CP-9 System Backup
Control
a.
Conduct backups of user-level information contained in [Assignment: organization-defined system components] [daily incremental; weekly full];
b.
Conduct backups of system-level information contained in the system [daily incremental; weekly full];
c.
Conduct backups of system documentation, including security- and privacy-related documentation [daily incremental; weekly full] ; and
d.
Protect the confidentiality, integrity, and availability of backup information.
Requirement:
The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.
(a) Requirement:
The service provider maintains at least three backup copies of user-level information (at least one of which is available online) or provides an equivalent alternative.
(b) Requirement:
The service provider maintains at least three backup copies of system-level information (at least one of which is available online) or provides an equivalent alternative.
(c) Requirement:
The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online) or provides an equivalent alternative.
Discussion
System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of system backup information while in transit is addressed by MP-5 and SC-8 . System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements.
FedRAMP-Defined Assignment / Selection Parameters
- CP-9 (a) [daily incremental; weekly full] - frequency at which to conduct backups of user-level information consistent with recovery time and recovery point objectives is defined;
- CP-9 (b) [daily incremental; weekly full] - frequency at which to conduct backups of system-level information consistent with recovery time and recovery point objectives is defined;
- CP-9 (c) [daily incremental; weekly full] - frequency at which to conduct backups of system documentation consistent with recovery time and recovery point objectives is defined;