Embedded Files
This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization:
a. Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and
b. Ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site.
NIST 800-53 (r4) Supplemental Guidance:
Alternate storage sites are sites that are geographically distinct from primary storage sites. An alternate storage site maintains duplicate copies of information and data in the event that the primary storage site is not available. Items covered by alternate storage site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination of delivery/retrieval of backup
media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems. Related controls: CP-2, CP-7, CP-9, CP-10, MP-4.
References: NIST Special Publication 800-34.
NIST 800-53 (r5) Discussion:
Alternate storage sites are geographically distinct from primary storage sites and maintain duplicate copies of information and data if the primary storage site is not available. Similarly, alternate processing sites provide processing capability if the primary processing site is not available. Geographically distributed architectures that support contingency requirements may be considered alternate storage sites. Items covered by alternate storage site agreements include environmental conditions at the alternate sites, access rules for systems and facilities, physical and environmental protection requirements, and coordination of delivery and retrieval of backup media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential mission and business functions despite compromise, failure, or disruption in organizational systems.
38North Guidance:
Meets Minimum Requirement:
Organization must establish an alternate storage site in a geographically separate cloud region/AZ from the primary storage site. The organization should consider the alternate storage site based on customer isolation and availability requirements (if supporting a customer with stringent requirements).
The organization must ensure there is sufficient physical datacenter separation to reduce the likelihood of natural disasters, civil unrest, power outages, or physical network outages affecting both regions at once.
The organization must verify and validate that the CP requirements are met at the alternate storage site, including reserving storage capacity in an alternate region ensuring storage and retrieval capabilities can be accomplished.
Organization is responsible for all business continuity / disaster recovery at the workload layers including the backup and restoration of the components virtual appliances, virtual machines, and content libraries.
Ensure the alternate storage site provides logical and physical security safeguards that are equivalent to that of the primary storage site.
Best Practice:
TBD.
Unofficial FedRAMP Guidance:
Assessment Evidence:
CP document or equivalent that identifies an alternate processing site which is geographically separate from primary processing site.
Data backups and data restoration procedures that includes information about the alternate storage site.
Alternate storage site agreements.
Evidence of logical and physical security safeguards configured/implemented at the alternate storage site.
Backup schedule and configuration screen shots showing backups are available at an alternate storage site (e.g., daily/weekly/monthly incremental/full backups).
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD
Page updated
Report abuse