CMMC Practice RE.5.140
Ensure information processing facilities meet organizationally defined information security continuity, redundancy, and availability requirements.
Bold Coast Security Guidance
At this maturity level, an organization has Continuity of Operations (COOP) plans in place and in practice. Continuity of Operations planning may include Business Continuity, Disaster Recovery, and elements of Incident Management and Vendor Management.
Level 5 compliance is achieved when resilience is an organization-wide intelligence that is inter-departmental and inter-disciplinary throughout the organization. The IT department and all business units have significant roles in COOP planning and execution to ensure the organization is resilient when unexpected events, or incidents, occur.
For Level 5 compliance in this capability,
This practice is about information system resilience, and requires that the organization take the actions necessary to ensure that the information security components continue to operate as needed to achieve business success and to ensure that the system’s part in protection of CUI is maintained. It should be noted that “as needed” and “the system’s part” may change if, as a result of stress, contingency business operations are conducted; e.g., as part of the organization’s continuity of operations (COOP) planning. Note that redundancy is typically an aspect of resilience, yet is seldom sufficient as the means for achieving needed resilience.