Draft Contingency Planning Guide: NIST SP 800-34 Rev 1 by M. E. Kabay, PhD, CISSP-ISSMP Associate Professor of Information Assurance School of Business & Management Norwich University, Northfield VT On Oct 27, 2009, the National Institute of Standards and Technology (NIST) Information Technology Laboratory (ITL) Computer Security Division (CSD) published Special Publication (SP) 800-34 Revision (Rev) 1, “DRAFT Contingency Planning Guide for Federal Information Systems” < http://csrc.nist.gov/publications/drafts/800-34-rev1/draft_sp-800-34-rev1.pdf > and requested comments < mailto:draft800-34-comments@nist.gov > from readers by January 6, 2010. The official announcement < http://csrc.nist.gov/publications/PubsDrafts.html > described the SP as follows: SP 800-34 Revision 1 is intended to help organizations by providing instructions, recommendations, and considerations for federal information system contingency planning. Contingency planning refers to interim measures to recover information system services after a disruption. The guide defines a seven-step contingency planning process that an organization may apply to develop and maintain a viable contingency planning program for their information systems. The guide also presents three sample formats for developing an information system contingency plan based on low, moderate, or high impact level, as defined by Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems. Despite the inclusion of “for Federal Information Systems” in the title, SP 800-34 Rev 1 has a great deal of value for all information assurance and business continuity specialists. Authors Marianne Swanson, Pauline Bowen, Amy Wohl Phillips, Dean Gallup, and David Lynes include two of the six authors of the June 2002 original version of SP 800-34 (Marianne Swanson, Amy Wohl, Lucinda Pope, Tim Grance, Joan Hash and Ray Thomas) and have, as usual for NIST ITL CSD, done a superb job of preparing a framework that lays out a sound basis for business continuity planning (BCP). The 150 page SP begins with an introduction presenting the purpose, scope and audience for 800-34 Rev 1. Page 13 of the PDF file describes the purpose as providing “guidelines to individuals responsible for preparing and maintaining information system contingency plans (ISCPs). The document discusses essential contingency plan elements and processes, highlights specific considerations and concerns associated with contingency planning for various types of information system platforms, and provides examples to assist readers in developing their own ISCPs.” This document explicitly excludes discussion of disaster recovery. The scope is defined as “recommended guidelines for federal organizations”(p 14) and the audience is “managers within federal organizations and those individuals responsible for information systems or security at system and operational levels. It is also written to assist emergency management personnel who coordinate facility-level contingencies with supporting information system contingency planning activities.”(p 15) However, references to Federal Information Processing Standards (FIPS)< http://csrc.nist.gov/publications/PubsFIPS.html > in no way prevents the guidelines from serving organizations outside the US federal government. Indeed, the authors write, “The concepts presented in this document are specific to government systems, but may be used by private and commercial organizations, including contractor systems.” They then list a wide range of specific job titles of people likely to find the document useful, including information technology (IT) managers, Chief Information Officers (CIOs), systems engineers, and system architects. The authors describe the structure of the document clearly as follows (p16): Section 2, Background, provides background information about contingency planning, including the purpose of various security and emergency management-related plans, their relationships to ISCPs, and how the plans are integrated into an organization’s overall resilience strategy by implementing the six steps of the Risk Management Framework (RMF)…. Section 3, Information System Contingency Planning Process, details the fundamental planning principles necessary for developing an effective contingency capability. The principles outlined in this section are applicable to all information systems. This section presents contingency planning guidelines for all elements of the planning cycle, including business impact analysis, alternate site selection, and recovery strategies. The section also discusses the development of contingency plan teams and the roles and responsibilities commonly assigned to personnel during plan activation. Section 4, Information System Contingency Plan Development, breaks down the activities necessary to document the contingency strategy and develop the ISCP. Maintaining, testing, training, and exercising the contingency plan are also discussed in this section. Section 5, Technical Contingency Planning Considerations, describes contingency planning concerns specific to the information systems listed in Section 1.3, Scope. This section helps contingency planners identify, select, and implement the appropriate technical contingency measures for their given systems. The nine appendices provide practical templates and checklists of great utility in BCP. There is so much valuable information here that is offered in a structured, clear presentation that every IA professional concerned with BCP should read – and, I hope, comment on – this draft publication. *** M. E. Kabay, PhD, CISSP-ISSMP < mailto:mekabay@gmail.com > specializes in security and operations management consulting services. CV online.< http://www.mekabay.com/cv/ > Copyright 2009 M. E. Kabay. All rights reserved. Permission is hereby granted to Network World to distribute this article at will, to post it without limit on any Web site, and to republish it in any way they see fit.