name: "CP-7(2)_accessibility"
description: "Identify potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster and outline explicit miti"
category: "configuration"
version: "5.2.0"
author: "cyberstrike-official"
tags:
- nist
- sp800-53
- rev5
- cp-7-2
- cp
- enhancement
tech_stack:
- aws
- azure
- gcp
cwe_ids: []
chains_with:
- RA-3
prerequisites:
- CP-7
severity_boost:
  RA-3: "Chain with RA-3 for comprehensive security coverage"
CP-7(2) Accessibility
Enhancement of: CP-7
High-Level Description
Family: Contingency Planning (CP)
Framework: NIST SP 800-53 Rev 5
Area-wide disruptions refer to those types of disruptions that are broad in geographic scope with such determinations made by organizations based on organizational assessments of risk.
What to Check
- Verify CP-7(2) Accessibility is documented in SSP
- Confirm control is operating effectively
- Review evidence of continuous monitoring for CP-7(2)
- Verify enhancement builds upon base control CP-7
How to Test
Step 1: Review Documentation
Examine the System Security Plan (SSP) and related artifacts for CP-7(2) implementation details. Verify the organization has documented how this control is satisfied.
Step 2: Validate Implementation
```bash
# For cloud environments, use cloud-audit-mcp tools
# For on-premises, review system configurations directly
# Example: Check if account management policies exist
grep -r "account.management\|access.control" /etc/security/ 2>/dev/null
```
Step 3: Test Operating Effectiveness
Verify the control is actively functioning, not just documented. Check logs, configurations, and operational evidence.
Tools
| Tool | Purpose | Usage |
|---|---|---|
| Manual Review | Documentation and interview-based | N/A |
Remediation Guide
Control Statement
Identify potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster and outline explicit mitigation actions.
Implementation Guidance
Area-wide disruptions refer to those types of disruptions that are broad in geographic scope with such determinations made by organizations based on organizational assessments of risk.
Risk Assessment
| Finding | Severity | Impact |
|---|---|---|
| CP-7(2) Accessibility not implemented | Medium | Contingency Planning |
| CP-7(2) partially implemented | Low | Incomplete Contingency Planning |
CWE Categories
| CWE ID | Title |
|---|---|
| N/A | No direct CWE mapping |
References
- NIST SP 800-53 Rev 5 - CP-7(2)
- NIST SP 800-53A Rev 5 (Assessment Procedures)
- NIST SP 800-53 Rev 5 Full Catalog
Checklist
- Control documented in SSP
- Implementation evidence collected
- Operating effectiveness validated
- Continuous monitoring in place
- Related controls (RA-3) reviewed