CP-2 Contingency Plan

Family: CP
Baselines: moderate
Mapped KSIs: 1

Control statement

a. Develop a contingency plan for the system that:
    1. Identifies essential mission and business functions and associated contingency requirements;
    2. Provides recovery objectives, restoration priorities, and metrics;
    3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
    4. Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;
    5. Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented;
    6. Addresses the sharing of contingency information; and
    7. Is reviewed and approved by {{ insert: param, cp-2_prm_1 }};
b. Distribute copies of the contingency plan to {{ insert: param, cp-2_prm_2 }};
c. Coordinate contingency planning activities with incident handling activities;
d. Review the contingency plan for the system {{ insert: param, cp-02_odp.05 }};
e. Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
f. Communicate contingency plan changes to {{ insert: param, cp-2_prm_4 }};
g. Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and
h. Protect the contingency plan from unauthorized disclosure and modification.

Requirement: For JAB authorizations the contingency lists include designated FedRAMP personnel.
Requirement: CSPs must use the FedRAMP Information System Contingency Plan (ISCP) Template (available on fedramp.gov: https://www.fedramp.gov/assets/resources/templates/SSP-A06-FedRAMP-ISCP-Template.docx).

Parameter placeholders {{ insert: param, … }} reference FedRAMP-set values in the resolved profile. The full parameter map is preserved in the catalog database.

Covered by these Key Security Indicators

| KSI | Title | Category |
| --- | --- | --- |
| KSI-RPL-02 | Recovery Plan: _Persistently_ review the alignment of recovery plans with defined recovery objectives. | Recovery Planning |