Navigate

CP-9

CP-9: Information System Backup

The organization:

a: Conducts backups of user-level information contained in the information system [one of ];

b: Conducts backups of system-level information contained in the information system [one of ];

c: Conducts backups of information system documentation including security-related documentation [one of ]; and

d: Protects the confidentiality, integrity, and availability of backup information at storage locations.

Supplemental

System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information.

CIA Levels
Confidentiality	low
Integrity	low
Availability	low

Overlays
Privacy (High), Privacy (Mod), Privacy (PHI)

CSF Categories
PR.IP-4

Related Controls

The controls below (if any) were marked by NIST as being related to CP-9.

Control	Description
CP-2	The organization: a: Develops a contingency plan for the information system that: 1: Identifies essential missions and business functions and associated contingency requirements; 2: Provides recovery objectives, restoration priorities, and metrics; 3: Addresses contingency roles, responsibilities, assigned individuals with contact information; 4: Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5: Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6: Is reviewed and approved by [one of ]; b: Distributes copies of the contingency plan to [one of ]; c: Coordinates contingency planning activities with incident handling activities; d: Reviews the contingency plan for the information system [one of ]; e: Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f: Communicates contingency plan changes to [one of ]; and g: Protects the contingency plan from unauthorized disclosure and modification.
CP-6	The organization: a: Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and b: Ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site.
MP-4	The organization: a: Physically controls and securely stores [one of ] within [one of ]; and b: Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
MP-5	The organization: a: Protects and controls [one of ] during transport outside of controlled areas using [one of ]; b: Maintains accountability for information system media during transport outside of controlled areas; c: Documents activities associated with the transport of information system media; and d: Restricts the activities associated with the transport of information system media to authorized personnel.
SC-13	The information system implements [one of ] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

Enhancements

The controls below (if any) add on to the requirements of CP-9.

Control	Description
CP-9(1)	The organization tests backup information [one of ] to verify media reliability and information integrity.
CP-9(2)	The organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing.
CP-9(3)	The organization stores backup copies of [one of ] in a separate facility or in a fire-rated container that is not collocated with the operational system.
CP-9(4)
CP-9(5)	The organization transfers information system backup information to the alternate storage site [one of ].
CP-9(6)	The organization accomplishes information system backup by maintaining a redundant secondary system that is not collocated with the primary system and that can be activated without loss of information or disruption to operations.
CP-9(7)	The organization enforces dual authorization for the deletion or destruction of [one of ].

Related CCIs

The CCIs below are tied to CP-9.

CCI	Definition
CCI-000534	Defines the frequency of conducting user-level information backups to support recovery time objectives and recovery point objectives.
CCI-000535	Conduct backups of user-level information contained in organization-defined system components per organization-defined frequency that is consistent with recovery time and recovery point objectives.
CCI-000536	Defines the frequency of conducting system-level information backups to support recovery time objectives and recovery point objectives.
CCI-000537	Conduct backups of system-level information contained in the system per organization-defined frequency that is consistent with recovery time and recovery point objectives.
CCI-000538	Defines the frequency of conducting system documentation backups, including security-related documentation, to support recovery time objectives and recovery point objectives.
CCI-000539	Conduct backups of system documentation, including security-related documentation, per an organization-defined frequency that is consistent with recovery time and recovery point objectives.
CCI-000540	The organization protects the confidentiality, integrity, and availability of backup information at storage locations.