Disaster Recovery Business Rules
BR-DR-1: Annual Review of Disaster Recovery Plans
Disaster recovery plans and their supporting documents must be reviewed and reevaluated on an annual basis or upon a significant change to the operating environment.
- Federal Continuity Directive 1, Federal Executive Branch National Continuity Program and Requirements, January 17, 2017.
Rationale:
Test, Training, and Exercise (TT&E) requirement under the Testing provisions of Federal Continuity Directive 1.
BR-DR-2: (Rule Withdrawn after TRA 2024R4): Disaster Recovery Tier Selection
BR-DR-3: All CMS FISMA systems must have a plan for DR
As required by FISMA.
Related CMS ARS Security Controls include: CP-2 Contingency Plan and CP-4 Contingency Plan Testing and Exercises.
Rationale:
DR planning and preparation are essential for resumption of services following a disaster.
BR-DR-4: Required Risk Analysis, System BIA, and ISCP
A Risk Analysis, System Business Impact Analysis (BIA), and Information System Contingency Plan (ISCP) must be documented for every CMS application/system so that CMS can correctly select the appropriate Disaster Recovery Tier for that application.
Related: CMS Target Life Cycle (TLC) Initiate/Develop phases.
Rationale:
Completion of the Risk Analysis, System Business Impact Analysis, and Information System Contingency Plan is a required activity in preparation for receiving an Authority to Operate (ATO).
BR-DR-5: (Rule Withdrawn after TRA 2024R4): Number of Disaster Recovery Tiers
BR-DR-6: The BIA is the Primary Determinant of DR Parameters
The system Business Impact Analysis (BIA) provides the basis for the system's Recovery Point Objective (RPO), Recovery Time Objective (RTO), Work Recovery Time (WRT), and Maximum Tolerable Downtime (MTD).
- CIO Memorandum Recovery Time Objective Requirements, July 22, 2020.
- NIST Interagency Report (IR) 8286D Using Business Impact Analysis to Inform Risk Prioritization and Response, February 2025.
Rationale:
These recovery parameters must be derived from the business requirements documented in the BIA rather than set arbitrarily or by technology preference.
TRA 2025 Release 1 • General Distribution / Unclassified Information