


Control Acronym




CMMC Level


800-171 Control #


CMMC Description

Ensure information processing facilities meet organizationally defined information security continuity, redundancy, and availability requirements.

CMMC Clarification

This practice requires an organization to do what is needed for its cybersecurity solutions to continue to function under stress or attack. This means that even if a solution that helps protect the environment fails, other mechanisms will fill the gap so that the functionality continues. Redundant components can help with this, as can proper planning and implementation. If a firewall fails, make sure another firewall can take its place, or the environment should fail closed, preventing traffic from passing until the problem can be fixed. By having redundancy in place, an organization may continue operations with confidence, knowing its cybersecurity mission is functioning properly and the components will continue to operate properly even when failures may be taking place.

Example 1

An environment has a log collection server in place for collecting end-point logs from across the enterprise. Knowing it could be a catastrophic problem if the log collection system goes down, the organization plans and creates a clone of the primary log server and has set up the environment to perform automated switchover in case the primary server goes down. This will allow the organization to continue to collect logs, perform analysis, and act on incidents that happen during the time the primary server is down.

Example 2

A proxy server that protects an organization against malicious websites by means of website categorization is set up by the IT department. If this solution goes down, the company will need to shut off communication to the Internet or allow people to browse websites without the categorization for protection. Loss of this protection mechanism could lead to malicious content being downloaded to user systems. The organization plans for secondary and tertiary proxies to be put in place and sets up the solution so that transfer of processing will occur in near real time if there is ever a problem with the primary. This not only allows continuity of operation for accessing Internet resources, but it also provides continuity of operations with respect to the protection provided by the proxy server’s categorization capability.

800-171 Description

800-171 Discussion


Other Source Discussion

CMMC: This practice is about information system resilience, and requires that the organization take the actions necessary to ensure that the information security components continue to operate as needed to achieve business success and to ensure that the system’s part in protection of CUI is maintained. It should be noted that “as needed” and “the system’s part” may change if, as a result of stress, contingency business operations are conducted, e.g., as part of the organization’s continuity of operations (COOP) planning. Note that redundancy is typically an aspect of resilience, yet is seldom sufficient as the means for achieving needed resilience.

CIS Control References

NIST 800-53 Control Ref.

NIST 800-53 Rev 4 CP-10

CMMC Derived


NIST CSF Control References

NIST 800-171 References

Applicable FAR Clause

NIST CSF Control Reference


CERT RMM Reference


Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSC Cyber Reference

AS ACSC Reference

