If an agency cannot comply with the Technology Recovery Plan submission, will the Office of Information Security accept an extension?
Because the purpose of the Technology Recovery Plan (TRP) is to provide continuity of computing operations in support of critical business functions, there is no extension process for TRP submissions. The agency Director must be apprised of the risk associated with not having a complete and comprehensive TRP which provides the ability to perform a full recovery of critical/essential IT systems and applications in support of the agency’s critical business functions.
One alternative is to submit a SIMM 5325-B – Technology Recovery Program Certification (DOCX), marking the box that indicates, “My state entity is NOT in full compliance with the Technology Recovery Management Program requirements, but has a comprehensive plan to achieve full compliance by [insert date]. I understand and accept the risk associated with the gaps in our current program, and have attached a remediation plan which includes a schedule for completion.” If this option is submitted, a remediation plan specifying the date when the TRP will be delivered to the Office of Information Security must also be submitted with the SIMM 5325-B submittal.