Skip to main content

💼 CP-9 System Backup (L)(M)(H)

  • Contextual name: 💼 CP-9 System Backup (L)(M)(H)
  • ID: /frameworks/fedramp-high-security-controls/cp/09
  • Located in: 💼 Contingency Planning

Description

a. Conduct backups of user-level information contained in [Assignment: organization-defined system components][FedRAMP Assignment: daily incremental; weekly full];

b. Conduct backups of system-level information contained in the system [FedRAMP Assignment: daily incremental; weekly full];

c. Conduct backups of system documentation, including security- and privacy-related documentation [FedRAMP Assignment: daily incremental; weekly full]; and

d. Protect the confidentiality, integrity, and availability of backup information.

CP-9 Additional FedRAMP Requirements and Guidance:

Requirement: The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.

(a) Requirement: The service provider maintains at least three (3) backup copies of user-level information (at least one of which is available online) or provides an equivalent alternative.

(b) Requirement: The service provider maintains at least three (3) backup copies of system-level information (at least one of which is available online) or provides an equivalent alternative.

(c) Requirement: The service provider maintains at least three (3) backup copies of information system documentation including security information (at least one of which is available online) or provides an equivalent alternative.

Similar

  • Sections
    • /frameworks/nist-sp-800-53-r5/cp/09
  • Internal
    • ID: dec-c-bf2e90c5

Similar Sections (Take Policies From)

SectionSub SectionsInternal RulesPoliciesFlags
💼 NIST SP 800-53 Revision 5 → 💼 CP-9 System Backup84

Similar Sections (Give Policies To)

SectionSub SectionsInternal RulesPoliciesFlags
💼 FedRAMP Low Security Controls → 💼 CP-9 System Backup (L)(M)(H)7
💼 FedRAMP Moderate Security Controls → 💼 CP-9 System Backup (L)(M)(H)28

Sub Sections

SectionSub SectionsInternal RulesPoliciesFlags
💼 CP-9(1) Testing for Reliability and Integrity (M)(H)
💼 CP-9(2) Test Restoration Using Sampling (H)
💼 CP-9(3) Separate Storage for Critical Information (H)
💼 CP-9(5) Transfer to Alternate Storage Site (H)
💼 CP-9(8) Cryptographic Protection (M)(H)1

Policies (7)

PolicyLogic CountFlags
📝 AWS CloudTrail Log File Validation is not enabled 🟢1🟢 x6
📝 AWS DynamoDB Table Point In Time Recovery is not enabled 🟢1🟢 x6
📝 AWS S3 Bucket Lifecycle Configuration is not enabled 🟢1🟢 x6
📝 AWS S3 Bucket Versioning is not enabled 🟢1🟢 x6
📝 Azure PostgreSQL Flexible Server connection_throttle.enable Parameter is not set to ON 🟢1🟢 x6
📝 Azure Storage Blob Containers Soft Delete is not enabled 🟢1🟢 x6
📝 Google Cloud SQL Instance Automated Backups are not configured 🟢1🟢 x6

Internal Rules

RulePoliciesFlags
✉️ dec-x-2a9e52551
✉️ dec-x-850beea81
✉️ dec-x-a8281d051
✉️ dec-x-b1e1a4941