Disaster Recovery Business Rules

BR-DR-1: Annual Review of Disaster Recovery Plans

Disaster recovery plans and their supporting documents must be reviewed and reevaluated on an annual basis or upon a significant change to the operating environment.

Related: Federal Continuity Directive 1, Federal Executive Branch National Continuity Program and Requirements, January 17, 2017.

Rationale:

Satisfies the Test, Training, and Exercise (TT&E) requirement under the Testing section of Federal Continuity Directive 1; an annual review (or a review triggered by a significant environmental change) keeps the plan aligned with the systems it is meant to recover.

BR-DR-2: Disaster Recovery Tier Selection

Applications/systems that are sufficiently critical to warrant a Disaster Recovery capability will be matched to one of the four Disaster Recovery Tiers presented in this document, in accordance with the results of the Business Impact Analysis (BIA).

Related: CMS Risk Management Handbook, Chapter 6 – Contingency Planning.

Rationale:

Tier selection is required when determining the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for a system during contingency planning; the tier sets the recovery capability the RTO and RPO must be met with.

BR-DR-3: All CMS FISMA systems must have a plan for DR

Every CMS FISMA system must have a documented Disaster Recovery plan, as required by FISMA.

Related: CMS ARS security controls CP-2 (Contingency Plan) and CP-4 (Contingency Plan Testing and Exercises).

Rationale:

DR planning and preparation are essential for resumption of services following a disaster.

BR-DR-4: Required Risk Analysis, System BIA, and ISCP

A Risk Analysis, System BIA, and Information System Contingency Plan (ISCP) must be documented for all applications/systems so that CMS can correctly select the appropriate Disaster Recovery Tier for each application.

Related: CMS Risk Management Handbook, Chapter 6 – Contingency Planning; CMS Target Life Cycle (TLC) Initiate/Develop phases.

Rationale:

Completing the Risk Assessment, System BIA, and ISCP are required activities in preparing a system to receive an Authority to Operate (ATO).

BR-DR-5: Number of Disaster Recovery Tiers

There are four defined Disaster Recovery Tiers.

Related: CMS Risk Management Handbook, Chapter 6 – Contingency Planning.

Rationale:

The four Disaster Recovery Tiers are defined in the CMS Risk Management Handbook (RMH), Chapter 6.