
A&A Upcoming Deadline – Contingency Plan Testing
December 19, 2014
This message is to provide an update of activities involving the Science and Support System (S&SS).
The Information Security Office is coordinating an FY15 Information Technology Security Activities memo to be distributed in the next few weeks to Information System Owners, Science Center Directors and Program Managers. In order to provide as much time as possible to complete the first few activities, the following guidance and targeted dates for completion are being provided in advance of the memo to all Information System Security Officers (ISSO) and Asset Security Managers regarding i) Information System Contingency Plan (ISCP) updates and ii) Contingency Plan (CP) Testing and Exercises.
As in previous fiscal years, completion of activities will be tracked through the Continuous Monitoring dashboard at http://internal.usgs.gov/
Contingency Plan Testing and Exercises:
1. Identify Participants for the CP Test/Exercise
All individuals identified with an assigned role or responsibility in the ISCP should be included as a participant in the exercise. Participation in the exercise will satisfy that individual’s requirement for annual contingency training (see note below on training).
2. Prepare a CP Test/Exercise plan
All moderate impact Systems and Assets must conduct a functional exercise (test). A tabletop exercise or simulation is not acceptable. The exercise plan should include an element of system recovery from backup media.
Additionally, NIST SP 800-34 Rev1, “Contingency Planning for Federal Information Systems”, recommends the following areas be included in exercises, as applicable:
- Notification Procedures
- System recovery on an alternate platform from backup media
- Internal and external connectivity
- System performance using alternate equipment
- Restoration of normal operations
- Other plan testing (where coordination is identified, i.e., COOP, BCP)
3. Schedule and conduct CP Test/Exercise with participants
If actual events have occurred during FY14 that exercised the areas of the CP Test/Exercise plan from step 2 (above), the CP Test/Exercise can be considered as complete. An additional test/exercise does not have to be performed. However, the results must be documented in a CP Test Report as described in step 4 (below).
4. Document Test/Exercise Results
After the test/exercise, complete a CP Test Report. The report must include the following elements:
- Introduction (Description of the test, date performed)
- Participants (Listing of who participated, including role and responsibility)
- Outcome (What happened during the test?)
- Lessons Learned (What may need to be updated in the Contingency Plan as a result of the test?)
A CP Test Report Template is available at http://internal.usgs.gov/oei/security/USGS_ISCP_Test_Report_Template_v1.0.doc.
5. Upload the completed CP Test Report to your System or Asset “FY2015 SOP” folder on the A&A SharePoint Portal by December 19, 2014
Note: Contingency Training is an annual requirement. If an individual identified with an assigned role and/or responsibility in the ISCP is unable to participate in the test/exercise, this requirement can be satisfied by reviewing the most recent FY15 CP Test Report AND sending an email to the ISSO or Asset Security Manager stating they have reviewed the report and accept their CP role and/or responsibility.