|CP-8 (1) Priority Of Service Provisions ||MODERATE |
Organizations consider the potential mission/business impact in situations where telecommunications service providers are servicing other organizations with similar priority-of-service provisions.
The organization:
CP-8 (1)(a) Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and
CP-8 (1)(b) Requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier.
|CP-8 (2) Single Points Of Failure ||MODERATE |
The organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.
|CP-8 (3) Separation Of Primary / Alternate Providers ||HIGH |
Threats that affect telecommunications services are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber/physical attacks, and errors of omission/commission. Organizations seek to reduce common susceptibilities by, for example, minimizing shared infrastructure among telecommunications service providers and achieving sufficient geographic separation between services. Organizations may consider using a single service provider in situations where the service provider can provide alternate telecommunications services meeting the separation needs addressed in the risk assessment.
The organization obtains alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.
|CP-8 (4) Provider Contingency Plan ||HIGH |
Reviews of provider contingency plans consider the proprietary nature of such plans. In some situations, a summary of provider contingency plans may be sufficient evidence for organizations to satisfy the review requirement. Telecommunications service providers may also participate in ongoing disaster recovery exercises in coordination with the Department of Homeland Security, state, and local governments. Organizations may use these types of activities to satisfy evidentiary requirements related to service provider contingency plan reviews, testing, and training.
The organization:
CP-8 (4)(a) Requires primary and alternate telecommunications service providers to have contingency plans;
CP-8 (4)(b) Reviews provider contingency plans to ensure that the plans meet organizational contingency requirements; and
CP-8 (4)(c) Obtains evidence of contingency testing/training by providers [Assignment: organization-defined frequency].
|CP-8 (5) Alternate Telecommunication Service Testing || |
The organization tests alternate telecommunication services [Assignment: organization-defined frequency].