CP-9: System Backup
Control Family:
CSF v1.1 References:
PF v1.0 References:
Threats Addressed:
Previous Version:
- NIST Special Publication 800-53 Revision 4:
- CP-9: Information System Backup
Control Statement
- Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
- Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
- Conduct backups of system documentation, including security- and privacy-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
- Protect the confidentiality, integrity, and availability of backup information.
Supplemental Guidance
System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of system backup information while in transit is addressed by MP-5 and SC-8. System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements.
Control Enhancements
CP-9(1): Testing for Reliability and Integrity
Baseline(s):
- Moderate
- High
Test backup information [Assignment: organization-defined frequency] to verify media reliability and information integrity.
CP-9(2): Test Restoration Using Sampling
Baseline(s):
- High
Use a sample of backup information in the restoration of selected system functions as part of contingency plan testing.
CP-9(3): Separate Storage for Critical Information
Baseline(s):
- High
Store backup copies of [Assignment: organization-defined critical system software and other security-related information] in a separate facility or in a fire rated container that is not collocated with the operational system.
CP-9(5): Transfer to Alternate Storage Site
Baseline(s):
- High
Transfer system backup information to the alternate storage site [Assignment: organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives].
CP-9(6): Redundant Secondary System
Baseline(s):
Conduct system backup by maintaining a redundant secondary system that is not collocated with the primary system and that can be activated without loss of information or disruption to operations.
CP-9(7): Dual Authorization
Baseline(s):
Enforce dual authorization for the deletion or destruction of [Assignment: organization-defined backup information].
CP-9(8): Cryptographic Protection
Baseline(s):
- Moderate
- High
Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined backup information].