>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

CP-9 (03)System Backup | Separate Storage for Critical Information

High

>Control Description

Store backup copies of organization-defined critical system software and other security-related information in a separate facility or in a fire rated container that is not collocated with the operational system.

>FedRAMP Baseline Requirements

No FedRAMP-specific parameter values or requirements for this baseline.

>Discussion

Separate storage for critical information applies to all critical information regardless of the type of backup storage media. Critical system software includes operating systems, middleware, cryptographic key management systems, and intrusion detection systems. Security-related information includes inventories of system hardware, software, and firmware components.

Alternate storage sites, including geographically distributed architectures, serve as separate storage facilities for organizations. Organizations may provide separate storage by implementing automated backup processes at alternative storage sites (e.g., data centers). The General Services Administration (GSA) establishes standards and specifications for security and fire rated containers.

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of CP-9(3) (Separate Storage For Critical Information)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring CP-9(3)?
  • How frequently is the CP-9(3) policy reviewed and updated, and what triggers policy changes?
  • What governance structure ensures CP-9(3) requirements are consistently applied across all systems?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce CP-9(3) requirements.
  • What automated tools, systems, or technologies are deployed to implement CP-9(3)?
  • How is CP-9(3) integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce CP-9(3) requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of CP-9(3)?
  • What audit logs, records, reports, or monitoring data validate CP-9(3) compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of CP-9(3) effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate CP-9(3) compliance?

Ask AI

Configure your API key to use AI features.