Systematic review of business continuity and disaster recovery best practices for critical infrastructure protection under federal cybersecurity regulations and guidelines

This systematic review focused on the best practices in business continuity (BC) and disaster recovery (DR) planning in critical infrastructure (CI) organizations subject to federal cybersecurity regulations in the United States. A total of 52 peer-reviewed articles published between January 1990 and December 2022 were analyzed and meta-analyzed. Statistically significant predictors of the program effectiveness of the BC/DR were arranged based on outcome variables such as operational resilience indices, recovery time goals (RTO), recovery point goals (RPO), and regulatory compliance scores. The quality of the methodology of every study was evaluated with a 11-point grading scale with items rating the use of theoretical frameworks, longitudinal design, comparison groups, and statistical rigor. Executive commitment of leadership, frequency of testing, intensity of training of the staff, redundancy of technology, and integration of supply chain risks were the best-practice predictors that were most consistently reported. The overall score of the methodological quality of reviewed studies was 7.12 (SD = 1.6; maximum = 11). The results indicate that there is still a significant gap in BC/DR testing frequency, cross-sector information transfer, and macro-level regulatory congruence. The review provides a synthesized evidence base that can guide practitioners, regulators, and researchers associated with the nexus of cybersecurity governance and critical infrastructure resilience.