CP-9: Information System Backup

Control Family:

Contingency Planning

Priority:

P1: Implement P1 security controls first.

CSF v1.1 References:

PR.IP-4

PF v1.0 References:

PR.PO-P3

Threats Addressed:

Denial of Service

Baselines:

Low
- CP-9
Moderate
- CP-9
- (1)
High
- CP-9
- (1)
- (2)
- (3)
- (5)

Next Version:

NIST Special Publication 800-53 Revision 5:
CP-9: System Backup

Control Statement

The organization:

Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
Protects the confidentiality, integrity, and availability of backup information at storage locations.

Supplemental Guidance

System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information.

Control Enhancements

CP-9(1): Testing For Reliability / Integrity

Baseline(s):

Moderate
High

The organization tests backup information [Assignment: organization-defined frequency] to verify media reliability and information integrity.

CP-9(2): Test Restoration Using Sampling

Baseline(s):

High

The organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing.

CP-9(3): Separate Storage For Critical Information

Baseline(s):

High

The organization stores backup copies of [Assignment: organization-defined critical information system software and other security-related information] in a separate facility or in a fire-rated container that is not collocated with the operational system.

CP-9(5): Transfer To Alternate Storage Site

Baseline(s):

High

The organization transfers information system backup information to the alternate storage site [Assignment: organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives].

CP-9(6): Redundant Secondary System

Baseline(s):

(Not part of any baseline)

The organization accomplishes information system backup by maintaining a redundant secondary system that is not collocated with the primary system and that can be activated without loss of information or disruption to operations.

CP-9(7): Dual Authorization

Baseline(s):

(Not part of any baseline)

The organization enforces dual authorization for the deletion or destruction of [Assignment: organization-defined backup information].

Control Statement

Supplemental Guidance

Control Enhancements

Related Controls

NIST Special Publication 800-53 Revision 4

Cloud Controls Matrix v3.0.1

Critical Security Controls Version 8

Critical Security Controls Version 7.1