CP-10(3): Compensating Security Controls
CP-10(3) requires you to define and document compensating security controls during tailoring when the standard CP-10 expectation cannot be met as written. Operationally, you must (1) justify the gap, (2) implement alternate controls that achieve equivalent risk reduction, and (3) retain durable evidence that the compensating controls are approved, tested, and kept current. [1]
Key takeaways:
- Treat CP-10(3) as a tailoring decision that must be documented, approved, and auditable. [1]
- Compensating controls need a clear “why,” “what,” and “how tested” trail, not just a statement in a policy. [2]
- Your fastest path to audit readiness is a repeatable template tied to an owner and recurring evidence. [1]
CP-10 sits in the Contingency Planning (CP) family, so auditors expect you to show resilient operations: backup, recovery, reconstitution, and the ability to continue mission-essential functions during disruption. CP-10(3) is different from many enhancements because the control text in the catalog is minimal and explicitly “Addressed through tailoring.” [1] That short phrase is the requirement.
For a CCO, Compliance Officer, or GRC lead, CP-10(3) is a governance requirement masquerading as a technical control. The work is to make compensating controls real: define when you allow them, how you decide equivalency, who approves the risk, and what evidence proves the alternate control works over time. If your organization handles federal data or operates federal information systems, this becomes a standard exam thread: “Show me where you tailored the baseline, why, and how you ensured equivalent protection.” [2]
This page gives requirement-level implementation steps, evidence checklists, and audit traps so you can operationalize the CP-10(3) compensating security controls requirement without turning it into a months-long policy rewrite.
Regulatory text
Control enhancement: CP-10(3): Compensating Security Controls
Regulatory excerpt: “Addressed through tailoring.” [1]
What the operator must do with this text
Because NIST states CP-10(3) is addressed via tailoring, your “implementation” is to build a disciplined, repeatable tailoring method for compensating controls and apply it wherever CP-10 cannot be met exactly. The output auditors want is not a narrative; it is a decision record: what requirement was not met, what alternative control(s) you put in place, who accepted the risk, and what evidence shows the alternative remains effective. [1]
Plain-English interpretation (what CP-10(3) means in practice)
CP-10(3) means: if you can’t implement the CP-10 expectation as written for a given system, you may implement compensating security controls, but only if you formally tailor the control set and keep proof that the compensating controls reduce risk to an acceptable level. [1]
Think of it as a permission structure:
- Permission to deviate from the default implementation
- Condition that you document the deviation through tailoring
- Obligation to show the substitute control is designed, approved, and operating
Who it applies to (entity and operational context)
Applies to:
- Federal information systems using NIST SP 800-53 control baselines. [2]
- Contractor systems handling federal data when your contract, authority-to-operate boundary, or assessment framework invokes NIST SP 800-53 tailoring and assessment expectations. [2]
Operational contexts where CP-10(3) shows up:
- Legacy platforms that cannot support a CP-10-aligned recovery mechanism without major re-architecture
- Cloud/SaaS dependencies where you cannot directly implement a specific contingency mechanism, so you compensate with contract terms, architecture, monitoring, or alternate recovery patterns
- Segmented environments (OT, lab, air-gapped enclaves) where standard automation assumptions do not hold
What you actually need to do (step-by-step)
The goal is a repeatable compensating control workflow tied to CP-10 requirements and your tailoring process.
Step 1: Define your compensating control standard (one-page rule)
Create a short internal standard that answers:
- When compensating controls are allowed (examples: technical infeasibility, third-party managed limitation, temporary exception)
- Who can approve them (control owner, system owner, AO/risk executive, or equivalent governance)
- What “equivalent protection” means for your org (risk-based, threat-informed, measurable outcomes)
- Minimum evidence required before approval and during operation
Reference the source baseline that requires tailoring. [2]
Step 2: Build a tailoring record template (make it hard to hand-wave)
Your template should force specificity:
A. Control gap statement
- Baseline control/enhancement: CP-10 / CP-10(3)
- What cannot be met as written
- Scope: system boundary, environments affected
B. Rationale
- Technical constraint, contractual constraint, operational constraint
- Time horizon: temporary vs enduring (don’t use dates unless your internal plan requires them)
C. Compensating control design
- Substitute controls (technical + procedural)
- How the substitute mitigates the same failure mode CP-10 targets
D. Equivalency argument
- Threats addressed
- Residual risks introduced
- Assumptions and dependencies (especially third parties)
E. Approval and review
- Named approver(s)
- Review triggers (major system change, DR test failure, provider change)
Step 3: Implement compensating controls that are testable
A compensating control is weak if it cannot be tested. Favor controls with observable outputs, such as:
- A documented recovery pattern (alternate site, alternate restore workflow, immutable backups) supported by test results
- Monitoring/alerting that detects loss of recoverability (backup job failures, snapshot retention violations)
- Contractual and architectural controls for third-party services (documented responsibilities, RTO/RPO assumptions, evidence from provider)
Align your compensating controls to contingency objectives in CP. [2]
Step 4: Attach recurring evidence to the control owner
Make evidence collection part of operations. At minimum:
- Assign a control owner for the CP-10(3) tailoring decisions
- Define what evidence they must produce on a recurring basis (test results, tickets, monitoring reports, change records)
- Store it in a single system-of-record with immutable history (GRC tool, controlled repository, or ticketing system)
This is the fastest way to avoid the common failure: “we did it once, but can’t prove it now.”
