Back to Control Explorer
RE.5.140
Content
Control Acronym
RE
Family
Recovery
CMMC Level
5
800-171 Control #
N/A
CMMC Description
Ensure information processing facilities meet organizationally defined information security continuity, redundancy, and availability requirements.
CMMC Clarification
This practice requires an organization to do what is needed in order for their cybersecurity solutions to continue to function under stress or attack. This means that even if a solution that helps protect the environment has a failure, then other mechanisms will fill in the gap in order for the functionality to continue. Redundant components can help with this as well as proper planning and implementation. If a firewall fails, make sure another firewall can take its place, or the environment should fail closed preventing traffic from passing until the problem can be fixed. By having redundancy in place, an organization may continue operations with confidence knowing their cyber security mission is functioning properly, and the components will continue to operate properly even when failures may be taking place. Example 1 An environment has a log collection server in place for collecting end-point logs from across the enterprise. Knowing this could be a catastrophic problem if the log collection system goes down, the organization plans and creates a clone of the primary log server and has setup the environment to perform automated switch over in case the primary server goes down. This will allow the organization to continue to collect logs, perform analysis, and act on incidents that happen during the time the primary server is down. Example 2 A proxy server that is used to protect an organization against malicious websites by utilization of website categorization is setup by the IT department. If this solution goes down, the company will need to shutoff communication to the Internet or allow people to browse websites without use of the categorization for protection. Loss of this protection mechanism could lead to malicious content being downloaded to user systems. The organization plans for secondary and tertiary proxies to be put in place and setup the solution so transfer of processing will occur in near real time if there is ever a problem with the primary. This not only allows continuity of operation for accessing Internet resources, but it also provides continuity of operations with respect to the protection provided by the proxy server’s categorization capability.
800-171 Description
800-171 Discussion
N/A
Other Source Discussion
CMMC This practice is about information system resilience, and requires that the organization take the actions necessary to ensure that the information security components continue to operate as needed to achieve business success and to ensure that the system’s part in protection of CUI is maintained. It should be noted that “as needed” and “the system’s part” may change if, as a result of stress, contingency business operations are conducted e.g., as part of the organization’s continuity of operations (COOP) planning. Note that redundancy is typically an aspect of resilience, yet is seldom sufficient as the means for achieving needed resilience.
CIS Control References
NIST 800-53 Control Ref.
NIST 800-53 Rev 4 CP-10
CMMC Derived
CMMC
NIST CSF Control References
NIST 800-171 References
Applicable FAR Clause
NIST CSF Control Reference
NIST CSF v1.1 PR.IP-9
CERT RMM Reference
CERT RMM v1.2 RRM:SG1.SP2