Contingency Planning Policy and Procedures
Contingency Planning Policy for 18F
Agency Contingency Planning Policy
Contingency Planning policies and procedures are a common control provided by the GSA Information Security Policy and Compliance Division (ISP) of the OCISO. Contingency Planning Policy is included in CIO P 2100.1 - GSA IT Security Policy, Chapter 4, Policy on Operational Controls. It states, "Contingency planning focuses on the recovery and restoration of an IT system following a disruption. The contingency plan supports the agency Continuity of Operations Plan (COOP) required by HSPD-20, “National Continuity Policy,” ensuring that Primary Mission-Essential Functions continue to be performed during a wide range of emergencies. Contingency and continuity of support plans must be developed and tested annually for all IT systems in accordance with OMB Circular No. A-130, NIST SP 800-34, “Contingency Planning Guide for Information Technology Systems.”"
GSA OCISO ISP has also defined agency-wide contingency planning procedures in IT Security Procedural Guide: Contingency Planning (CIO-IT Security-06-29).
System Specific Expectation for Vendor/Contractor Operated Systems:
The 18F Program Office develops, documents, and disseminates to all 18F staff the 18F contingency planning policy, which addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance, and procedures to facilitate the implementation of the Contingency Planning policy and associated controls. The 18F Contingency Planning policy is listed within its private GitHub repository https://github.com/18F/compliance-docs/blob/master/CP-Policy.md that is accessible to all 18F staff.
Agency CP Policy
The GSA Office of the CISO is responsible for reviewing and updating the above documents annually, and notifying System Program Managers and Information System Security Officers and Managers (ISSO/Ms).
The 18F Program Office will review and update the current 18F Contingency Planning policy at least every 3 years and any documented contingency planning procedures at least annually.