1. Home
  2. FedRAMP
  3. CP-9

BRACKETOLOGY | FEDRAMP

CP-9: INFORMATION SYSTEM BACKUP

  • FedRAMP Baseline Membership CP-9:
  • LOW
  • MODERATE
  • HIGH

FedRAMP Bracketology

Use the FedRAMP Control Membership information above to determine if a control or control enhancement is required for each Impact Baseline — LOW, MODERATE, or HIGH

Click on the panel below each control or control enhancement to review the FedRAMP Impact Baseline-specific control configuration requirements for each of the [BRACKETS] in each control and/or control enhancement.

Review and use Additional Requirements and Guidance to build FedRAMP-compliant controls for your risk-based cybersecurity program.

To change the baseline view in the panel, click on LOW, MODERATE, or HIGH when the panel is open

Panels only appear where there are [BRACKETS] in the control or enhancement or where there is FedRAMP-specific requirements or guidance available.

The organization:

    • a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
    • b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
    • c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
    • d. Protects the confidentiality, integrity, and availability of backup information at storage locations.

Click Low | Moderate | High below to see FedRAMP control configuration information. It's in BOLD.

The organization:

  • a. Conducts backups of user-level information contained in the information system daily incremental; weekly full;
  • b. Conducts backups of system-level information contained in the information system daily incremental; weekly full;
  • c. Conducts backups of information system documentation including security-related documentation daily incremental; weekly full; and
  • d. Protects the confidentiality, integrity, and availability of backup information at storage locations.

FedRAMP REQUIREMENT

The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.

CP-9a.: The service provider maintains at least three backup copies of user-level information (at least one of which is available online).

CP-9b: The service provider maintains at least three backup copies of system-level information (at least one of which is available online).

CP-9c: The service provider maintains at least three backup copies of system-level information (at least one of which is available online).

periodicity
Noun chiefly technical | the quality or character of being periodic; the tendency to recur at intervals

The organization:

  • a. Conducts backups of user-level information contained in the information system daily incremental; weekly full;
  • b. Conducts backups of system-level information contained in the information system daily incremental; weekly full;
  • c. Conducts backups of information system documentation including security-related documentation daily incremental; weekly full; and
  • d. Protects the confidentiality, integrity, and availability of backup information at storage locations.

FedRAMP REQUIREMENT

The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.

CP-9a.: The service provider maintains at least three backup copies of user-level information (at least one of which is available online).

CP-9b: The service provider maintains at least three backup copies of system-level information (at least one of which is available online).

CP-9c: The service provider maintains at least three backup copies of system-level information (at least one of which is available online).

periodicity
Noun chiefly technical | the quality or character of being periodic; the tendency to recur at intervals

The organization:

  • a. Conducts backups of user-level information contained in the information system daily incremental; weekly full;
  • b. Conducts backups of system-level information contained in the information system daily incremental; weekly full;
  • c. Conducts backups of information system documentation including security-related documentation daily incremental; weekly full; and
  • d. Protects the confidentiality, integrity, and availability of backup information at storage locations.

FedRAMP REQUIREMENT

The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.

CP-9a.: The service provider maintains at least three backup copies of user-level information (at least one of which is available online).

CP-9b: The service provider maintains at least three backup copies of system-level information (at least one of which is available online).

CP-9c: The service provider maintains at least three backup copies of system-level information (at least one of which is available online).

periodicity
Noun chiefly technical | the quality or character of being periodic; the tendency to recur at intervals

SUPPLEMENTAL GUIDANCE

System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information.

CONTROL ENHANCEMENTS

CP-9 (1) INFORMATION SYSTEM BACKUP | TESTING FOR RELIABILITY / INTEGRITY
  • FedRAMP Baseline Membership CP-9 (1):
  • MODERATE
  • HIGH

The organization tests backup information [Assignment: organization-defined frequency] to verify media reliability and information integrity.

