BCD-05: Contingency Plan Root Cause Analysis (RCA) & Lessons Learned
Mechanisms exist to conduct a Root Cause Analysis (RCA) and "lessons learned" activity every time the contingency plan is activated.
Control Question: Does the organization conduct a Root Cause Analysis (RCA) and "lessons learned" activity every time the contingency plan is activated?
General (28)
| Framework | Mapping Values |
|---|---|
| AICPA TSC 2017:2022 (used for SOC 2) (source) | CC7.4-POF10 CC7.5 CC7.5-POF3 |
| COBIT 2019 | DSS04.08 |
| ENISA 2.0 | SO20 SO22 |
| GovRAMP Low | CP-04 |
| GovRAMP Low+ | CP-04 |
| GovRAMP Moderate | CP-04 |
| GovRAMP High | CP-04 |
| IMO Maritime Cyber Risk Management | 3.5.6.3 |
| NIST 800-53 R4 | CP-4 |
| NIST 800-53 R4 (low) | CP-4 |
| NIST 800-53 R4 (moderate) | CP-4 |
| NIST 800-53 R4 (high) | CP-4 |
| NIST 800-53 R5 (source) | CP-4 |
| NIST 800-53B R5 (low) (source) | CP-4 |
| NIST 800-53B R5 (moderate) (source) | CP-4 |
| NIST 800-53B R5 (high) (source) | CP-4 |
| NIST 800-82 R3 LOW OT Overlay | CP-4 |
| NIST 800-82 R3 MODERATE OT Overlay | CP-4 |
| NIST 800-82 R3 HIGH OT Overlay | CP-4 |
| NIST 800-161 R1 | CP-4 |
| NIST 800-161 R1 C-SCRM Baseline | CP-4 |
| NIST 800-161 R1 Level 2 | CP-4 |
| NIST 800-161 R1 Level 3 | CP-4 |
| NIST CSF 2.0 (source) | ID.IM-02 ID.IM-03 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | BCD-05 |
| SCF CORE ESP Level 1 Foundational | BCD-05 |
| SCF CORE ESP Level 2 Critical Infrastructure | BCD-05 |
| SCF CORE ESP Level 3 Advanced Threats | BCD-05 |
US (22)
| Framework | Mapping Values |
|---|---|
| US C2M2 2.1 | RESPONSE-4.O.MIL3 |
| US CERT RMM 1.2 | COMM:SG3.SP2 SC:SG5.SP2 SC:SG5.SP3 SC:SG5.SP4 SC:SG6.SP2 |
| US CMS MARS-E 2.0 | CP-4 |
| US FedRAMP R4 | CP-4 |
| US FedRAMP R4 (low) | CP-4 |
| US FedRAMP R4 (moderate) | CP-4 |
| US FedRAMP R4 (high) | CP-4 |
| US FedRAMP R4 (LI-SaaS) | CP-4 |
| US FedRAMP R5 (source) | CP-4 |
| US FedRAMP R5 (low) (source) | CP-4 |
| US FedRAMP R5 (moderate) (source) | CP-4 |
| US FedRAMP R5 (high) (source) | CP-4 |
| US FedRAMP R5 (LI-SaaS) (source) | CP-4 |
| US FFIEC | D5.IR.Pl.Int.4 |
| US HIPAA Administrative Simplification 2013 (source) | 164.308(a)(7)(ii)(D) |
| US HIPAA Security Rule / NIST SP 800-66 R2 (source) | 164.308(a)(7)(ii)(D) |
| US IRS 1075 | CP-4 |
| US NERC CIP 2024 (source) | CIP-009-6 3.1.1 CIP-009-6 3.1.2 |
| US NISPOM 2020 | 8-615 |
| US - TX DIR Control Standards 2.0 | CP-4 |
| US - TX TX-RAMP Level 1 | CP-4 |
| US - TX TX-RAMP Level 2 | CP-4 |
EMEA (5)
| Framework | Mapping Values |
|---|---|
| EMEA EU EBA GL/2019/04 | 3.7.4(88) 3.7.4(90) |
| EMEA EU DORA | 13.2 13.2(a) 13.2(b) 13.2(c) 13.2(d) 13.3 |
| EMEA EU NIS2 Annex | 4.1.4 |
| EMEA Germany C5 2020 | BCM-04 |
| EMEA UK CAP 1850 | D2 |
APAC (4)
| Framework | Mapping Values |
|---|---|
| APAC India SEBI CSCRF | RC.IM.S1 RC.IM.S2 RS.AN.S4 RS.AN.S4a RS.AN.S4b RS.IM.S1 |
| APAC New Zealand HISF 2022 | HHSP64 HML63 HSUP56 |
| APAC New Zealand HISF Suppliers 2023 | HSUP56 |
| APAC Singapore MAS TRM 2021 | 7.8.1 7.8.2 7.8.3 |
Americas (1)
| Framework | Mapping Values |
|---|---|
| Americas Canada CSAG | 5.9 |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to conduct a Root Cause Analysis (RCA) and "lessons learned" activity every time the contingency plan is activated.
