CP-9 System Backup
Control
a.
Conduct backups of user-level information contained in [Assignment: organization-defined system components] [daily incremental; weekly full];
b.
Conduct backups of system-level information contained in the system [daily incremental; weekly full];
c.
Conduct backups of system documentation, including security- and privacy-related documentation [daily incremental; weekly full] ; and
d.
Protect the confidentiality, integrity, and availability of backup information.
Discussion
System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of system backup information while in transit is addressed by MP-5 and SC-8 . System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements.
FedRAMP-Defined Assignment / Selection Parameters
- CP-9 (a) [daily incremental; weekly full] - frequency at which to conduct backups of user-level information consistent with recovery time and recovery point objectives is defined;
- CP-9 (b) [daily incremental; weekly full] - frequency at which to conduct backups of system-level information consistent with recovery time and recovery point objectives is defined;
- CP-9 (c) [daily incremental; weekly full] - frequency at which to conduct backups of system documentation consistent with recovery time and recovery point objectives is defined;