NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION
SC-47 — Alternate Communications Paths
Establish {{ insert: param, sc-47_odp }} for system operations organizational command and control.
Supplemental Guidance
An incident, whether adversarial- or nonadversarial-based, can disrupt established communications paths used for system operations and organizational command and control. Alternate communications paths reduce the risk of all communications paths being affected by the same incident. To compound the problem, the inability of organizational officials to obtain timely information about disruptions or to provide timely direction to operational elements after a communications path incident, can impact the ability of the organization to respond to such incidents in a timely manner. Establishing alternate communications paths for command and control purposes, including designating alternative decision makers if primary decision makers are unavailable and establishing the extent and limitations of their actions, can greatly facilitate the organization’s ability to continue to operate and take appropriate actions during an incident.
Practitioner Notes
Maintain alternate communication paths so you can still communicate during an incident even if your primary network is compromised or unavailable.
Example 1: Establish an out-of-band communication plan using cell phones with an encrypted messaging app (Signal) for your incident response team. If your corporate email and chat are compromised, the team can still coordinate response actions securely.
Example 2: Maintain a cellular hotspot and a backup ISP connection that are independent of your primary internet connection. If a DDoS attack takes down your primary connection, you can still access critical cloud services and communicate with stakeholders through the alternate path.