include but not limited to CP testing.

(5)  Ensures systems/applications that go through the A&A process contain a current and valid ISCP, to include the BIA in accordance with current version of NIST SP 800-53.

NOTE:  Unclassified system A&A artifacts, to include the BIA, are stored in Archangel; classified system A&A artifacts are stored in Xacta-C;

(6)  Ensures Plan of Action and Milestones (POA&M) item(s) are created for vulnerabilities resulting from partially or fully failed CP security controls.

5 FAM 852.4  Compliance Reporting (CR) Division, Office of Information  Technology Security Compliance (DT/E-CISO/CR)

(CT:IM-343;   06-23-2025)

On behalf of the CIO, E-CISO, and CR:

(1)  Oversees the CR Program within the Department;

(2)  Verifies and validates the CP POA&M item(s) that were created for vulnerabilities resulting from partially or fully failed CP security controls have been mitigated/remediated by the system owner(s); and

(3)  Monitors CP POA&M items(s) and ensures milestones for addressing identified weaknesses are addressed by their deadline.

5 FAM 852.5  Office of Emergency Management (A/OEM)

(CT:IM-343;   06-23-2025)

OEM is responsible for the following:

(1)  Develops, implements, and manages the Department’s continuity and domestic emergency management programs in coordination with bureaus and offices in the event of a disruption to normal business operations (see 6 FAM 410);

(2)  Conducts a comprehensive Business Process Analysis (BPA) and BIA to identify the Department’s Essential Functions as part of the Department’s continuity and resiliency programs.  BIAs conducted in accordance with Federal Continuity Directives ensure alignment and support of Mission Essential Functions (MEFs) and any interdependencies;

(3)  Develops, maintains, and disseminates the Bureau Emergency Action Plan (BEAP) templates used by Bureaus to improve the safety and resiliency of facilities;

(4)  Maintains the Departments continuity plans;

(5)  Provides guidance and assistance to bureaus during the biennial BPA/BIA to identify the essential functions and integrate other continuity planning requirements; and

(6)  Provides information from the biennial Department BPA/BIA and Risk Assessment to DT to support FISMA requirements and DT contingency plans.

5 FAM 852.6  Application Design and Delivery (DT)

(CT:IM-343;   06-23-2025)

Manages the Department’s cloud instances through a FedRAMP-authorized cloud service offering of the following platforms (see 5 FAH-8 H-353):

(1)  Software as a Service (SaaS);

(2)  Platform as a Service (PaaS);

(3)  Infrastructure as a Service (IaaS).

5 FAM 852.7  Bureau Executive Director Responsibilities

(CT:IM-343;   06-23-2025)

Designates in writing a cleared U.S. citizen who is a Full Time Equivalent (FTE) civil service or foreign service representative under the Bureau Executive Director’s supervision with CP responsibilities.  The cleared U.S. citizen FTE is responsible to:

(1)    Ensure system owners complete CP requirements  for  annual testing and obtain approvals or  their area of responsibility (see 12 FAH-10 H-230);

(2)    Ensure the designated government lead integrates CPs into respective business continuity plans;

(3)    Coordinate IPO/ISO activities with the IMO (if at post), which includes but is not limited to ensuring cyber security, user support, and project support duties on all networks and IT-based solutions under the Department's authority as required;

(4)    Ensure system owners incorporate contingency planning into individual performance plans ;

(5)    Ensure that contracts used to support IT operations that support essential functions incorporate appropriate contract clauses, contract language, quality assurance plans, and deliverables for contingency  requirements throughout the system development lifecycle.

(6)    Ensure that stakeholder responsibilities are defined and communicated across the organization to include delegations of responsibility.

(7)    Ensure systems owners allocate sufficient resources to remediate CP POA&M items by deadline; and testing, training and exercises are conducted on an annual basis at minimum; and

(8)    Ensure the results of contingency planning, backup and recovery performance are communicated regularly to executive teams and system owners; and that the data supporting contingency planning metrics are obtained accurately and consistently in a reproducible format.

5 FAM 853  Management commitment

(CT:IM-343;   06-23-2025)

5 FAM 853.1  Management Commitment

(CT:IM-343;   06-23-2025)

a. The Department's IT Security and Privacy Program mission is to ensure that Department infrastructure, assets, and remote services are protected while maintaining an open and collaborative environment.

b. Department senior management established and maintains a comprehensive IT Security and Privacy Program that is consistent with government-wide guidance and industry best practices.

c.  Department senior management ensures security and privacy remain high priorities and investment in resources is sufficient to ensure adequate compliance.

d. Department senior management ensures effective allocation of resources for the level of protection based on Departmental organizational priorities.

5 FAM 853.2  Management/Supervisor Responsibilities

(CT:IM-343;   06-23-2025)

a. Must be a cleared U.S. citizen FTE civil service or foreign service representative.

b. Ensures the designated individual(s) execute their contingency planning responsibilities in accordance with applicable Federal and Department policies.

