A contingency plan must exist in accordance with DOD policy based on the application's availability requirements.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-222636	APSC-DV-003050	SV-222636r1051323_rule		Medium

Description

Contingency planning for systems is part of an overall program for achieving continuity of operations for organizational mission and business functions. Contingency planning addresses system restoration and implementation of alternative mission or business processes when systems are compromised or breached. All applications must document procedures to include business recovery plans, system contingency plans, facility disaster recovery plans, and plan acceptance.

STIG	Date
Application Security and Development Security Technical Implementation Guide	2025-02-12

Details

Check Text (C-24306r1051323_chk)

Review contingency plans.

For high availability applications, verify the contingency plan exists and provides for the smooth transfer of all mission or business essential functions to an alternate site for the duration of an event with little or no loss of operational continuity.

For moderate availability applications, verify the contingency plan exists and provides for the resumption of mission or business essential functions within 12 hours activation or as defined in the contingency plan.

For low availability applications, verify the contingency plan exists and provides for the partial resumption of mission or business essential functions within 5 to 30 days of activation as defined in the contingency plan.

If the contingency plan does not exist or does not meet the severity level requirements, this is a finding.

Fix Text (F-24295r1051274_fix)

Create and maintain a contingency plan that identifies essential mission and business functions and associated contingency requirements.