CP-9

CP-9 INFORMATION SYSTEM BACKUP

Overview

Number	Title	Impact	Priority	Subject Area
CP-9	Information System Backup	LOW	P1	Contingency Planning

Instructions
The organization: CP-9a. Conducts backups of user-level information contained in the information system Assignment: organization-defined frequency consistent with recovery time and recovery point objectives; CP-9b. Conducts backups of system-level information contained in the information system Assignment: organization-defined frequency consistent with recovery time and recovery point objectives; CP-9c. Conducts backups of information system documentation including security-related documentation Assignment: organization-defined frequency consistent with recovery time and recovery point objectives; and CP-9d. Protects the confidentiality, integrity, and availability of backup information at storage locations.

Instructions

The organization:

CP-9a.

Conducts backups of user-level information contained in the information system Assignment: organization-defined frequency consistent with recovery time and recovery point objectives;

CP-9b.

Conducts backups of system-level information contained in the information system Assignment: organization-defined frequency consistent with recovery time and recovery point objectives;

CP-9c.

Conducts backups of information system documentation including security-related documentation Assignment: organization-defined frequency consistent with recovery time and recovery point objectives; and

CP-9d.

Protects the confidentiality, integrity, and availability of backup information at storage locations.

Guidance
System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information.

Guidance

System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information.

Enhancements

CP-9 (1) Testing For Reliability / Integrity

MODERATE

The organization tests backup information Assignment: organization-defined frequency to verify media reliability and information integrity.

CP-9 (2) Test Restoration Using Sampling

HIGH

The organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing.

CP-9 (3) Separate Storage For Critical Information

HIGH

Critical information system software includes, for example, operating systems, cryptographic key management systems, and intrusion detection/prevention systems. Security-related information includes, for example, organizational inventories of hardware, software, and firmware components. Alternate storage sites typically serve as separate storage facilities for organizations.

The organization stores backup copies of Assignment: organization-defined critical information system software and other security-related information in a separate facility or in a fire-rated container that is not collocated with the operational system.

CP-9 (4) Protection From Unauthorized Modification

Withdrawn: Incorporated into CP-9.

CP-9 (5) Transfer To Alternate Storage Site

HIGH

Information system backup information can be transferred to alternate storage sites either electronically or by physical shipment of storage media.

The organization transfers information system backup information to the alternate storage site Assignment: organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives.

CP-9 (6) Redundant Secondary System

The organization accomplishes information system backup by maintaining a redundant secondary system that is not collocated with the primary system and that can be activated without loss of information or disruption to operations.

CP-9 (7) Dual Authorization

Dual authorization ensures that the deletion or destruction of backup information cannot occur unless two qualified individuals carry out the task. Individuals deleting/destroying backup information possess sufficient skills/expertise to determine if the proposed deletion/destruction of backup information reflects organizational policies and procedures. Dual authorization may also be known as two-person control.

The organization enforces dual authorization for the deletion or destruction of Assignment: organization-defined backup information.