HOME

CP-9

CP-9 H M L
Description

The organization:
a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
d. Protects the confidentiality, integrity, and availability of backup information at storage locations.

FedRAMP
  • H CP-9 (a) [daily incremental; weekly full] CP-9 (b) [daily incremental; weekly full] CP-9 (c) [daily incremental; weekly full]
  • M CP-9 (a) [daily incremental; weekly full] CP-9 (b) [daily incremental; weekly full] CP-9 (c) [daily incremental; weekly full]
  • L CP-9 (a) [daily incremental; weekly full] CP-9 (b) [daily incremental; weekly full] CP-9 (c) [daily incremental; weekly full]
DISA Cloud Computing SRG

a. at least weekly as defined in the contingency plan
b. at least weekly and as required by system baseline configuration changes in accordance with the contingency plan
c. when created or received, when updated, and as required by system baseline configuration changes in accordance with the contingency plan

Source:
DoD RMF TAG

Supplemental Guidance

System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the
scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information.

Further Guidance

CP-9 Requirement: The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.
CP-9 (a) Requirement: The service provider maintains at least three backup copies of user-level information (at least one of which is available online) or provides an equivalent alternative.
CP-9 (b) Requirement: The service provider maintains at least three backup copies of system-level information (at least one of which is available online) or provides an equivalent alternative.
CP-9 (c) Requirement: The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online) or provides an equivalent alternative.

Related Controls