📢 New post: Is It Even in Your Boundary? CVE-2026-0257 and the Question a KEV Clock Asks First · 📝 Also fresh: 20x Is Permanent Now: The Rehearsal's Over, the Rules Land in June · 🚦 Beacon — the FedRAMP 20x KSI emitter — design partners open ✨ · 🆕 20x Hub: program reference, kept current · 🧪 Free tool: KSI Quick Check — paste, run, get the verdict

FedRAMP Controls / CP

CP-3 Contingency Training

Family CP
Baselines moderate
Mapped KSIs 1

Control statement

a. Provide contingency training to system users consistent with assigned roles and responsibilities:
        1. Within {{ insert: param, cp-03_odp.01 }} of assuming a contingency role or responsibility;
        2. When required by system changes; and
        3.  {{ insert: param, cp-03_odp.02 }} thereafter; and
    b. Review and update contingency training content {{ insert: param, cp-03_odp.03 }} and following {{ insert: param, cp-03_odp.04 }}.
        (a) Requirement: Privileged admins and engineers must take the basic contingency training within 10 days. Consideration must be given for those privileged admins and engineers with critical contingency-related roles, to gain enough system context and situational awareness to understand the full impact of contingency training as it applies to their respective level. Newly hired critical contingency personnel must take this more in-depth training within 60 days of hire date when the training will have more impact.

Parameter placeholders {{ insert: param, … }} reference FedRAMP-set values in the resolved profile. Full parameter map is preserved in the catalog database.

Covered by these Key Security Indicators

KSITitleCategory
KSI-CED-03Development and Engineering Training
_Persistently_ review the effectiveness of role-specific training given to development and engineering staff that covers best practices for delivering secure software.
Cybersecurity Education