Navigate

CP-9

CP-9: System Backup

a: Conduct backups of user-level information contained in [system components for which to conduct backups of user-level information is defined;] [frequency at which to conduct backups of user-level information consistent with recovery time and recovery point objectives is defined;];

b: Conduct backups of system-level information contained in the system [frequency at which to conduct backups of system-level information consistent with recovery time and recovery point objectives is defined;];

c: Conduct backups of system documentation, including security- and privacy-related documentation [frequency at which to conduct backups of system documentation consistent with recovery time and recovery point objectives is defined;] ; and

d: Protect the confidentiality, integrity, and availability of backup information.

Supplemental

System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of system backup information while in transit is addressed by [MP-5](#mp-5) and [SC-8](#sc-8) . System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements.

CIA Levels
Confidentiality	low
Integrity	low
Availability	low

Overlays
CMMC, DAF Baseline, Privacy (accountability), Privacy (high), Privacy (low), Privacy (moderate)

CSF Categories
PR.IP-4

Related Controls

The controls below (if any) were marked by NIST as being related to CP-9.

Control	Description
CP-2	a: Develop a contingency plan for the system that: 1: Identifies essential mission and business functions and associated contingency requirements; 2: Provides recovery objectives, restoration priorities, and metrics; 3: Addresses contingency roles, responsibilities, assigned individuals with contact information; 4: Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure; 5: Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented; 6: Addresses the sharing of contingency information; and 7: Is reviewed and approved by [one of ]; b: Distribute copies of the contingency plan to [one of ]; c: Coordinate contingency planning activities with incident handling activities; d: Review the contingency plan for the system [frequency of contingency plan review is defined;]; e: Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f: Communicate contingency plan changes to [one of ]; g: Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and h: Protect the contingency plan from unauthorized disclosure and modification.
CP-6	a: Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and b: Ensure that the alternate storage site provides controls equivalent to that of the primary site.
CP-10	Provide for the recovery and reconstitution of the system to a known state within [one of ] after a disruption, compromise, or failure.
MP-4	a: Physically control and securely store [one of ] within [one of ] ; and b: Protect system media types defined in MP-4a until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
MP-5	a: Protect and control [types of system media to protect and control during transport outside of controlled areas are defined;] during transport outside of controlled areas using [one of ]; b: Maintain accountability for system media during transport outside of controlled areas; c: Document activities associated with the transport of system media; and d: Restrict the activities associated with the transport of system media to authorized personnel.
SC-8	Protect the [one or more of "confidentiality"/"integrity"] of transmitted information.
SC-12	Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [requirements for key generation, distribution, storage, access, and destruction are defined;].
SC-13	a: Determine the [cryptographic uses are defined;] ; and b: Implement the following types of cryptography required for each specified cryptographic use: [types of cryptography for each specified cryptographic use are defined;].
SI-4	a: Monitor the system to detect: 1: Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [monitoring objectives to detect attacks and indicators of potential attacks on the system are defined;] ; and 2: Unauthorized local, network, and remote connections; b: Identify unauthorized use of the system through the following techniques and methods: [techniques and methods used to identify unauthorized use of the system are defined;]; c: Invoke internal monitoring capabilities or deploy monitoring devices: 1: Strategically within the system to collect organization-determined essential information; and 2: At ad hoc locations within the system to track specific types of transactions of interest to the organization; d: Analyze detected events and anomalies; e: Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation; f: Obtain legal opinion regarding system monitoring activities; and g: Provide [system monitoring information to be provided to personnel or roles is defined;] to [personnel or roles to whom system monitoring information is to be provided is/are defined;] [one or more of "as needed"/"{{ insert: param, si-04_odp.06 }} "].
SI-13	a: Determine mean time to failure (MTTF) for the following system components in specific environments of operation: [system components for which mean time to failure (MTTF) should be determined are defined;] ; and b: Provide substitute system components and a means to exchange active and standby components in accordance with the following criteria: [mean time to failure (MTTF) substitution criteria to be used as a means to exchange active and standby components are defined;].

Enhancements

The controls below (if any) add on to the requirements of CP-9.

Control	Description
CP-9(1)	Test backup information [one of ] to verify media reliability and information integrity.
CP-9(2)	Use a sample of backup information in the restoration of selected system functions as part of contingency plan testing.
CP-9(3)	Store backup copies of [critical system software and other security-related information backups to be stored in a separate facility are defined;] in a separate facility or in a fire rated container that is not collocated with the operational system.
CP-9(4)
CP-9(5)	Transfer system backup information to the alternate storage site [one of ].
CP-9(6)	Conduct system backup by maintaining a redundant secondary system that is not collocated with the primary system and that can be activated without loss of information or disruption to operations.
CP-9(7)	Enforce dual authorization for the deletion or destruction of [backup information for which to enforce dual authorization in order to delete or destroy is defined;].
CP-9(8)	Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of [backup information to protect against unauthorized disclosure and modification is defined;].

Related CCIs

The CCIs below are tied to CP-9.

CCI	Definition
CCI-000534	Defines the frequency of conducting user-level information backups to support recovery time objectives and recovery point objectives.
CCI-000535	Conduct backups of user-level information contained in organization-defined system components per organization-defined frequency that is consistent with recovery time and recovery point objectives.
CCI-000536	Defines the frequency of conducting system-level information backups to support recovery time objectives and recovery point objectives.
CCI-000537	Conduct backups of system-level information contained in the system per organization-defined frequency that is consistent with recovery time and recovery point objectives.
CCI-000538	Defines the frequency of conducting system documentation backups, including security-related documentation, to support recovery time objectives and recovery point objectives.
CCI-000539	Conduct backups of system documentation, including security-related documentation, per an organization-defined frequency that is consistent with recovery time and recovery point objectives.
CCI-004020	Defines the system components to conduct backups of user level information.
CCI-004021	Conduct backups of system documentation, including privacy-related documentation, per an organization-defined frequency that is consistent with recovery time and recovery point objectives.
CCI-004022	Protect the confidentiality of backup information.
CCI-004023	Protect integrity of backup information.
CCI-004024	Protect the availability of backup information.