Update contingency plan to better address staffing (CP-2) #1325

Closed
2 of 4 tasks
pburkholder opened this issue Mar 19, 2020 · 4 comments
Labels
compliance Compliance, security, and accessibility issues operations Platform operations, development, and support issues

Comments

@pburkholder
Contributor

pburkholder commented Mar 19, 2020

POA&M

2019-V0036-CP-2

Description

In order to ensure stable operations of cloud.gov even if key staff become unavailable, we want to update our contingency plan (https://cloud.gov/docs/ops/contingency-plan/) to address such scenarios.

Acceptance Criteria

  • draft contingency plan is ready before rehearsal (currently scheduled 3/25)
  • we've held contingency plan rehearsal with an appropriate scenario
  • updated contingency plan published to site
  • JAB TRs informed of new plan

2020-06-24 -- Further, per JAB guidance, CP should

Ensure our Contingency Plan addresses NIST 800-34 (See comment DOD Comment #1 from 2020-04-29: Cloud.gov CP JAB Reviewer Comments)

Ensure key components are covered in order to evolve a comprehensive plan

  • Personnel - training, relocation, standard operation procedures
  • Information Systems - inventory, what is at your disposal
  • Telecommunications - network infrastructure, backup sites, automatic switching
  • Communications Plan - internal, external
  • Data Backup & Recovery - storage sites

Update CP to more clearly reference a set of actions to take in the event related components are unavailable.
Ensure test plan exercises align with FIPS 199 Impact levels [L, M, H] Cloud.gov, PaaS - Moderate

  • NIST-800-34 and related publications explicitly call out what CP exercises apply to Low/Moderate/High systems. Our CP should note that we are indeed meeting those expectations.

Ensure core plan is only available to personnel on a need-to-know basis
Ensure all key personnel know and understand their roles & responsibilities (who to call, what to do, when to do it, etc.) without it being overly prescriptive.


Security considerations

Take care not to share CUI in public contingency plan

@hillaryj hillaryj added compliance Compliance, security, and accessibility issues operations Platform operations, development, and support issues labels Mar 24, 2020
@pburkholder
Contributor Author

pburkholder commented May 26, 2020

Comments from JAB TRs indicate we'll have more work to bring our CP fully into line, and to close POA&M 2019-V0036-CP-2 we'll need to...

  • A) Ensure our Contingency Plan addresses NIST 800-34 (See comment DOD Comment #1 from 2020-04-29: Cloud.gov CP JAB Reviewer Comments)

    • Reference 800-34 in our CP and relevant key sections
  • Ensure key components are covered in order to evolve a comprehensive plan

    • Reference in our CP the personnel, Information & network systems, communications plan, and data recovery
  • Ensure test plan exercises align with FIPS 199 Impact levels [L, M, H] Cloud.gov, PaaS - Moderate

    • In our CP we should refer to those template sections that apply to moderate impact systems.

@pburkholder
Contributor Author

From our 2020-04-09 Contingency Plan Exercise, we need to ensure the following happen:

PRs and Issues:
https://github.com/cloud-gov/internal-docs/issues/6 - maintain phone list - in progress
cloud-gov/cg-site#1612 - simplify public update process
cloud-gov/cg-scripts#125 - pause pipelines
GSA-TTS/tts-tech-operations#416 - work with TTS Tech Portfolio to get better resources on what we’d expect in an emergency.
cloud-gov/cg-site#1608 - changes to Contingency Plan

@pburkholder
Contributor Author

Related: cloud-gov/cg-site#1608 for addressing

  • minimum staffing
  • leadership credentials
  • jumpbox recovery

@pburkholder pburkholder changed the title Update contingency plan to better address staffing Update contingency plan to better address staffing (CP-2) Jun 24, 2020
@pburkholder
Contributor Author

This is done with completion of the cg-site P/R
