FedRAMP Contingency Planning: Tips and Tricks

Andy Davidson

Despite being a strict FedRAMP requirement, contingency planning for a Cloud Service Offering (CSO) doesn’t usually get the attention it really deserves.  This can be a ticking time bomb if left unaddressed.

With that in mind, here are a few tips that you should take to heart when thinking about the type of contingency planning and processes that will meet your goals.

Management Commitment and Policy Acceptance

In typical security fashion, without the commitment of your upper management team, any approach for CSO contingency planning will fail.  Proper commitment will include not only verbal and written commitment, but also the financial commitment required to implement the plan itself and perhaps even active participation in relevant exercises.

Once that commitment is obtained, a Cloud Service Provider (CSP) should develop a formal contingency plan policy statement that provides the authority and guidance required to implement an effective contingency plan.  This policy statement requires the written commitment of upper management.

Development

With the support of upper management, develop a comprehensive contingency plan by executing the following steps:

  1. Business Impact Analysis (BIA): The CSP will need to conduct a BIA to identify and prioritize the critical CSO components/resources, identify outage impacts and allowable outage times, and develop recovery priorities.
  2. Identify Controls to Prevent Disruptions: Upon completion of the BIA, the CSP needs to focus its attention on identifying preventative controls that can help reduce the effects of overall system disruptions while also increasing system availability.
  3. Contingency Plan Development: A formalized contingency plan will contain the processes and procedures for restoring a CSO.  The plan must include steps for the notification and activation phase, which document the process of notifying recovery personnel.  A recovery phase should also be included to provide the recovery team with the approved courses of action to restore the CSO.  Lastly, the plan will need to include a phase for reconstitution of the CSO to normal operating conditions.

Training

Every organization should perform real-time training for CSO personnel.  Computer-based modules that train personnel on how to implement a contingency plan are helpful. However, real-time training provides necessary reinforcement of the contingency planning activities.  This type of training should be performed using all available organization resources, including alerting mechanisms.  Creating a test of your alerting system to kick off the training activity serves as a way to test your alerting mechanism and simulate a real-life contingency event as closely as possible.

Testing

CSPs should ban the use of the term “table-top testing” from their vocabulary.  Although cost effective, table-top testing will ensure that the only thing you are prepared for is a campfire chat.

This is the one area where organizations should add more funding to their budgets.  The first step is to look at the contingency plan test in terms of the organization’s overall brand.  In the age of real-time social media input, the damage to an organization’s brand can be irreparable if the CSO is down for any considerable amount of time.

The testing of the contingency plan should incorporate contingency plan training and include an actual failover of the CSO.  Develop potential scenarios that the recovery teams will need to address as they recover the system. Then perform these tasks in a real-life failover. This will truly test system redundancy and test the recovery team’s ability to meet the challenges of different contingency scenarios.

Contact Us to Get Started

38North can help you prepare and implement effective, compliant FedRAMP contingency plans. Contact us to get started.
