NIST 800-53 REV 5 • CONTINGENCY PLANNING

CP-4(5) Self-challenge

Employ [Assignment: organization-defined mechanisms] to [Assignment: organization-defined system or system component] to disrupt and adversely affect the system or system component.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Often, the best method of assessing system resilience is to disrupt the system in some manner. The mechanisms used by the organization could disrupt system functions or system services in many ways, including terminating or disabling critical system components, changing the configuration of system components, degrading critical functionality (e.g., restricting network bandwidth), or altering privileges. Automated, on-going, and simulated cyber-attacks and service disruptions can reveal unexpected functional dependencies and help the organization determine its ability to ensure resilience in the face of an actual cyber-attack.

Practitioner Notes

This enhancement requires your organization to challenge itself by simulating disruptions to test resilience — proactively breaking things to find weaknesses before real disasters do.

Example 1: Implement a chaos engineering practice using tools like Azure Chaos Studio to randomly disrupt services in a controlled way and validate your recovery.

Example 2: Conduct unannounced contingency tests where IT leadership simulates a system failure without advance warning to staff, testing their ability to respond under realistic conditions.