C.2.4.2 - Continuity of operations

Continuity of operations involves the activities associated with the identification of critical systems and processes, and the planning and preparation required to ensure that these systems and processes will be available in the event of a catastrophic event.

The recommended provisional security categorization for the continuity of operations information type is as follows:

Security category

C.2.4.2 - Continuity of operations = {(confidentiality, Moderate), (integrity, Moderate), (availability, Moderate)}

Confidentiality Moderate

The confidentiality impact level is the effect of unauthorized disclosure of continuity of operations information on the ability of responsible agencies to identify critical systems and processes, and to conduct the planning and preparation required to ensure that these systems and processes will be available in the event of a catastrophic event. Unauthorized disclosure of the entire plan to malicious entities may have serious effects. As a result, the consequence of loss of confidentiality of most continuity of operations plans (and comprehensive continuity of operations plans) is likely to do serious harm to government assets, personnel, or missions.

Special Factors Affecting Confidentiality Impact Determination: Unauthorized disclosure of background information that supports development of Federal continuity of operations plans can reveal sensitive vulnerabilities, capabilities, intelligence assessments, intelligence sources, or methods employed in anti-terrorism, law enforcement, or national security activities. Depending on the information in question, the confidentiality impact can be moderate, high, or involve national security information (outside the scope of this guideline). Unauthorized disclosure of continuity of operations information for critical infrastructures and key national assets may require a high impact level. However, the purpose of most continuity of operations information is to protect against inadvertent or accidental damaging events rather than against malicious attacks. Even so, in the case of Federal government systems, hostile attacks on systems must be considered. The consequences of unauthorized disclosure of extracts from continuity of operations plans are likely to have negligible to limited adverse effects on agency operations. In such cases, the confidentiality impact would be, at most, low.

Unauthorized disclosure of continuity of operations information may inform an adversary regarding what facilities and processes are considered to be critical. Such unauthorized disclosure may also equip an adversary with the information necessary to attack a system so that operations are disrupted, and that recovery is impaired. In such cases, the confidentiality impact would be, at least, moderate.

Recommended Confidentiality Impact Level: The provisional confidentiality impact level recommended for continuity of operations information is moderate.

Integrity Moderate

The integrity impact level is based on the specific mission and the data supporting that mission, not on the time required to detect the modification or destruction of information. Errors in continuity of operations plans that result from integrity compromise can result in serious consequences to system recovery capabilities. These can range from incorrect telephone numbers and e-mail addresses on notification lists to erroneous version numbers for database back-ups and archives or software baselines, updates, and patches.

Recommended Integrity Impact Level: The provisional integrity impact level recommended for continuity of operations information is moderate.

Availability Moderate

The availability impact level is based on the specific mission and the data supporting that mission, not on the time required to re-establish access to the continuity of operations information.

Special Factors Affecting Availability Impact Determination: The effects of disruption of access to continuity of operations information or information systems depend on the timing of the disruption. If access to continuity of operations information is denied because of a power outage, recovery may be delayed and the work of government agencies disrupted. The continuity of operations planning process is usually tolerant of delays. In contrast, the continuity of operations implementation process is not tolerant of delays. The consequences of disruption of access to continuity of operations information depend on both the period of the outage and the criticality of the disrupted processes. The consequent impact level will range from low to high.

Recommended Availability Impact Level: The provisional availability impact level recommended for continuity of operations information is moderate.