CP-9(7): Dual Authorization

Control Family:

Contingency Planning

Parent Control:

CP-9: Information System Backup

Priority:

P1: Implement P1 security controls first.

CSF v1.1 References:

PR.IP-4

Threats Addressed:

Denial of Service

Baselines:

(Not part of any baseline)

Next Version:

NIST Special Publication 800-53 Revision 5:
CP-9(7): Dual Authorization

Control Statement

The organization enforces dual authorization for the deletion or destruction of [Assignment: organization-defined backup information].

Supplemental Guidance

Dual authorization ensures that the deletion or destruction of backup information cannot occur unless two qualified individuals carry out the task. Individuals deleting/destroying backup information possess sufficient skills/expertise to determine if the proposed deletion/destruction of backup information reflects organizational policies and procedures. Dual authorization may also be known as two-person control.