catalog: SP800-53rev3 / class: Operational / family: (CP) Contingency Planning

  CP-09: Information System Backup  

base control objective:
The organization:
a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
b. Conducts backups of system-level information (including system state information) contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
d. Protects the confidentiality and integrity of backup information at the storage location.

supplemental objective information:
Digital signatures and cryptographic hashes are examples of mechanisms that can be employed by organizations to protect the integrity of information system backups. An organizational assessment of risk guides the use of encryption for protecting backup information. The protection of system backup information while in transit is beyond the scope of this control.

enhancements to the base objective:

(1) The organization tests backup information [Assignment: organization-defined frequency] to verify media reliability and information integrity.

(2) The organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing.

(3) The organization stores backup copies of the operating system and other critical information system software, as well as copies of the information system inventory (including hardware, software, and firmware components) in a separate facility or in a fire-rated container that is not collocated with the operational system.

(4) Withdrawn: Incorporated into CP-09 (base).

(5) The organization transfers information system backup information to the alternate storage site [Assignment: organization-defined transfer rate consistent with the recovery time and recovery point objectives].

(6) The organization accomplishes information system backup by maintaining a redundant secondary system, not collocated, that can be activated without loss of information or disruption to the operation.
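The supplemental guidance above names cryptographic hashes and digital signatures as integrity mechanisms for backups at the storage location (base control item d), and enhancement (1) requires periodically testing backup information for integrity. The following is an added example, not NIST text or any agency's implementation, of what such a check can look like: a per-file SHA-256 manifest for a backup set, the manifest authenticated with HMAC-SHA256 (standing in here for the digital signature the guidance mentions, because it needs only the standard library), and a verifier that reports modified, missing and unlisted files and refuses a manifest whose tag does not verify. The key, directory layout and file contents are constructed for the demonstration.

```python
"""Hash-and-authenticate manifest for a backup set (added example).

Exercises CP-09(d) integrity protection at the storage location and the
CP-09(1) integrity test. HMAC-SHA256 over the manifest stands in for a
digital signature; MANIFEST_KEY and the sample files are constructed.
"""
import hashlib
import hmac
import json
import os
import tempfile

# Constructed demo key. In practice the signing key is held apart from the
# backup media, otherwise whoever alters the media can re-sign the manifest.
MANIFEST_KEY = b"constructed-demo-key-replace-me"
CHUNK = 1 << 16


def sha256_file(path):
    """Stream a file through SHA-256 so large backup images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(entries):
    # Canonical JSON so the tag does not depend on dict ordering.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(backup_dir, key=MANIFEST_KEY):
    """Hash every regular file under backup_dir and authenticate the listing."""
    entries = {}
    for root, _, files in os.walk(backup_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, backup_dir)
            entries[rel] = {"sha256": sha256_file(full), "size": os.path.getsize(full)}
    tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"files": entries, "hmac_sha256": tag}


def verify_manifest(backup_dir, manifest, key=MANIFEST_KEY):
    """Return (ok, findings). Checks the manifest tag first, then each file."""
    findings = []
    expected = hmac.new(key, _canonical(manifest["files"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac_sha256"]):
        # A forged manifest could vouch for tampered files; stop here.
        findings.append("manifest signature invalid")
        return False, findings
    for rel, meta in manifest["files"].items():
        full = os.path.join(backup_dir, rel)
        if not os.path.isfile(full):
            findings.append(f"missing: {rel}")
        elif sha256_file(full) != meta["sha256"]:
            findings.append(f"modified: {rel}")
    listed = set(manifest["files"])
    for root, _, files in os.walk(backup_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), backup_dir)
            if rel not in listed:
                findings.append(f"unlisted: {rel}")  # data nobody vouched for
    return not findings, findings


def demo():
    """Constructed backup set: clean verify, then tamper with a file, then
    tamper with the manifest to cover the file change."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "etc"))
        with open(os.path.join(d, "etc", "passwd"), "wb") as f:
            f.write(b"root:x:0:0::/root:/bin/sh\n")
        with open(os.path.join(d, "system-state.json"), "wb") as f:
            f.write(b'{"hostname":"backup-demo"}\n')
        manifest = build_manifest(d)
        clean_ok, _ = verify_manifest(d, manifest)
        with open(os.path.join(d, "etc", "passwd"), "ab") as f:
            f.write(b"attacker:x:0:0::/root:/bin/sh\n")
        tampered_ok, findings = verify_manifest(d, manifest)
        forged = json.loads(json.dumps(manifest))  # attacker edits the hash only
        forged["files"][os.path.join("etc", "passwd")]["sha256"] = sha256_file(
            os.path.join(d, "etc", "passwd"))
        forged_ok, forged_findings = verify_manifest(d, forged)
    return clean_ok, tampered_ok, findings, forged_ok, forged_findings


if __name__ == "__main__":
    print(demo())
```

Run the file directly to see the three outcomes; the manifest itself would be written beside the backup set and the key kept with the contingency plan material, not on the same media. The check order matters: the tag is verified before any file hash is trusted, so an attacker who rewrites both a file and its manifest entry is still caught, whereas a bare hash list with no authentication would accept the forgery.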

mapping to FIPS199 baseline:

  LOW: base     MOD: base (1)     HIGH: base (1) (2) (3)  

related controls:

CP-06   Alternate Storage Site
MP-04   Media Storage

documents referenced in SP800-53rev3 for CP-09:

Document              Date            Status   Title
FIPS 199              February 2004   current  Standards for Security Categorization of Federal Information and Information Systems
NIST SP800-21         December 2005   current  Guideline for Implementing Cryptography in the Federal Government
NIST SP800-25         October 2000    current  Federal Agency Use of Public Key Technology for Digital Signatures and Authentication
NIST SP800-34         May 2010        current  Contingency Planning Guide for Information Technology Systems
NIST SP800-41         September 2009  current  Guidelines on Firewalls and Firewall Policy
NIST SP800-44         September 2002  current  Guidelines on Securing Public Web Servers
NIST SP800-45         August 2006     DRAFT    Guidelines on Electronic Mail Security
NIST SP800-57, part 1 August 2005     current  Recommendation for Key Management, Part 1
NIST SP800-57, part 2 August 2005     current  Recommendation for Key Management, Part 2
