NIST 800-53 r5 · Controls catalogue · Family CP

CP-2Contingency Plan

Develop a contingency plan for the system that: Identifies essential mission and business functions and associated contingency requirements; Provides recovery objectives, restoration priorities, and metrics; Addresses contingency roles, responsibilities, assigned individuals with contact information; Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure; Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented; Addresses the sharing of contingency information; and Is reviewed and approved by {{ insert: param, cp-2_prm_1 }}; Distribute copies of the contingency plan to {{ insert: param, cp-2_prm_2 }}; Coordinate contingency planning activities with incident handling activities; Review the contingency plan for the system {{ insert: param, cp-02_odp.05 }}; Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; Communicate contingency plan changes to {{ insert: param, cp-2_prm_4 }}; Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and Protect the contingency plan from unauthorized disclosure and modification.

Last updated: 09 May 2026 03:25 UTC

Implementations targeting this control (0)

No implementations targeting this control yet.

ATT&CK techniques this control mitigates (9)

T1485 Data Destruction Impact
T1486 Data Encrypted for Impact Impact
T1490 Inhibit System Recovery Impact
T1491 Defacement Impact
T1491.001 Internal Defacement Impact
T1491.002 External Defacement Impact
T1561 Disk Wipe Impact
T1561.001 Disk Content Wipe Impact
T1561.002 Disk Structure Wipe Impact

Weaknesses this control addresses (3)AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE	Name	CVEs	Why this control addresses it
`CWE-200`	Exposure of Sensitive Information to an Unauthorized Actor	10,204	Mandates protection of the contingency plan against unauthorized disclosure, reducing exposure of sensitive recovery and operational information.
`CWE-284`	Improper Access Control	4,832	Requires protecting the contingency plan from unauthorized disclosure and modification, directly necessitating implementation of access controls on this critical document.
`CWE-693`	Protection Mechanism Failure	476	Requires planning for full restoration without deterioration of originally implemented controls, mitigating impact from protection mechanism failures during compromise or disruption.

Top CVEs where this control is the strongest mitigation

CVE	Risk	CVSS	EPSS	Match
No CVEs annotated to this control yet — the per-CVE backfill is in progress.

Other controls in family CP

CP-1 CP-10 CP-11 CP-12 CP-13 CP-3 CP-4 CP-5 CP-6 CP-7 CP-8 CP-9