On Oct. 27, 2009, the National Institute of Standards and Technology (NIST) Information Technology Laboratory (ITL) Computer Security Division (CSD) published Special Publication (SP) 800-34 Revision (Rev) 1, "DRAFT Contingency Planning Guide for Federal Information Systems" and requested comments from readers by Jan. 6, 2010.
The official announcement described the SP as follows:
SP 800-34 Revision 1 is intended to help organizations by providing instructions, recommendations, and considerations for federal information system contingency planning. Contingency planning refers to interim measures to recover information system services after a disruption. The guide defines a seven-step contingency planning process that an organization may apply to develop and maintain a viable contingency planning program for their information systems. The guide also presents three sample formats for developing an information system contingency plan based on low, moderate, or high impact level, as defined by Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems.
Despite the inclusion of "for Federal Information Systems" in the title, SP 800-34 Rev 1 has a great deal of value for all information assurance and business continuity specialists.
Authors Marianne Swanson, Pauline Bowen, Amy Wohl Phillips, Dean Gallup, and David Lynes include two of the six authors of the June 2002 original version of SP 800-34 (Swanson, Wohl, Lucinda Pope, Tim Grance, Joan Hash and Ray Thomas) and have, as usual for NIST ITL CSD, done a superb job of preparing a framework that lays out a sound basis for business continuity planning (BCP).
The 150-page SP begins with an introduction presenting the purpose, scope and audience for 800-34 Rev 1. Page 13 of the PDF file describes the purpose as providing "guidelines to individuals responsible for preparing and maintaining information system contingency plans (ISCP). The document discusses essential contingency plan elements and processes, highlights specific considerations and concerns associated with contingency planning for various types of information system platforms, and provides examples to assist readers in developing their own ISCPs." This document explicitly excludes discussion of disaster recovery.
The scope is defined as "recommended guidelines for federal organizations"(p 14) and the audience is "managers within federal organizations and those individuals responsible for information systems or security at system and operational levels. It is also written to assist emergency management personnel who coordinate facility-level contingencies with supporting information system contingency planning activities."(p 15) However, references to Federal Information Processing Standards (FIPS) in no way prevents the guidelines from serving organizations outside the U.S. federal government. Indeed, the authors write, "The concepts presented in this document are specific to government systems, but may be used by private and commercial organizations, including contractor systems." They then list a wide range of specific job titles of people likely to find the document useful, including IT managers, CIOs, systems engineers, and system architects.
The authors describe the structure of the document clearly as follows (p16):
• Section 2, Background, provides background information about contingency planning, including the purpose of various security and emergency management-related plans, their relationships to ISCPs, and how the plans are integrated into an organization's overall resilience strategy by implementing the six steps of the Risk Management Framework (RMF)….
• Section 3, Information System Contingency Planning Process, details the fundamental planning principles necessary for developing an effective contingency capability. The principles outlined in this section are applicable to all information systems. This section presents contingency planning guidelines for all elements of the planning cycle, including business impact analysis, alternate site selection, and recovery strategies. The section also discusses the
Post new comment