CP-9—Information System Backup

PBMM (P1)

Secret (P1)

Operational

>Control Description

(A) The organization conducts backups of user-level information contained in the information system ⚙organization-defined frequency consistent with recovery time and recovery point objectives. (B) The organization conducts backups of system-level information contained in the information system ⚙organization-defined frequency consistent with recovery time and recovery point objectives. (C) The organization conducts backups of information system documentation including security-related documentation ⚙organization-defined frequency consistent with recovery time and recovery point objectives. (D) The organization protects the confidentiality, integrity, and availability of backup information at storage locations. (AA) The organization determines retention periods for essential business information and archived backups.

>Supplemental Guidance

System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes.

Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Related controls: CP-2, CP-6, MP-4, MP-5, SC-13

>Tailoring Guidance

Incremental daily backups and full weekly backups can be performed.

>Profile-Specific Parameters

(A) frequency [at a frequency no longer than daily]

Ask AI

Configure your API key to use AI features.