
V-245773

CAT III (Low)

Information Assurance - COOP Plan or Testing (Incomplete)

Rule ID

SV-245773r1138488_rule

STIG

Traditional Security Checklist

Version

V2R8

CCIs

None

Discussion

Failure to develop a COOP and test it periodically can result in the partial or total loss of operations and INFOSEC. A contingency plan is necessary to reduce mission impact in the event of system compromise or disaster.

REFERENCES:

CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, Paragraphs 15 & 32

NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: CP-2, CP-2(1) through CP-2(8), CP-4, CP-4(1) through CP-4(4), CP-6, CP-7, CP-9, MA-6

DODI 8500.01, SUBJECT: Cybersecurity, March 14, 2014, Enclosure 3, paragraph 3.

DODD 3020.26, SUBJECT: Department of Defense Continuity Programs, January 9, 2009

DODI 3020.42, SUBJECT: Defense Continuity Plan Development, February 17, 2006

Implementation of DOD Continuity Strategy - Deputy Secretary of Defense, 25 May 07

National Security Presidential Directive (NSPD) 51 / Homeland Security Presidential Directive (HSPD) 20 - National Continuity Policy, 9 May 07

Federal Continuity Directives 1 Oct 12 and 2 Jul 13, Federal Executive Branch National Continuity Program and Requirements.

NIST Special Publication 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems, May 2010

32 CFR 117 and 32 CFR 2001 and 2003 as well as DOD Manual 5200.32 Volume 1

Check Content

This check is for when a reviewer finds that a COOP process is well established within the inspected organization, but it does not include a minority of systems, requirements, or testing of all systems, for which the risk of having no COOP or testing was not accepted by the Authorizing Official (AO) in a holistic risk assessment for the organization.

NOTES: 

1. This finding/VUL is only applicable when some of the site/organization systems are connected to the DODIN and do not have a COOP and/or the COOP is not tested and the risk for not having a COOP and/or documented testing is not accepted by the AO in a holistic risk assessment document. 

2. If this finding/VUL is used, IA-02.02.01 is NA. 

3. This VUL is applicable in a tactical environment if it involves a fixed facility as previously described.

Fix Text

ALL systems connected to the DODIN must be included in the enclave COOP documentation and testing. If it is determined that some of the site/organization systems connected to the DODIN (a portion of the systems on site) do not need to be included in the COOP (plan and/or testing), then the risk for this must specifically be accepted by the AO in a holistic risk assessment document.