The recover function of the SFCS is visually represented as such:

| Function | Category | Subcategory |
|---|---|---|
| Recover (RC) | Recovery Planning (RP) | RC.RP-1: Execute recovery plan during or after a Cybersecurity Incident |
| | Improvements (IM) | RC.IM-1: Incorporate lessons learned in recovery plans |
| | | RC.IM-2: Periodically update recovery strategies |
| | Communications (CO) | RC.CO-1: Manage public relations |
| | | RC.CO-2: Repair reputation after an event |
| | | RC.CO-3: Communicate recovery activities to internal Stakeholders and executive and management teams |

(1) Recovery Planning. Each Agency shall execute and maintain recovery processes and procedures to ensure restoration of systems or assets affected by Cybersecurity Incidents. Each Agency shall:
(a) Execute a recovery plan during or after an Incident (RC.RP-1).
(b) Mirror data and software, essential to the continued operation of critical Agency functions, to an off-site location or regularly back up a current copy and store at an off-site location.
(c) Develop procedures to prevent loss of data, and ensure that Agency data, including unique copies, are backed up.
(d) Document disaster recovery plans that address protection of critical IT Resources and provide for the continuation of critical Agency functions in the event of a disaster. Plans shall address shared resource systems, which require special consideration, when interdependencies may affect continuity of critical Agency functions.
(e) IT disaster recovery plans shall be tested at least annually; results of the annual exercise shall document plan procedures that were successful and specify any modifications required to improve the plan.
(2) Improvements. Each Agency shall improve recovery planning and processes by incorporating lessons learned into future activities. Such activities shall include:
(a) Incorporating lessons learned in recovery plans (RC.IM-1).
(b) Updating recovery strategies (RC.IM-2).
(3) Communications. Each agency shall coordinate restoration activities with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors. Such activities shall include:
(a) Managing public relations (RC.CO-1).
(b) Attempts to repair reputation after an event, if applicable (RC.CO-2).
(c) Communicating recovery activities to Stakeholders, internal and external where appropriate (RC.CO-3).