Information Assurance - COOP Plan Testing (Not in Place for MAC I II Systems or Not Considered for MAC III Systems)

From Traditional Security

Part of Information Assurance - COOP Plan and Testing

Associated with IA controls: COMS-1, CODP-1, COTR-1, COAS-2, COPS-2, DCAR-1, DCHW-1, COEF-2, COEF-1, COSW-1, CODP-3, CODB-3, COBR-1, COAS-1, COMS-2, COPS-1, CODP-2, COED-2, CODB-2, COSP-2, COSP-1, COEB-2, COEB-1, COED-1, COPS-3, CODB-1

SV-41043r2_rule Information Assurance - COOP Plan Testing (Not in Place for MAC I II Systems or Not Considered for MAC III Systems)

Vulnerability discussion

Failure to develop a COOP and test it periodically can result in the partial or total loss of operations and INFOSEC. A contingency plan is necessary to reduce mission impact in the event of system compromise or disaster.

Check content

Check that there is a written COOP plan for inspected systems:

1. For Mission Assurance Category (MAC) III systems only: If a COOP or Disaster Recovery Plan is not in place, ensure the DAA has considered and accepted the risk (specifically for lack of COOP) in a Risk Assessment.
2. Check COOP documentation for plan testing, any discrepancies noted, and whether corrective action was taken.
3. Conduct a cursory review of the COOP to ensure it is commensurate with the MAC Level of the system concerning recovery times and testing requirement(s).

NOTES:

1. Certain large computing centers like the DISA Computing Services (DECCs) may offer COOP as a fee-for-service option. Since this is applicable to "customer" applications, it should not be a finding attributed to the DECC. If appropriate, COOP or the lack thereof, if cited as a finding in this instance, should be attributed to the specific customer.
2. This requirement should not be applied to a tactical environment, unless it is a fixed computer facility supporting operations within a Theater of Operations. The standards to be applied for applicability in a tactical environment are:
   1) The facility containing the computer room has been in operation over 1 year.
   2) The facility is a "fixed facility": a hard building made from normal construction materials (wood, steel, brick, stone, mortar, etc.).

Fix text

Continuity of Operations Plans (COOP) must be developed and tested commensurate with Mission Assurance Category (MAC) Level for ALL DISN-connected systems to ensure system and data availability in the event of any type of failure. For MAC III systems only: If no COOP is in place, ensure the risk has been (specifically) accepted by the responsible DAA in a Risk Assessment.
