This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats.
NIST 800-53 (r4) Supplemental Guidance:
Threats that affect alternate storage sites are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber attacks, and errors of omission/commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate storage sites based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites is less relevant. Related control: RA-3.
NIST 800-53 (r5) Discussion:
Threats that affect alternate storage sites are defined in organizational risk assessments and include natural disasters, structural failures, hostile attacks, and errors of omission or commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate storage sites based on the types of threats that are of concern. For threats such as hostile attacks, the degree of separation between sites is less relevant.
38North Guidance:
Meets Minimum Requirement:
The organization must establish and configure an alternate storage site in a geographically separate cloud region (or regions), selected according to customer isolation and availability requirements. There must be sufficient physical separation between the primary and alternate sites, with the same set of logical and physical security safeguards configured and implemented at both, so that natural disasters, civil unrest, power outages, or physical network outages are unlikely to affect both regions at once.
Best Practice:
It is recommended that the alternate storage site be located in a separate regional location that will not be affected by an area-wide disruption or disaster, and that the organization outline explicit mitigation actions (e.g., replicating backup data to additional alternate storage sites).
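One way to verify the separation requirement in the two paragraphs above is to inventory the backup buckets and their replication rules and confirm that each primary replicates to at least one destination in a region that does not share the primary's geography. The script below is an added example written for this page; it is not 38North's or any CSP's code. It evaluates an inventory shaped like the boto3 responses of get_bucket_location() and get_bucket_replication(), constructed inline so it runs offline, and the region-to-geography grouping is an assumption made for illustration (replace it with the grouping your risk assessment actually uses).

```python
"""Check that each primary backup bucket replicates to an alternate region
that is geographically separate from the primary.

Added example, not code from the page. The inventory below is constructed
to mirror boto3 response shapes; REGION_GEOGRAPHY is an assumed grouping.
"""
from __future__ import annotations

# Assumed grouping: regions in the same group are treated as exposed to the
# same area-wide disruption. Hypothetical; adjust to your risk assessment.
REGION_GEOGRAPHY = {
    "us-east-1": "us-east", "us-east-2": "us-east",
    "us-west-1": "us-west", "us-west-2": "us-west",
    "eu-west-1": "eu-west", "eu-central-1": "eu-central",
}


def bucket_region(location_response: dict) -> str:
    """Map a get_bucket_location() response to a region name.
    S3 returns LocationConstraint=None for us-east-1, so treat None as us-east-1."""
    return location_response.get("LocationConstraint") or "us-east-1"


def bucket_name_from_arn(arn: str) -> str:
    """Destination.Bucket in a replication rule is 'arn:aws:s3:::bucket-name'."""
    return arn.split(":::", 1)[1]


def assess_alternate_site(primary: str, inventory: dict) -> dict:
    """Return findings for one primary bucket.

    inventory maps bucket name -> {"location": <get_bucket_location response>,
                                   "replication": <get_bucket_replication response or None>}
    """
    src_region = bucket_region(inventory[primary]["location"])
    src_geo = REGION_GEOGRAPHY.get(src_region)
    findings: list[str] = []
    separated: list[str] = []

    repl = inventory[primary].get("replication") or {}
    rules = repl.get("ReplicationConfiguration", {}).get("Rules", [])
    if not rules:
        findings.append("no replication rules: no alternate storage site configured")

    for rule in rules:
        rule_id = rule.get("ID")
        if rule.get("Status") != "Enabled":
            findings.append(f"rule {rule_id} is disabled")
            continue
        dest = bucket_name_from_arn(rule["Destination"]["Bucket"])
        if dest not in inventory:
            findings.append(f"rule {rule_id}: destination {dest} not in inventory")
            continue
        dest_region = bucket_region(inventory[dest]["location"])
        if dest_region == src_region:
            findings.append(f"rule {rule_id}: {dest} is in the same region {src_region}")
        elif REGION_GEOGRAPHY.get(dest_region) == src_geo:
            findings.append(f"rule {rule_id}: {dest} ({dest_region}) shares geography "
                            f"'{src_geo}' with the primary")
        else:
            separated.append(dest)

    return {"primary": primary, "region": src_region,
            "separated_destinations": separated, "findings": findings,
            "compliant": bool(separated)}


# Constructed sample inventory (hypothetical bucket names and account ID).
SAMPLE_INVENTORY = {
    "backups-primary": {
        "location": {"LocationConstraint": None},  # i.e. us-east-1
        "replication": {"ReplicationConfiguration": {
            "Role": "arn:aws:iam::123456789012:role/replication",
            "Rules": [
                {"ID": "same-geo", "Status": "Enabled",
                 "Destination": {"Bucket": "arn:aws:s3:::backups-ohio"}},
                {"ID": "cross-geo", "Status": "Enabled",
                 "Destination": {"Bucket": "arn:aws:s3:::backups-oregon"}},
            ]}},
    },
    "backups-ohio": {"location": {"LocationConstraint": "us-east-2"}, "replication": None},
    "backups-oregon": {"location": {"LocationConstraint": "us-west-2"}, "replication": None},
    "backups-orphan": {"location": {"LocationConstraint": "eu-west-1"}, "replication": None},
}

if __name__ == "__main__":
    for name in ("backups-primary", "backups-orphan"):
        print(assess_alternate_site(name, SAMPLE_INVENTORY))
```

Against the constructed inventory, backups-primary passes only because of the Oregon rule; the Ohio rule is flagged because us-east-2 shares the assumed "us-east" geography with us-east-1, and backups-orphan is flagged for having no replication at all. In a real assessment, feed the same function the live responses for every bucket that holds backup data, and extend the inventory with the safeguards each site has in place if you also want to check the "same set of safeguards" requirement.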
Unofficial FedRAMP Guidance: None.
Assessment Evidence:
Data backup and restore procedures
Alternate storage site agreements
Contingency Planning Policy
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD