C.2.4.1 - Contingency planning
Contingency planning involves the actions required to plan for, respond to, and mitigate damaging events.
The recommended provisional security categorization for the contingency planning information type is as follows:
The confidentiality impact level is the effect of unauthorized disclosure of contingency planning information on the ability of responsible agencies to plan for, respond to, and mitigate damaging events. Unauthorized disclosure of contingency planning information may equip an adversary with the information necessary to attack a system so that recovery is impaired.
Special Factors Affecting Confidentiality Impact Determination: Unauthorized disclosure of background information that supports development of Federal contingency plans can reveal sensitive vulnerabilities, capabilities, intelligence assessments, intelligence sources, or methods employed in anti-terrorism, law enforcement, or national security activities. Depending on the information in question, the confidentiality impact can be moderate, high, or involve national security information (outside the scope of this guideline). Also, some contingency plans are themselves national security information.
However, the purpose of most contingency planning information is to protect against inadvertent or accidental damaging events rather than against malicious attacks. Even so, in the case of Federal government systems, the case of hostile attacks on systems must be considered. The consequences of unauthorized disclosure of extracts from contingency plans are likely to have negligible to limited adverse effects on agency operations. In such cases, the confidentiality impact would be, at most, low.
Unauthorized disclosure of the entire plan to malicious entities may have serious effects. As a result, the consequence of loss of confidentiality of comprehensive contingency plans is likely to involve serious harm to government assets, personnel, or missions. In such cases, the confidentiality impact would be, at least, moderate.
Recommended Confidentiality Impact Level: The provisional confidentiality impact level recommended for contingency planning information is moderate.
The integrity impact level is based on the specific mission and the data supporting that mission, not on the time required to detect the modification or destruction of information. Errors in contingency plans that result from integrity compromise can result in serious consequences to system recovery capabilities. These can range from incorrect telephone numbers and e-mail addresses on notification lists to erroneous schedules and file designations for database back-ups and archives or software baselines, updates, and patches.
Recommended Integrity Impact Level: The provisional integrity impact level recommended for contingency planning information is moderate.
The availability impact level is based on the specific mission and the data supporting that mission, not on the time required to re-establish access to the contingency planning information. The effects of disruption of access to contingency planning information or information systems depend on the timing of the disruption. If access to contingency planning information is denied because of a power outage, recovery may be delayed and the work of government agencies disrupted.
Special Factors Affecting Availability Impact Determination: The contingency planning processes are usually tolerant of delays. In contrast, the contingency plan implementation process is not tolerant of delays. The consequences of disruption of access to contingency planning information depend on both the period of the outage and the criticality of the disrupted processes. The consequent impact level may range from low to high.
Recommended Availability Impact Level: The provisional availability impact level recommended for contingency planning information is moderate.