BCD-01.4: Recovery Time / Point Objectives (RTO / RPO)
Mechanisms exist to facilitate recovery operations in accordance with Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
Control Question: Does the organization facilitate recovery operations in accordance with Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs)?
General (23)
| Framework | Mapping Values |
|---|---|
| GovRAMP Core | CP-10 |
| GovRAMP Low | CP-10 |
| GovRAMP Low+ | CP-10 |
| GovRAMP Moderate | CP-10 |
| GovRAMP High | CP-06(02) CP-10 |
| IMO Maritime Cyber Risk Management | 3.5.6.1 |
| MPA Content Security Program 5.1 | OR-3.4 |
| NIST 800-53 R4 | CP-6(2) CP-10 |
| NIST 800-53 R4 (low) | CP-10 |
| NIST 800-53 R4 (moderate) | CP-10 |
| NIST 800-53 R4 (high) | CP-6(2) CP-10 |
| NIST 800-53 R5 (source) | CP-6(2) CP-10 |
| NIST 800-53B R5 (low) (source) | CP-10 |
| NIST 800-53B R5 (moderate) (source) | CP-10 |
| NIST 800-53B R5 (high) (source) | CP-6(2) CP-10 |
| NIST 800-82 R3 LOW OT Overlay | CP-10 |
| NIST 800-82 R3 MODERATE OT Overlay | CP-10 |
| NIST 800-82 R3 HIGH OT Overlay | CP-6(2) CP-10 |
| NIST CSF 2.0 (source) | RC.RP RC.RP-02 RC.RP-04 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | BCD-01.4 |
| SCF CORE ESP Level 1 Foundational | BCD-01.4 |
| SCF CORE ESP Level 2 Critical Infrastructure | BCD-01.4 |
| SCF CORE ESP Level 3 Advanced Threats | BCD-01.4 |
US (6)
| Framework | Mapping Values |
|---|---|
| US C2M2 2.1 | RESPONSE-4.G.MIL2 |
| US FedRAMP R4 | CP-6(2) |
| US FedRAMP R4 (high) | CP-6(2) |
| US FedRAMP R5 (source) | CP-6(2) |
| US FedRAMP R5 (high) (source) | CP-6(2) |
| US - NY DFS 23 NYCRR500 2023 Amd 2 | 500.16(a)(2)(v) |
EMEA (4)
| Framework | Mapping Values |
|---|---|
| EMEA EU DORA | 12.6 |
| EMEA EU NIS2 Annex | 4.1.2(f) 4.2.2(a) |
| EMEA Germany C5 2020 | OPS-06 OPS-08 OPS-09 |
| EMEA Saudi Arabia ECC-1 2018 | 2-9-3-2 |
APAC (7)
| Framework | Mapping Values |
|---|---|
| APAC Australia Essential 8 | ML1-P8 ML2-P8 ML3-P8 |
| APAC Australia ISM June 2024 | ISM-1810 |
| APAC Australia Prudential Standard CPS230 | 38(a) 38(b) 38(c) 39 |
| APAC India SEBI CSCRF | RC.RP.S2 |
| APAC New Zealand HISF 2022 | HHSP24 HML24 HSUP22 |
| APAC New Zealand HISF Suppliers 2023 | HSUP22 |
| APAC Singapore MAS TRM 2021 | 8.1.4 8.2.1 |
Americas (1)
| Framework | Mapping Values |
|---|---|
| Americas Canada OSFI B-13 | 2.9 2.9.1 |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to facilitate recovery operations in accordance with Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to facilitate recovery operations in accordance with Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
Level 2 — Planned & Tracked
C|P-CMM2 is N/A, since a well-defined process is required to facilitate recovery operations in accordance with Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
Level 3 — Well Defined
Business Continuity & Disaster Recovery (BCD) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- A formal Business Continuity & Disaster Recovery (BC/DR) program exists with defined roles and responsibilities to restore functionality in the event of a catastrophe, emergency, or significant disruptive incident that is handled in accordance with a Continuity of Operations Plan (COOP).
- BC/DR personnel work with business stakeholders to identify business-critical systems, services, internal teams and third-party service providers.
- Specific criteria are defined to initiate BC/DR activities that facilitate business continuity operations capable of meeting applicable RTOs and/or RPOs.- Application/system/process owners conduct a Business Impact Analysis (BIA) at least annually, or after any major technology or process change, to identify assets critical to the business in need of protection, as well as single points of failure.
- Recovery Time Objectives (RTOs) are defined for business-critical systems and services.
- Recovery Point Objectives (RPOs) are defined and technologies exist to conduct transaction-level recovery, in accordance with RPOs.
- Controls are assigned to sensitive/regulated assets to comply with specific BC/DR requirements to facilitate recovery operations in accordance with RTOs and RPOs.
- IT personnel work with business stakeholders to develop Disaster Recovery Plans (DRP) to recover business-critical systems and services within RPOs.
- Business stakeholders work with IT personnel to develop Business Continuity Plans (BCPs) to ensure business functions are sustainable both during and after an incident within RTOs.
- The data backup function is formally assigned with defined roles and responsibilities.
- BC/DR personnel have pre-established methods to communicate the status of recovery activities and progress in restoring operational capabilities to designated internal and external stakeholders.
- The integrity of backups and other restoration assets are verified prior to using them for restoration.
Level 4 — Quantitatively Controlled
Business Continuity & Disaster Recovery (BCD) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
- Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
- Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
- Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
- Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
- Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to facilitate recovery operations in accordance with Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
Assessment Objectives
- BCD-01.4_A01 time period consistent with Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) for the recovery of the system is determined.
- BCD-01.4_A02 the alternate storage site is configured to facilitate recovery operations in accordance with Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
- BCD-01.4_A03 time period consistent with Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) for the reconstitution of the system is determined.
- BCD-01.4_A04 the recovery of the system to a known state is provided within a specified time period after a disruption, compromise or failure.
- BCD-01.4_A05 a reconstitution of the system to a known state is provided within an organization-defined time period after a disruption, compromise or failure.
Evidence Requirements
- E-BCM-02 Recovery Time Objectives (RTOs)
-
Documented evidence of Recovery Time Objectives (RTOs) that guide Continuity of Operations Plan (COOP)-related operations.
Business Continuity - E-BCM-03 Recovery Point Objectives (RPOs)
-
Documented evidence of Recovery Point Objectives (RPOs) that guide Continuity of Operations Plan (COOP)-related operations.
Business Continuity
Technology Recommendations
Micro/Small
- Continuity of Operations Plan (COOP)
- Business Continuity Plan (BCP)
- Disaster Recovery Plan (DRP)
- Recovery Time Objectives (RTOs)
- Recovery Point Objectives (RPOs)
Small
- Continuity of Operations Plan (COOP)
- Business Continuity Plan (BCP)
- Disaster Recovery Plan (DRP)
- Recovery Time Objectives (RTOs)
- Recovery Point Objectives (RPOs)
Medium
- Continuity of Operations Plan (COOP)
- Business Continuity Plan (BCP)
- Disaster Recovery Plan (DRP)
- Recovery Time Objectives (RTOs)
- Recovery Point Objectives (RPOs)
Large
- Continuity of Operations Plan (COOP)
- Business Continuity Plan (BCP)
- Disaster Recovery Plan (DRP)
- Recovery Time Objectives (RTOs)
- Recovery Point Objectives (RPOs)
Enterprise
- Continuity of Operations Plan (COOP)
- Business Continuity Plan (BCP)
- Disaster Recovery Plan (DRP)
- Recovery Time Objectives (RTOs)
- Recovery Point Objectives (RPOs)