BRACKETOLOGY | FEDRAMP
CP-6: ALTERNATE STORAGE SITE
FedRAMP Baseline Membership CP-6:
Use the FedRAMP Control Membership information above to determine if a control or control enhancement is required for each Impact Baseline — LOW, MODERATE, or HIGH
Click on the panel below each control or control enhancement to review the FedRAMP Impact Baseline-specific control configuration requirements for each of the [BRACKETS] in each control and/or control enhancement.
Review and use Additional Requirements and Guidance to build FedRAMP-compliant controls for your risk-based cybersecurity program.
To change the baseline view in the panel, click on LOW, MODERATE, or HIGH when the panel is open
Panels only appear where there are [BRACKETS] in the control or enhancement or where there is FedRAMP-specific requirements or guidance available.
- a. Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and
- b. Ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site.
Alternate storage sites are sites that are geographically distinct from primary storage sites. An alternate storage site maintains duplicate copies of information and data in the event that the primary storage site is not available. Items covered by alternate storage site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination of delivery/retrieval of backup media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems.
RELATED CONTROLS: CP-6
CP-6 (1) ALTERNATE STORAGE SITE | SEPARATION FROM PRIMARY SITE
FedRAMP Baseline Membership CP-6 (1):
The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats.
Threats that affect alternate storage sites are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber attacks, and errors of omission/commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate storage sites based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites is less relevant.
RELATED CONTROLS: CP-6 (1)
CP-6 (2) ALTERNATE STORAGE SITE | RECOVERY TIME/POINT OBJECTIVES
FedRAMP Baseline Membership CP-6 (2):
The organization configures the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives.
Supplemental Guidance: NONE
CP-6 (3) ALTERNATE STORAGE SITE | ACCESSIBILITY
FedRAMP Baseline Membership CP-6 (3):
The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
Area-wide disruptions refer to those types of disruptions that are broad in geographic scope (e.g., hurricane, regional power outage) with such determinations made by organizations based on organizational assessments of risk. Explicit mitigation actions include, for example: (i) duplicating backup information at other alternate storage sites if access problems occur at originally designated alternate sites; or (ii) planning for physical access to retrieve backup information if electronic accessibility to the alternate site is disrupted.
RELATED CONTROLS: CP-6 (3)
- NIST Special Publication 800-34