CP-9(3): Separate Storage For Critical Information

Control Family:

Contingency Planning

CSF v1.1 References:

Threats Addressed:


  • High

Next Version:

Control Statement

The organization stores backup copies of [Assignment: organization-defined critical information system software and other security-related information] in a separate facility or in a fire-rated container that is not collocated with the operational system.

Supplemental Guidance

Critical information system software includes, for example, operating systems, cryptographic key management systems, and intrusion detection/prevention systems. Security-related information includes, for example, organizational inventories of hardware, software, and firmware components. Alternate storage sites typically serve as separate storage facilities for organizations.