UCF STIG Viewer Logo



Number Title Impact Priority Subject Area
CP-8 Telecommunications Services MODERATE P1 Contingency Planning

The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of Assignment: organization-defined information system operations for essential missions and business functions within Assignment: organization-defined time period when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
This control applies to telecommunications services (data and voice) for primary and alternate processing and storage sites. Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential missions/business functions despite the loss of primary telecommunications services. Organizations may specify different time periods for primary/alternate sites. Alternate telecommunications services include, for example, additional organizational or commercial ground-based circuits/lines or satellites in lieu of ground-based communications. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements.

CP-8 (1) Priority Of Service Provisions MODERATE
Organizations consider the potential mission/business impact in situations where telecommunications service providers are servicing other organizations with similar priority-of-service provisions.

The organization:

CP-8 (1)(a)

Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and

CP-8 (1)(b)

Requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier.

CP-8 (2) Single Points Of Failure MODERATE

The organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.

CP-8 (3) Separation Of Primary / Alternate Providers HIGH
Threats that affect telecommunications services are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber/physical attacks, and errors of omission/commission. Organizations seek to reduce common susceptibilities by, for example, minimizing shared infrastructure among telecommunications service providers and achieving sufficient geographic separation between services. Organizations may consider using a single service provider in situations where the service provider can provide alternate telecommunications services meeting the separation needs addressed in the risk assessment.

The organization obtains alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.

CP-8 (4) Provider Contingency Plan HIGH
Reviews of provider contingency plans consider the proprietary nature of such plans. In some situations, a summary of provider contingency plans may be sufficient evidence for organizations to satisfy the review requirement. Telecommunications service providers may also participate in ongoing disaster recovery exercises in coordination with the Department of Homeland Security, state, and local governments. Organizations may use these types of activities to satisfy evidentiary requirements related to service provider contingency plan reviews, testing, and training.

The organization:

CP-8 (4)(a)

Requires primary and alternate telecommunications service providers to have contingency plans;

CP-8 (4)(b)

Reviews provider contingency plans to ensure that the plans meet organizational contingency requirements; and

CP-8 (4)(c)

Obtains evidence of contingency testing/training by providers Assignment: organization-defined frequency.

CP-8 (5) Alternate Telecommunication Service Testing

The organization tests alternate telecommunication services Assignment: organization-defined frequency.