Level 1 — Performed Informally
Business Continuity & Disaster Recovery (BCD) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- IT personnel work with business stakeholders to identify business-critical systems and services, including internal teams and third-party service providers.
- IT personnel develop limited Disaster Recovery Plans (DRP) to recover business-critical systems and services.
- Business stakeholders develop limited Business Continuity Plans (BCPs) to ensure business-critical functions are sustainable both during and after an incident within Recovery Time Objectives (RTOs).
- Backups are performed ad-hoc and focus on business-critical systems.
- Limited technologies exist to support near real-time network infrastructure failover (e.g., redundant ISPs, redundant power, etc.).
- Informal Root Cause Analysis (RCA) are performed to address insufficiencies in existing processes to prevent reoccurrences.
Level 2 — Planned & Tracked
Business Continuity & Disaster Recovery (BCD) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Business Continuity / Disaster Recovery (BC/DR) management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for BC/DR management.
- BC/DR roles are formally assigned as an additional duty to existing IT/cybersecurity personnel.
- Recovery Time Objectives (RTOs) identify business-critical systems and services, which are given priority of service in alternate processing and storage sites.
- IT personnel develop Disaster Recovery Plans (DRP) to recover business-critical systems and services.
- Data/process owners conduct a Business Impact Analysis (BIA) at least annually, or after any major technology or process change, to identify assets critical to the business in need of protection, as well as single points of failure.
- IT/cybersecurity personnel work with business stakeholders to develop Business Continuity Plans (BCPs) to ensure business functions are sustainable both during and after an incident within Recovery Time Objectives (RTOs).
- IT personnel use a backup methodology (e.g., grandfather, father & s on rotation) to store backups in a secondary location, separate from the primary storage site.
- IT personnel configure business-critical systems to transfer backup data to the alternate storage site at a rate that is capable of meeting Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
- A formal Root Cause Analysis (RCA) is performed that documents the findings in a report for both technical and business leadership management.
Level 3 — Well Defined
Business Continuity & Disaster Recovery (BCD) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- A formal Business Continuity & Disaster Recovery (BC/DR) program exists with defined roles and responsibilities to restore functionality in the event of a catastrophe, emergency, or significant disruptive incident that is handled in accordance with a Continuity of Operations Plan (COOP).
- BC/DR personnel work with business stakeholders to identify business-critical systems, services, internal teams and third-party service providers.
- Specific criteria are defined to initiate BC/DR activities that facilitate business continuity operations capable of meeting applicable RTOs and/or RPOs.- Application/system/process owners conduct a Business Impact Analysis (BIA) at least annually, or after any major technology or process change, to identify assets critical to the business in need of protection, as well as single points of failure.
- Recovery Time Objectives (RTOs) are defined for business-critical systems and services.
- Recovery Point Objectives (RPOs) are defined and technologies exist to conduct transaction-level recovery, in accordance with RPOs.
- Controls are assigned to sensitive/regulated assets to comply with specific BC/DR requirements to facilitate recovery operations in accordance with RTOs and RPOs.
- IT personnel work with business stakeholders to develop Disaster Recovery Plans (DRP) to recover business-critical systems and services within RPOs.
- Business stakeholders work with IT personnel to develop Business Continuity Plans (BCPs) to ensure business functions are sustainable both during and after an incident within RTOs.
- The data backup function is formally assigned with defined roles and responsibilities.
- BC/DR personnel have pre-established methods to communicate the status of recovery activities and progress in restoring operational capabilities to designated internal and external stakeholders.
- The integrity of backups and other restoration assets are verified prior to using them for restoration.
Level 4 — Quantitatively Controlled
See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to conduct a Root Cause Analysis (RCA) and "lessons learned" activity every time the contingency plan is activated.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to conduct a Root Cause Analysis (RCA) and "lessons learned" activity every time the contingency plan is activated.
Assessment Objectives
- BCD-05_A01 the contingency plan test results are reviewed.
- BCD-05_A02 corrective actions to remediate contingency plan deficiencies are initiated, if needed.
Evidence Requirements
- E-BCM-04 COOP Root Cause Analysis (RCA)
-
Documented evidence of a Root Cause Analysis (RCA) from any Continuity of Operations Plan (COOP)-related training, testing or incident.
Business Continuity
Technology Recommendations
Micro/Small
- Root Cause Analysis (RCA) (After Action Review (AAR), lessons learned, etc.)
Small
- Root Cause Analysis (RCA) (After Action Review (AAR), lessons learned, etc.)
Medium
- Root Cause Analysis (RCA) (After Action Review (AAR), lessons learned, etc.)
Large
- Root Cause Analysis (RCA) (After Action Review (AAR), lessons learned, etc.)
Enterprise
- Root Cause Analysis (RCA) (After Action Review (AAR), lessons learned, etc.)