STIGQter STIGQter: STIG Summary: Traditional Security Checklist Version: 1 Release: 3 Benchmark Date: 15 Jun 2020:

Information Assurance - COOP Plan and Testing (Not in Place for Information Technology Systems or Not Considered in the organizational Holistic Risk Assessment)

DISA Rule

SV-41043r3_rule

Vulnerability Number

V-30997

Group Title

Information Assurance - COOP Plan and Testing

Rule Version

IA-02.02.01

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Continuity of Operations Plans (COOP) must be developed and tested for ALL DoDIN connected systems to ensure system and data availability in the event of any type of failure. If no COOP is in place ensure the risk has been (specifically for lack of a COOP) accepted by the responsible Authorizing Official (AO) in a Holistic Risk Assessment of the organization.

Check Contents

Check there is a written COOP plan for inspected information technology systems:

1. If a COOP or Disaster Recovery Plan is not in place, ensure the AO has considered and accepted the risk (specifically for lack of COOP) from a Holistic Risk Assessment of the organization.

2. Check COOP documentation to ensure the plan is tested at least annually. Also check for discrepancies noted during the tests and if corrective action has been taken.

3. Conduct a cursory review of the COOP to ensure it is commensurate for COOP of IT systems as detailed within the risk assessment concerning recovery times and testing requirement(s).

NOTES:

1. Certain large computing centers like the DISA Computing Services (DECCs) may offer COOP as a fee for service option. Since this is applicable to "customer" applications it should not be a finding attributed to the DECC. If appropriate, COOP or lack thereof if cited as a finding in this instance should be attributed to the specific customer.

2. This requirement should not be applied to a tactical environment, unless it is a fixed computer facility supporting operations within a Theater of Operations. The standards to be applied for applicability in a tactical environment are: 1) The facility containing the computer room has been in operation over 1-year. 2) The facility is "fixed facility" - a hard building made from normal construction materials - wood, steel, brick, stone, mortar, etc.

Vulnerability Number

V-30997

Documentable

False

Rule Version

IA-02.02.01

Severity Override Guidance

Check there is a written COOP plan for inspected information technology systems:

1. If a COOP or Disaster Recovery Plan is not in place, ensure the AO has considered and accepted the risk (specifically for lack of COOP) from a Holistic Risk Assessment of the organization.

2. Check COOP documentation to ensure the plan is tested at least annually. Also check for discrepancies noted during the tests and if corrective action has been taken.

3. Conduct a cursory review of the COOP to ensure it is commensurate for COOP of IT systems as detailed within the risk assessment concerning recovery times and testing requirement(s).

NOTES:

1. Certain large computing centers like the DISA Computing Services (DECCs) may offer COOP as a fee for service option. Since this is applicable to "customer" applications it should not be a finding attributed to the DECC. If appropriate, COOP or lack thereof if cited as a finding in this instance should be attributed to the specific customer.

2. This requirement should not be applied to a tactical environment, unless it is a fixed computer facility supporting operations within a Theater of Operations. The standards to be applied for applicability in a tactical environment are: 1) The facility containing the computer room has been in operation over 1-year. 2) The facility is "fixed facility" - a hard building made from normal construction materials - wood, steel, brick, stone, mortar, etc.

Check Content Reference

M

Target Key

2506

Comments