KSI-RPL-ABO—Aligning Backups with Objectives
Formerly KSI-RPL-03
Control Description
NIST 800-53 Controls
Trust Center Components
Ways to express your implementation of this indicator — approaches vary by organization size, complexity, and data sensitivity.
From the field: Mature implementations express risk management through structured frameworks with measurable outputs — risk registers with treatment plans tracked to completion, risk appetite statements with explicit thresholds by category, and annual assessment results published as evidence. Risk management is demonstrated through governance artifacts and tracked decisions, not just policy documents.
Risk Management Framework
Framework expressing how risks are identified, assessed, and treated — methodology, decision criteria, and assessment schedule
Risk Register Summary
Top risks with treatment plans — evidence that risk is actively managed and tracked to resolution
Risk Appetite Statement
Risk appetite statement expressing acceptable risk thresholds by category
Programmatic Queries
CLI Commands
aws backup list-backup-plans --query "BackupPlansList[].{Name:BackupPlanName,Id:BackupPlanId,Created:CreationDate}" --output table
aws backup list-backup-vaults --query "BackupVaultList[].{Name:BackupVaultName,Points:NumberOfRecoveryPoints,Encrypted:EncryptionKeyArn}" --output table
20x Assessment Focus Areas
Aligned with FedRAMP 20x Phase Two assessment methodology
Completeness & Coverage:
- Does your backup strategy cover all critical machine-based information resources — databases, object storage, configuration data, secrets, IaC state files, and container registry images?
- Are there resources where backups are not performed because they are considered ephemeral or recoverable from code, and how is that determination documented?
- How do you ensure backup coverage extends to all environments and regions where federal customer data is stored, including DR sites?
- When new data stores or services are added, what process ensures they are included in the backup schedule with appropriate RPOs before going live?
Automation & Validation:
- What automated monitoring detects backup failures, and how quickly are failures alerted and investigated?
- How do you validate backup integrity — do you run automated restore tests to confirm backups are not corrupted and can be restored within RPO?
- What happens if a backup job consistently misses its RPO window — is it automatically escalated, and what compensating action is taken?
- How do you test that backups can actually restore to a functioning state, not just that backup files exist?
Inventory & Integration:
- What backup technologies are in use (cloud-native snapshots, third-party backup tools, database-native backups), and how do they cover different resource types?
- How does your backup inventory map to your asset inventory to confirm every critical resource has a corresponding backup policy?
- Are backup configurations (schedules, retention, encryption, storage location) defined as code and version-controlled?
- How do backup systems integrate with your monitoring and alerting to ensure backup health is continuously tracked?
Continuous Evidence & Schedules:
- How do you demonstrate that backups have run successfully and on schedule for the past 90 days for all critical resources?
- Is backup status data (last successful backup, backup size, restore test results) available via API or dashboard?
- How frequently are backup restore tests performed, and what evidence shows each test was completed with results documented?
- What evidence demonstrates that backup RPOs align with defined recovery objectives and that alignment is reviewed persistently?
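One way to turn backup-job evidence into the coverage and RPO-alignment check the Programmatic Queries and assessment questions above ask for, as an added example that is not from this page or from FedRAMP: it joins a constructed asset inventory (required RPO per resource) against a constructed slice of `aws backup list-backup-jobs --output json` and flags resources with no successful backup at all or whose last success is older than the RPO. The ARNs, account id and timestamps are made up.

```python
"""Check backup-job evidence against per-resource RPOs (constructed sample data)."""
from datetime import datetime, timedelta, timezone

# Constructed asset inventory: critical resources and the RPO each must meet.
# In practice this comes from your asset inventory / IaC, not a literal here.
ASSET_INVENTORY = {
    "arn:aws:rds:us-east-1:111122223333:db:payments": timedelta(hours=1),
    "arn:aws:dynamodb:us-east-1:111122223333:table/sessions": timedelta(hours=24),
    "arn:aws:ec2:us-east-1:111122223333:volume/vol-0abc": timedelta(hours=24),
}

# Constructed subset of the BackupJobs[] array returned by `aws backup list-backup-jobs`.
BACKUP_JOBS = [
    {"ResourceArn": "arn:aws:rds:us-east-1:111122223333:db:payments",
     "State": "COMPLETED", "CompletionDate": "2024-05-01T09:30:00+00:00"},
    {"ResourceArn": "arn:aws:rds:us-east-1:111122223333:db:payments",
     "State": "FAILED", "CompletionDate": "2024-05-01T10:30:00+00:00"},
    {"ResourceArn": "arn:aws:dynamodb:us-east-1:111122223333:table/sessions",
     "State": "COMPLETED", "CompletionDate": "2024-05-01T02:00:00+00:00"},
]

# Fixed "now" so the check is reproducible; use datetime.now(timezone.utc) in practice.
REFERENCE_NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

def last_successful_backup(jobs):
    """Map ResourceArn -> most recent COMPLETED CompletionDate. Failed jobs never count."""
    latest = {}
    for job in jobs:
        if job.get("State") != "COMPLETED":
            continue
        done = datetime.fromisoformat(job["CompletionDate"])
        arn = job["ResourceArn"]
        if arn not in latest or done > latest[arn]:
            latest[arn] = done
    return latest

def rpo_findings(inventory, jobs, now):
    """Return {arn: reason} for each inventoried resource that does not meet its RPO.
    'uncovered' = no successful backup exists (coverage gap);
    'stale'     = last success is older than the RPO (RPO missed)."""
    latest = last_successful_backup(jobs)
    findings = {}
    for arn, rpo in inventory.items():
        if arn not in latest:
            findings[arn] = "uncovered"
        elif now - latest[arn] > rpo:
            findings[arn] = "stale"
    return findings

def demo_findings():
    return rpo_findings(ASSET_INVENTORY, BACKUP_JOBS, REFERENCE_NOW)
```

Run on real output by loading the JSON from the CLI into `BACKUP_JOBS`; a non-empty result is the evidence of a coverage or RPO gap that the questions above ask you to escalate.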
Update History