Requirement text: RE.5.140: Ensure information processing facilities meet organizationally defined
information security continuity, redundancy, and availability requirements.
DISCUSSION FROM SOURCE: CMMC
This practice is about information system resilience, and requires that the organization take
the actions necessary to ensure that the information security components continue to
operate as needed to achieve business success and to ensure that the system’s part in
protection of CUI is maintained. It should be noted that “as needed” and “the system’s part”
may change if, as a result of stress, contingency business operations are conducted; e.g., as
part of the organization’s continuity of operations (COOP) planning. Note that redundancy
is typically an aspect of resilience, yet is seldom sufficient as the means for achieving needed
resilience.
CMMC CLARIFICATION
This practice requires an organization to do what is needed in order for their cybersecurity
solutions to continue to function under stress or attack. This means that even if a solution
that helps protect the environment has a failure, then other mechanisms will fill in the gap
in order for the functionality to continue. Redundant components can help with this as well
as proper planning and implementation. If a firewall fails, make sure another firewall can
take its place, or the environment should fail closed preventing traffic from passing until the
problem can be fixed. By having redundancy in place, an organization may continue
operations with confidence knowing their cyber security mission is functioning properly,
and the components will continue to operate properly even when failures may be taking
place.
Example 1
An environment has a log collection server in place for collecting end-point logs from across
the enterprise. Knowing this could be a catastrophic problem if the log collection system
goes down, the organization plans and creates a clone of the primary log server and has setup
the environment to perform automated switch over in case the primary server goes down.
This will allow the organization to continue to collect logs, perform analysis, and act on
incidents that happen during the time the primary server is down.
Example 2
A proxy server that is used to protect an organization against malicious websites by
utilization of website categorization is setup by the IT department. If this solution goes
down, the company will need to shutoff communication to the Internet or allow people to
browse websites without use of the categorization for protection. Loss of this protection
mechanism could lead to malicious content being downloaded to user systems. The
organization plans for secondary and tertiary proxies to be put in place and setup the
solution so transfer of processing will occur in near real time if there is ever a problem with
the primary. This not only allows continuity of operation for accessing Internet resources,
but it also provides continuity of operations with respect to the protection provided by the
proxy server’s categorization capability.
References
• CMMC
• NIST CSF v1.1 PR.IP-9
• CERT RMM v1.2 RRM:SG1.SP2
• NIST 800-53 Rev 4 CP-10