NIST 800-53 REV 5 • CONTINGENCY PLANNING

CP-8(3)Separation of Primary and Alternate Providers

Obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Threats that affect telecommunications services are defined in organizational assessments of risk and include natural disasters, structural failures, cyber or physical attacks, and errors of omission or commission. Organizations can reduce common susceptibilities by minimizing shared infrastructure among telecommunications service providers and achieving sufficient geographic separation between services. Organizations may consider using a single service provider in situations where the service provider can provide alternate telecommunications services that meet the separation needs addressed in the risk assessment.

Practitioner Notes

This enhancement requires your primary and alternate telecommunications providers to be different companies — or at least use different infrastructure — to avoid a single provider failure taking down both.

Example 1: Use two different ISPs (e.g., AT&T fiber and Comcast cable) rather than two circuits from the same provider, which might share the same backbone infrastructure.

Example 2: For your alternate site, contract with a local ISP that uses completely different backbone infrastructure than your primary site's provider.

More Contingency Planning Controls

CP-1 Policy and Procedures CP-2 Contingency Plan CP-2(1) Coordinate with Related Plans CP-2(2) Capacity Planning