Supplemental Guidance: NONE

RELATED CONTROLS: CP-9 (1)

CP-9 (2) INFORMATION SYSTEM BACKUP | TEST RESTORATION USING SAMPLING
  • FedRAMP Baseline Membership CP-9 (2):
  • HIGH

The organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing.

Supplemental Guidance: NONE

RELATED CONTROLS: CP-9 (2)

CP-9 (3) INFORMATION SYSTEM BACKUP | SEPARATE STORAGE FOR CRITICAL INFORMATION
  • FedRAMP Baseline Membership CP-9 (3):
  • MODERATE
  • HIGH

The organization stores backup copies of [Assignment: organization-defined critical information system software and other security-related information] in a separate facility or in a fire-rated container that is not collocated with the operational system.

Click Low | Moderate | High below to see FedRAMP control configuration information. It's in BOLD.

There are no FedRAMP-specific requirements if this control is used for a LOW Impact system.

The organization tests backup information at least monthly to verify media reliability and information integrity.

The organization tests backup information at least monthly to verify media reliability and information integrity.


CP-9 (3) INFORMATION SYSTEM BACKUP | SEPARATE STORAGE FOR CRITICAL INFORMATION
  • FedRAMP Baseline Membership CP-9 (3):
  • MODERATE
  • HIGH

The organization stores backup copies of [Assignment: organization-defined critical information system software and other security-related information] in a separate facility or in a fire-rated container that is not collocated with the operational system.

Click Low | Moderate | High below to see FedRAMP control configuration information. It's in BOLD.

There are no FedRAMP-specific requirements if this control is used for a LOW Impact system.

There are no FedRAMP-specific requirements if this control is used for a MODERATE Impact system.

There are no FedRAMP-specific requirements if this control is used for a HIGH Impact system.


Supplemental Guidance:

Critical information system software includes, for example, operating systems, cryptographic key management systems, and intrusion detection/prevention systems. Security-related information includes, for example, organizational inventories of hardware, software, and firmware components. Alternate storage sites typically serve as separate storage facilities for organizations.

RELATED CONTROLS: CP-9 (3)

CP-9 (4) INFORMATION SYSTEM BACKUP | PROTECTION FROM UNAUTHORIZED MODIFICATION

[Withdrawn: Incorporated into CP-9]. (See above.)

CP-9 (5) INFORMATION SYSTEM BACKUP | TRANSFER TO ALTERNATE STORAGE SITE
  • FedRAMP Baseline Membership CP-9 (5):
  • HIGH

The organization transfers information system backup information to the alternate storage site [Assignment: organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives].

Click Low | Moderate | High below to see FedRAMP control configuration information. It's in BOLD.

There are no FedRAMP-specific requirements if this control is used for a LOW Impact system.

There are no FedRAMP-specific requirements if this control is used for a MODERATE Impact system.

The organization transfers information system backup information to the alternate storage site time period and transfer rate consistent with the recovery time and recovery point objectives defined in the service provider and organization SLA.

Supplemental Guidance:

Information system backup information can be transferred to alternate storage sites either electronically or by physical shipment of storage media.

CP-9 (6) INFORMATION SYSTEM BACKUP | REDUNDANT SECONDARY SYSTEM

The organization accomplishes information system backup by maintaining a redundant secondary system that is not collocated with the primary system and that can be activated without loss of information or disruption to operations.

Supplemental Guidance: NONE

RELATED CONTROLS: CP-9 (6)

CP-9 (7) INFORMATION SYSTEM BACKUP | DUAL AUTHORIZATION

The organization enforces dual authorization for the deletion or destruction of [Assignment: organization-defined backup information].

Supplemental Guidance:

Dual authorization ensures that the deletion or destruction of backup information cannot occur unless two qualified individuals carry out the task. Individuals deleting/destroying backup information possess sufficient skills/expertise to determine if the proposed deletion/destruction of backup information reflects organizational policies and procedures. Dual authorization may also be known as two-person control.

RELATED CONTROLS: CP-9 (7)

REFERENCES:

  • NIST Special Publication 800-34