5 FAM 853.3  System Owners (SOs) Responsibilities

(CT:IM-343;   06-23-2025)

a. Must be a cleared U.S. citizen FTE civil service or foreign service representative.

b. System owners are responsible and accountable for meeting contingency planning  requirements (see  12 FAH-10 H-230), which includes, but is not limited to conducting, or officially delegating the responsibility in writing to:

(1)    Create a CP for all system/applications under their authorization to go through the A&A process; and

(2)    Conduct a BIA as part of contingency planning and developing recovery priorities.

c.  Aligning maximum tolerable downtimes and recovery priorities based on business continuity requirements for essential functions identified during the Department’s functional BPA.

d. Determining backup and recovery consistently based on the Recovery Point Objective defined in the BIA; documenting backup procedures; maintaining data on completed procedures and making results available.

e. Identifying and documenting alternate storage and processing sites in the CP and configuring these sites with information security safeguards and backup and recovery solutions equivalent to those of the primary site.

f.  Allocating sufficient resources to maintain a state of readiness via testing, training, and exercises.

g. Reviewing, updating and approving each CP at least annually or following a significant change to the system or cybersecurity posture.

h. Mitigating and remediating risk and vulnerabilities from CP POA&M items(s) and any other weaknesses in CP security controls in a timely manner in accordance with the system’s FIPS 199 designation.

i.  Developing metrics and other performance data on the effectiveness of backup and restoration activities, as well as annual training, testing, and exercises.

j.  Documenting processes to ensure data is accurate, consistent, and stored in a reproducible format.

k. Integrating CP requirements into contracts used to support IT systems throughout the systems development lifecycle, to include but not limited to appropriate contract clauses, contract language, quality assurance plans, and deliverables.

l.  Ensuring CP requirements are evident with the employment of a cloud computing platform, e.g., SaaS, PaaS, and IaaS.

5 FAM 853.4  ISSO Responsibilities

(CT:IM-343;   06-23-2025)

Must be a cleared U.S. citizen FTE civil service or foreign service representative and perform the following  contingency  planning  activities (see 12 FAH-10 H-230):

(1)  Ensures the current version of NIST SP 800-34 is followed for all their systems and/or applications to establish thorough CP(s);

(2)  Verifies backup and recovery are performed; and procedures are documented, maintained, and available.

(3)  Communicates with stakeholders, executives, and/or system owners about CP requirements, to include but not limited to:

(a)  Sharing metrics, lessons learned and results on the effectiveness of:

(i)     Backup and recovery strategies and procedures; and

(ii)    Annual testing, training and exercises as listed in the current version of NIST SP 800-84.

(b)  Resources needed to remediate CP POA&M items or other weaknesses in a timely manner.

(4)  Verifies contingency plans are:

(a)  Created and maintained for each system throughout the systems development lifecycle;

(b)  Aligned with recovery requirements to perform essential functions.

(c)  Approved and tested annually at minimum and when a significant change to the system or cybersecurity posture occurs.

(d)  Integrated into other business continuity and emergency response plans at the bureau, post and/or facility level, as appropriate.

(e)  Alternate storage and processing sites are configured with the same level of safeguards as primary sites.

(f)   Ensure that current ITCP (if at Post) is maintained in the ISSO/RD ITCP Library.

5 FAM 854  Coordination among Organizational Entities

(CT:IM-343;   06-23-2025)

Coordination among organization entities is a policy requirement, per NIST 800-53 Rev 5. In compliance, the DT/E-CISO communicates with bureau, division and office heads through regular senior management meetings. Department stakeholders assess risk, respond to risk once determined, and monitor risk on an ongoing basis using effective organizational communications and a feedback loop to improve risk management activities. Risk management is integrated into the Department's daily tasks to maintain an effective IT Security and Privacy Program.

5 FAM 855  Compliance

(CT:IM-343;   06-23-2025)

a. Compliance is an explicit policy requirement, per NIST 800-53 Rev 5. Policy compliance requirements are addressed through the annual review and update of Foreign Affairs Manuals, annual security and privacy awareness training, and Rules of Behavior signature. The annual Assessment and Authorization Process includes confirmation of compliance with the Contingency Planning Policy. Non-compliance results in a Plan of Action & Milestones and is tracked to resolution.

b. Failure to comply with the Contingency Planning Policy or other information security and privacy policies may result in disciplinary action. In matters of noncompliance with Department security policy, the E-CISO coordinates with the Bureau of Administration and relevant supervisors for appropriate personnel action.

