1904 Contingency Planning Policy
Department of Human Services
Index: POL1904
Revised: 06/02/2025
Next Review: 06/02/2027
Subject: DHS Information Security Policies
Policy
This policy establishes the Enterprise Contingency Planning Policy for managing risks from information system disruptions, failures, and disasters through the establishment of an effective contingency planning program. The contingency planning program helps DHS implement security best practices with regard to enterprise business continuity and disaster recovery.
Authority
- United States Department of Commerce National Institute for Standards and Technology (NIST)
- United States Internal Revenue Service
- United States Department of Health & Human Services – Administration of Children and Families (ACF), Office of Child Support Services (OCSS)
- United States Department of Health & Human Services – Centers for Medicare & Medicaid Services (CMS)
- Georgia Technology Authority
- Social Security Administration
- Federal Bureau of Investigation (Criminal Justice Information Services)
References
Applicability
The scope of this policy is applicable to all Information Technology (IT) resources owned or operated by DHS. Any information, not specifically identified as the property of other parties, that is transmitted or stored on DHS IT resources (including email, messages, and files) is the property of DHS. All users (DHS employees, contractors, vendors, or others) of IT resources are responsible for adhering to this policy.
Definitions
- Recovery Time Objectives (RTO): The target time you set for the recovery of your IT and business activities after a disaster has struck.
- Recovery Point Objectives (RPO): The maximum targeted period in which data might be lost from an IT service due to a major incident.
- Controlled Unclassified Information (CUI): Information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.
Responsibilities
DHS shall adopt the Contingency Planning principles established in NIST SP 800-34 “Contingency Planning Guide for Federal Information Systems,” as the official policy for this domain. The following subsections outline the Contingency Planning standards that constitute DHS policy. Each DHS Business System is then bound to this policy, and shall develop or adhere to a program plan which demonstrates compliance with the policy related to the standards documented.
CP-1 Contingency Planning Procedures
- Develop, document, and disseminate to designated agency personnel:
  - All organizational level contingency planning policy that:
    - Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    - Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
  - Procedures to facilitate the implementation of the contingency planning policy and the associated controls.
- Designate an agency official to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and
- Review and update the current contingency planning:
  - Policy every one (1) year (or if there is a significant change); and
  - Procedures every one (1) year (or when there is a significant change).
CP-2 Contingency Plan
- Develop a contingency plan for the information system that:
  - Identifies essential missions and business functions and associated contingency requirements;
  - Provides recovery objectives, restoration priorities and metrics;
  - Addresses contingency roles, responsibilities, assigned individuals with contact information;
  - Addresses maintaining essential missions and business functions despite a system disruption, compromise, or failure;
  - Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented;
  - Addresses the sharing of contingency information; and
  - Is reviewed and approved by designated agency officials and other applicable agency stakeholders.
- Distribute copies of the contingency plan to key contingency personnel;
- Coordinate contingency planning activities with incident handling activities;
- Review the contingency plan for the information system at a minimum annually;
- Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
- Communicate contingency plan changes to key contingency personnel;
- Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and
- Protect the contingency plan from unauthorized disclosure and modification.
CP-2 (1) Coordinate with Related Plans:
Coordinate contingency plan development with organizational elements responsible for related plans.
CP-3 Contingency Training
- Provide contingency training to system users consistent with assigned roles and responsibilities:
  - Within 30 days of assuming a contingency role or responsibility;
  - When required by system changes; and
  - Annually thereafter; and
- Review and update contingency training content at least every one (1) year and following a significant change.
CP-4 Contingency Plan Testing
- Test the contingency plan for the system, at a minimum annually, using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: tests in accordance with NIST SP 800-84 “Guide to Test, Training, and Exercise Process for IT Plans and Capabilities,” NIST SP 800-34 “Contingency Planning Guide for Federal Information Systems,” and other applicable guidance, and business-unit-defined tests and exercises; and
- Review the contingency plan test results; and
- Initiate corrective actions, if needed.
CP-6 Alternate Storage Site
- Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and
- Ensure that the alternate storage site provides controls equivalent to that of the primary site.
CP-7 Alternate Processing Site
- Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of system operations for essential mission and business functions within a time period consistent with recovery time and recovery point objectives (specified by the applicable system contingency plan or Continuity of Operations Plan (COOP) for the business function(s) supported by the system) when the primary processing capabilities are unavailable;
- Make available at the alternate processing site the equipment and supplies required to transfer and resume operations, or put contracts in place to support delivery to the site within the organization-defined time period for transfer and resumption; and
- Provide controls at the alternate processing site that are equivalent to those at the primary site.
CP-7 (1) Separation From Primary Site:
Identify an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats.
CP-7 (2) Accessibility:
Identify potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster and outline explicit mitigation actions.
CP-7 (3) Priority of Service:
Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives).
CP-8 Telecommunications Services
Establish alternate telecommunications services, including necessary agreements to permit the resumption of system operations for essential mission and business functions within a specific time period defined by the Agency’s business leadership as specified in the applicable system contingency plan, Information System Contingency Plan (ISCP), Business Impact Analysis (BIA), or Continuity of Operations Plan (COOP) when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
CP-8 (1) Priority of Service Provisions
- Develop primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives); and
- Request Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier.
CP-9 Information System Backup
- Conduct backups of user-level information contained in system and security-related documentation consistent with:
  - Daily incremental backups and weekly full backups;
  - Maintaining three (3) generations of backups, at least one (1) of which is available online (a full backup and all related incremental backups);
- Conduct backups of system-level information contained in the system consistent with:
  - Daily incremental backups and weekly full backups;
  - Maintaining three (3) generations of backups, at least one (1) of which is available online (a full backup and all related incremental backups);
- Conduct backups of system documentation, including security- and privacy-related documentation, consistent with:
  - Daily incremental backups and weekly full backups;
  - Maintaining three (3) generations of backups, at least one (1) of which is available online (a full backup and all related incremental backups); and
- Protect the confidentiality, integrity, and availability of backup information.
CP-10 Information System Recovery and Reconstitution
Provide for the recovery and reconstitution of the system to a known state within an agency-defined time period consistent with the recovery time and recovery point objectives specified in the contingency plan or COOP after a disruption, compromise, or failure.
Evaluation
The Office of Information Technology (OIT), upon recommendation of the DHS Chief Information Security Officer (CISO), evaluates this policy annually by:
- Comparing its content and intent to evolving regulatory compliance standards imposed upon the Agency, such as IRS 1075, NIST 800-53, and CMS MARS-E.
- Addressing any deficiencies or gaps discovered during periodic audits conducted by Georgia DOAA or other regulatory bodies, such as IRS, CMS, SSA, FBI, etc.