| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
|---|---|---|---|---|---|---|---|---|---|---|
| FedRAMP_High_R4 | CP-3 | FedRAMP_High_R4_CP-3 | FedRAMP High CP-3 | Contingency Planning | Contingency Training | Shared | n/a | The organization provides contingency training to information system users consistent with assigned roles and responsibilities: a. Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility; b. When required by information system changes; and c. [Assignment: organization-defined frequency] thereafter. Supplemental Guidance: Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to set up information systems at alternate processing and storage sites; and managers/senior leaders may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles/responsibilities reflects the specific continuity requirements in the contingency plan. Related controls: AT-2, AT-3, CP-2, IR-2. References: Federal Continuity Directive 1; NIST Special Publications 800-16, 800-50. | link | 1 |
| FedRAMP_Moderate_R4 | CP-3 | FedRAMP_Moderate_R4_CP-3 | FedRAMP Moderate CP-3 | Contingency Planning | Contingency Training | Shared | n/a | The organization provides contingency training to information system users consistent with assigned roles and responsibilities: a. Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility; b. When required by information system changes; and c. [Assignment: organization-defined frequency] thereafter. Supplemental Guidance: Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to set up information systems at alternate processing and storage sites; and managers/senior leaders may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles/responsibilities reflects the specific continuity requirements in the contingency plan. Related controls: AT-2, AT-3, CP-2, IR-2. References: Federal Continuity Directive 1; NIST Special Publications 800-16, 800-50. | link | 1 |
| hipaa | 1304.02e3Organizational.1-02.e | hipaa-1304.02e3Organizational.1-02.e | 1304.02e3Organizational.1-02.e | 13 Education, Training and Awareness | 1304.02e3Organizational.1-02.e 02.03 During Employment | Shared | n/a | Personnel with significant security responsibilities receive specialized education and training on their roles and responsibilities: (i) prior to being granted access to the organization’s systems and resources; (ii) when required by system changes; (iii) when entering into a new position that requires additional training; and, (iv) no less than annually thereafter. |  | 9 |
| hipaa | 1311.12c2Organizational.3-12.c | hipaa-1311.12c2Organizational.3-12.c | 1311.12c2Organizational.3-12.c | 13 Education, Training and Awareness | 1311.12c2Organizational.3-12.c 12.01 Information Security Aspects of Business Continuity Management | Shared | n/a | The organization’s employees are provided with crisis management awareness and training. |  | 3 |
| hipaa | 1313.02e1Organizational.3-02.e | hipaa-1313.02e1Organizational.3-02.e | 1313.02e1Organizational.3-02.e | 13 Education, Training and Awareness | 1313.02e1Organizational.3-02.e 02.03 During Employment | Shared | n/a | The organization provides incident response and contingency training to information system users consistent with assigned roles and responsibilities within 90 days of assuming an incident response role or responsibility; when required by information system changes; and within every 365 days thereafter. |  | 3 |
| hipaa | 1669.12d1Organizational.8-12.d | hipaa-1669.12d1Organizational.8-12.d | 1669.12d1Organizational.8-12.d | 16 Business Continuity & Disaster Recovery | 1669.12d1Organizational.8-12.d 12.01 Information Security Aspects of Business Continuity Management | Shared | n/a | The business continuity planning framework addresses a specific, minimal set of information security requirements. |  | 6 |
| ISO27001-2013 | A.7.2.2 | ISO27001-2013_A.7.2.2 | ISO 27001:2013 A.7.2.2 | Human Resources Security | Information security awareness, education and training | Shared | n/a | All employees of the organization and, where relevant, contractors shall receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function. | link | 15 |
| NIST_SP_800-53_R4 | CP-3 | NIST_SP_800-53_R4_CP-3 | NIST SP 800-53 Rev. 4 CP-3 | Contingency Planning | Contingency Training | Shared | n/a | The organization provides contingency training to information system users consistent with assigned roles and responsibilities: a. Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility; b. When required by information system changes; and c. [Assignment: organization-defined frequency] thereafter. Supplemental Guidance: Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to set up information systems at alternate processing and storage sites; and managers/senior leaders may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles/responsibilities reflects the specific continuity requirements in the contingency plan. Related controls: AT-2, AT-3, CP-2, IR-2. References: Federal Continuity Directive 1; NIST Special Publications 800-16, 800-50. | link | 1 |
| NIST_SP_800-53_R5 | CP-3 | NIST_SP_800-53_R5_CP-3 | NIST SP 800-53 Rev. 5 CP-3 | Contingency Planning | Contingency Training | Shared | n/a | a. Provide contingency training to system users consistent with assigned roles and responsibilities: 1. Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility; 2. When required by system changes; and 3. [Assignment: organization-defined frequency] thereafter; and b. Review and update contingency training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. | link | 1 |
| SWIFT_CSCF_v2022 | 9.1 | SWIFT_CSCF_v2022_9.1 | SWIFT CSCF v2022 9.1 | 9. Ensure Availability through Resilience | Providers must ensure that the service remains available for customers in the event of a local disturbance or malfunction. | Shared | n/a | Providers must ensure that the service remains available for customers in the event of a local disturbance or malfunction. | link | 8 |