Draft Contingency Planning Guide:
NIST SP 800-34 Rev 1
by M. E. Kabay, PhD, CISSP-ISSMP
Associate Professor of Information Assurance
School of Business & Management
Norwich University, Northfield VT
On Oct 27, 2009, the National Institute of Standards and Technology (NIST) Information
Technology Laboratory (ITL) Computer Security Division (CSD) published Special Publication
(SP) 800-34 Revision (Rev) 1, “DRAFT Contingency Planning Guide for Federal Information
Systems” < http://csrc.nist.gov/publications/drafts/800-34-rev1/draft_sp-800-34-rev1.pdf > and
requested comments < mailto:draft800-34-comments@nist.gov > from readers by January 6,
2010.
The official announcement < http://csrc.nist.gov/publications/PubsDrafts.html > described the SP
as follows:
SP 800-34 Revision 1 is intended to help organizations by providing instructions,
recommendations, and considerations for federal information system contingency
planning. Contingency planning refers to interim measures to recover information system
services after a disruption. The guide defines a seven-step contingency planning process
that an organization may apply to develop and maintain a viable contingency planning
program for their information systems. The guide also presents three sample formats for
developing an information system contingency plan based on low, moderate, or high
impact level, as defined by Federal Information Processing Standard (FIPS) 199,
Standards for Security Categorization of Federal Information and Information Systems.
Despite the inclusion of “for Federal Information Systems” in the title, SP 800-34 Rev 1 has a
great deal of value for all information assurance and business continuity specialists.
Authors Marianne Swanson, Pauline Bowen, Amy Wohl Phillips, Dean Gallup, and David Lynes
include two of the six authors of the June 2002 original version of SP 800-34 (Marianne
Swanson, Amy Wohl, Lucinda Pope, Tim Grance, Joan Hash and Ray Thomas) and have, as
usual for NIST ITL CSD, done a superb job of preparing a framework that lays out a sound basis
for business continuity planning (BCP).
The 150 page SP begins with an introduction presenting the purpose, scope and audience for
800-34 Rev 1. Page 13 of the PDF file describes the purpose as providing “guidelines to
individuals responsible for preparing and maintaining information system contingency plans
(ISCPs). The document discusses essential contingency plan elements and processes, highlights
specific considerations and concerns associated with contingency planning for various types of
information system platforms, and provides examples to assist readers in developing their own
ISCPs.” This document explicitly excludes discussion of disaster recovery.
The scope is defined as “recommended guidelines for federal organizations”(p 14) and the
audience is “managers within federal organizations and those individuals responsible for
information systems or security at system and operational levels. It is also written to assist
emergency management personnel who coordinate facility-level contingencies with supporting
information system contingency planning activities.”(p 15) However, references to Federal
Information Processing Standards (FIPS)< http://csrc.nist.gov/publications/PubsFIPS.html > in
no way prevents the guidelines from serving organizations outside the US federal government.
Indeed, the authors write, “The concepts presented in this document are specific to government
systems, but may be used by private and commercial organizations, including contractor
systems.” They then list a wide range of specific job titles of people likely to find the document
useful, including information technology (IT) managers, Chief Information Officers (CIOs),
systems engineers, and system architects.
The authors describe the structure of the document clearly as follows (p16):

Section 2, Background, provides background information about contingency planning,
including the purpose of various security and emergency management-related plans, their
relationships to ISCPs, and how the plans are integrated into an organization’s overall
resilience strategy by implementing the six steps of the Risk Management Framework
(RMF)….

Section 3, Information System Contingency Planning Process, details the fundamental
planning principles necessary for developing an effective contingency capability. The
principles outlined in this section are applicable to all information systems. This section
presents contingency planning guidelines for all elements of the planning cycle, including
business impact analysis, alternate site selection, and recovery strategies. The section also
discusses the development of contingency plan teams and the roles and responsibilities
commonly assigned to personnel during plan activation.

Section 4, Information System Contingency Plan Development, breaks down the
activities necessary to document the contingency strategy and develop the ISCP.
Maintaining, testing, training, and exercising the contingency plan are also discussed in
this section.

Section 5, Technical Contingency Planning Considerations, describes contingency
planning concerns specific to the information systems listed in Section 1.3, Scope. This
section helps contingency planners identify, select, and implement the appropriate
technical contingency measures for their given systems.
The nine appendices provide practical templates and checklists of great utility in BCP.
There is so much valuable information here that is offered in a structured, clear presentation that
every IA professional concerned with BCP should read – and, I hope, comment on – this draft
publication.
***
M. E. Kabay, PhD, CISSP-ISSMP < mailto:mekabay@gmail.com > specializes in security and
operations management consulting services. CV online.< http://www.mekabay.com/cv/ >
Copyright  2009 M. E. Kabay. All rights reserved.
Permission is hereby granted to Network World to distribute this article at will, to post it without
limit on any Web site, and to republish it in any way they see fit.