CP-9—System Backup
>Control Description
Conduct backups of user-level information contained in ⚙organization-defined system components ⚙organization-defined frequency consistent with recovery time and recovery point objectives;
Conduct backups of system-level information contained in the system ⚙organization-defined frequency consistent with recovery time and recovery point objectives;
Conduct backups of system documentation, including security- and privacy-related documentation ⚙organization-defined frequency consistent with recovery time and recovery point objectives; and
Protect the confidentiality, integrity, and availability of backup information.
>FedRAMP Baseline Requirements
Parameter Values
Additional Requirements and Guidance
CP-9 Requirement: The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check. CP-9 (a) Requirement: The service provider maintains at least three backup copies of user-level information (at least one of which is available online) or provides an equivalent alternative. CP-9 (b) Requirement: The service provider maintains at least three backup copies of system-level information (at least one of which is available online) or provides an equivalent alternative. CP-9 (c) Requirement: The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online) or provides an equivalent alternative.
>Discussion
System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes.
Protection of system backup information while in transit is addressed by MP-5 and SC-8. System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information).
Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements.
>Cross-Framework Mappings
>Programmatic Queries
Related Services
CLI Commands
aws backup list-backup-plansaws backup list-backup-vaultsaws ec2 describe-snapshots --owner-ids selfaws rds describe-db-snapshots>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- •What formal policies and procedures govern the implementation of CP-9 (System Backup)?
- •Who are the designated roles responsible for implementing, maintaining, and monitoring CP-9?
- •How frequently is the CP-9 policy reviewed and updated, and what triggers policy changes?
- •What governance structure ensures CP-9 requirements are consistently applied across all systems?
Technical Implementation:
- •Describe the specific technical mechanisms or controls used to enforce CP-9 requirements.
- •What automated tools, systems, or technologies are deployed to implement CP-9?
- •How is CP-9 integrated into your system architecture and overall security posture?
- •What configuration settings, parameters, or technical specifications enforce CP-9 requirements?
Evidence & Documentation:
- •What documentation demonstrates the complete implementation of CP-9?
- •What audit logs, records, reports, or monitoring data validate CP-9 compliance?
- •Can you provide evidence of periodic reviews, assessments, or testing of CP-9 effectiveness?
- •What artifacts would you present during a FedRAMP assessment to demonstrate CP-9 compliance?
Ask AI
Configure your API key to use AI features.