5 FAM 856  REFERENCES

(CT:IM-343;   06-23-2025)

5 FAM 856.1  Acronyms

(CT:IM-343;   06-23-2025)

A&A (Assessment & Authorization)

BEAP (Bureau Emergency Action Plan)

CIO (Chief Information Officer)

CO (Cyber Operations)

CR (Compliance Reporting)

CP (Contingency Planning)

E-CISO (Enterprise Chief Information Security Officer)

FCD (Federal Continuity Directive)

FedRAMP (Federal Risk and Authorization Management Program)

FIPS (Federal Information Processing Standard)

FISMA (Federal Information Security Modernization Act)

FTE (Full Time Equivalent)

IMO (Information Management Officer)

IaaS (Infrastructure as a Service)

DT (Diplomatic Technology Bureau)

DT/E-CISO/PLT (Office of Policy, Liaison, & Training)

ISCP (Information System Contingency Plan)

ISO (Information Systems Officer)

ISSO (Information Systems Security Officer)

IT (Information Technology)

ITCP (Information Technology Contingency Plan)

MEF (Mission Essential Functions)

NIST (National Institute of Standards and Technology)

OEM (Office of Emergency Management)

OMB (Office of Management and Budget)

PaaS (Platform as a Service)

POA&M (Plan of Action and Milestones)

Post’s EAP (Post’s Emergency Action Plan)

SaaS (Software as a Service)

SO (System Owners)

5 FAM 856.2  Definitions

(CT:IM-343;   06-23-2025)

Business continuity is advance planning and preparation to ensure ongoing mission capability following a disruption.

BIA is an analysis mission and business process including all resources needed of an information system, functions, and interdependencies used to characterize system contingency requirements and priorities in the event of a significant disruption.  Federal information systems are subject to a system-focused BIA versus a process-focus BIA with Continuity of Operations (COOP).

CP provides key information needed for technology or system recovery, including roles and responsibilities, safeguards for unplanned and planned events, assessment procedures, detailed recovery objectives, priorities and procedures, and testing information.  The documentation can be used to restore cyber connectivity/operations in order to sustain business operations following an unplanned disruption.

Continuity is consistent operation over a period of time.

Disruption is an unplanned event that causes an information system to be inoperable for a length of time (e.g., minor or extended power outage, extended unavailable network, or equipment or facility damage or destruction).

EAP is an operative, living document that must be reviewed at least annually and updated on a continuous basis.  Bureaus and posts use EAPs to effectively respond to any hazard that disrupts business operations as a result of emergencies including but not limited to cyber attacks, natural disasters, human-caused crises, etc. See 12 FAH-1 for post EAP requirements and guidance.

Impact level has high, moderate, or low impact categories of an information system established in FIPS 199 which classify the intensity of a potential impact that may occur if the information system is jeopardized.

Resiliency is the ability to recover quickly or in a timely manner following a disruption.

5 FAM 856.3  Authorities

(CT:IM-343;   06-23-2025)

Authorities for this subchapter are:

(1)    White House Office of Management and Budget (OMB) Circular A-130, Appendix I, Managing Information as a Strategic Resource, July 28, 2016 as amended (downloadable .pdf);

(2)    National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS) Publication 199;

(3)    Federal Information Security Modernization Act (FISMA) of 2014 (Title III of Public Law 113-283;

(4)    Federal Continuity Directive (FCD) – 1 Federal Executive Branch - National Continuity Program and Requirements (January 2017) (downloadable .pdf);

(5)    Federal Continuity Directive (FCD) – 2 Mission Essential Functions and Candidate Primary Mission Essential Functions Identification and Submission Process (June 2017) (downloadable .pdf);

(6)    NIST SP 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations;

(7)    Federal Mission Resilience Strategy;

(8)    Presidential Policy Directive (PPD)-21, Critical Infrastructure and Resilience;

(9)    NIST SP 800-34, Revision 1, Contingency Planning Guide for Federal Information Systems;

(10)  NIST SP 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy;

(11)  NIST SP 800-84, Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities;

(12)  NIST SP 800-100, Information Security Handbook: A Guide for Managers;

(13)  1 FAM 212.3, Office of Emergency Management (A/OEM);

(14)  1 FAM 270, Bureau of Diplomatic Technology;

(15)  5 FAM 100, Information Technology Management;

(16)  5 FAM 1060, Cybersecurity Management;

(17)  12 FAM 620, Unclassified Information System Security Policies;

(18)  12 FAM 630, Classified Information System Security Policies;

(19)  12 FAH-10 H-230, Contingency Planning;

(20)  Federal Risk and Authorization Management Program (FedRAMP);

(21)  5 FAM 1100 Cloud Computing; and

(22)  5 FAH-8 H-350 Cloud Computing.

5 FAM 856.4  Exhibits

(CT:IM-343;   06-23-2025)

N/A

5 FAM 856.5  Additional Resources

(CT:IM-343;   06-23-2025)

N/A

5 FAM 856.6  Related FAM/FAH

(CT:IM-343;   06-23-2025)

1 FAM 212.3 (Office of Emergency Management)

1 FAM 270  (Bureau of Information Resource Management)

5 FAM 100  (Information Technology Management)

5 FAM 1060 (Cybersecurity Management)

5 FAM 1100 (Cloud Computing)

12 FAM 620  (Unclassified Information System Security Policies)

12 FAM 630  (Classified Automated Information Systems)

5 FAH-8 H350 (Cloud Computing)

12 FAH-1 (Emergency Planning Handbook)

12 FAH-10 H-230 (Contingency Planning)

5 FAM 857  through 859 unassigned

UNCLASSIFIED (U)