Where Daydream fits naturally: Daydream can hold the tailoring record, map CP-10(3) to the control owner, and schedule recurring evidence requests so your compensating controls don’t decay into stale exception memos. [1]
Step 5: Validate during assessment-ready activities
Before an exam:
- Re-perform a light review of each compensating control package
- Confirm the compensating control still matches the architecture and third-party dependencies
- Confirm evidence is current and complete
- Verify approvals are still valid for current risk posture
Tie validation back to your tailoring record. [2]
Required evidence and artifacts to retain
Use this as your audit-ready checklist:
| Artifact | What “good” looks like | Owner |
|---|---|---|
| Tailoring decision record for CP-10(3) | Specific gap, rationale, compensating controls, equivalency argument, approvals | GRC + System Owner |
| Risk acceptance / approval | Named approver, scope, conditions for continuation | Risk Executive / AO equivalent |
| Control procedure / runbook | Step-by-step recovery or continuity actions tied to the compensating control | Operations / IT |
| Test evidence | Results showing the compensating mechanism works (exercise notes, restore logs, outcomes) | DR/BCP lead |
| Monitoring / alert evidence | Alerts, reports, or dashboards tied to recoverability assumptions | SRE/SecOps |
| Change management linkage | Changes that may invalidate the compensating control are tracked and reviewed | ITSM/Change Manager |
Common exam/audit questions and hangups
Auditors tend to press on governance and proof:
- “Show me where CP-10(3) is addressed.” They want the tailoring record and how it’s governed. [1]
- “Who approved this deviation, and what risk did they accept?” Missing or vague approvals are a common finding.
- “How do you know the compensating control works?” A policy statement is not evidence. Bring test outputs and operational signals.
- “What triggers re-review?” If you can’t describe triggers, auditors may conclude your compensating controls can silently expire.
Frequent implementation mistakes (and how to avoid them)
- Mistake: Treating compensating controls as informal exceptions. Fix: Require a tailoring record with approvals and evidence attachments. [1]
- Mistake: No equivalency argument. Fix: Write a short, threat-and-failure-mode-based explanation of how the substitute control achieves similar outcomes. [2]
- Mistake: Control exists, but no one owns it. Fix: Assign a named owner and embed evidence collection in operational routines.
- Mistake: Over-reliance on third-party attestations with no boundary statement. Fix: Document shared responsibility and what you independently verify versus what the third party provides. [2]
Enforcement context and risk implications
No public enforcement cases were provided in the source catalog for this requirement. Practically, CP-10(3) failures surface as assessment findings: inadequate tailoring documentation, unsupported equivalency claims, or inability to produce evidence that the compensating controls operate. The risk is straightforward: if recoverability assumptions are wrong, you learn during an incident, not during a test. [2]
Practical 30/60/90-day execution plan
Use phases (not calendar promises) to move fast without inventing timelines.
Immediate (stabilize and become assessable)
- Inventory where CP-10 cannot be met “as written” across in-scope systems.
- Create the CP-10(3) tailoring record template and approval path.
- Assign control owners for each compensating control package.
- Centralize current artifacts (existing DR test results, runbooks, tickets) into one evidence location.
Near-term (make compensating controls testable and repeatable)
- Convert every informal exception into a complete tailoring record.
- Define equivalency criteria your assessors will accept (outcome-based, test-backed).
- Add recurring evidence tasks to your operating rhythm (tests, monitoring reviews, third-party evidence refresh).
- Run an internal desk audit: pick a system and see if you can prove the compensating control end-to-end without tribal knowledge.
Ongoing (keep it from rotting)
- Re-validate compensating controls after material changes (architecture changes, provider changes, major incidents).
- Track compensating controls as first-class controls in your GRC system (ownership, evidence, review history).
- Use metrics qualitatively in leadership reporting: open compensating controls, overdue evidence, and high-risk residual assumptions.
Frequently Asked Questions
Do I need compensating controls for every CP-10 gap?
If you cannot meet the CP-10 expectation as implemented in your baseline, you need a tailored decision and an alternate control set that addresses the risk. CP-10(3) exists to make that decision auditable. [1]
What counts as a “compensating” control versus an exception?
A compensating control is an alternative safeguard that reduces the same risk to an acceptable level and is documented through tailoring. An exception is just a deviation; without an equivalency argument and evidence, it will read as an unmitigated gap. [2]
Who should approve CP-10(3) compensating controls?
Use the approver who has authority to accept the residual risk for the system boundary, typically the system owner plus a risk authority (AO or equivalent governance). The key is a named approver tied to the tailoring record. [1]
How do I prove “equivalent protection” without a formal quantitative risk model?
Use an outcome-based argument: identify the failure mode the original CP-10 control addresses, describe how your substitute prevents or detects it, and attach test evidence. Keep assumptions explicit, especially dependencies on third parties. [2]
We rely on a SaaS provider for recovery. Can their reports serve as evidence?
Yes, but document shared responsibility and include what you verify yourself (configuration, backups you control, restore tests you can perform). Your tailoring record should state which parts are inherited and which are your obligations. [2]
What’s the minimum evidence set an auditor will accept?
Expect to show the tailoring decision, approval, the compensating control procedure, and proof it operated (test output or operational monitoring records). If any link is missing, auditors may conclude the control is not implemented. [1]
Footnotes
[1] NIST SP 800-53 Rev. 5 OSCAL JSON
[2] NIST SP 800-53 Rev. 5
Operationalize this requirement
Map requirement text to controls, owners, evidence, and review workflows inside Daydream.
See Daydream