This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization:
a. Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable;
b. Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and
c. Ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site.
CP-7 (a) Additional FedRAMP Requirements and Guidance: The service provider defines a time period consistent with the recovery time objectives and business impact analysis.
NIST 800-53 (r4) Supplemental Guidance:
Alternate processing sites are sites that are geographically distinct from primary processing sites. An alternate processing site provides processing capability in the event that the primary processing site is not available. Items covered by alternate processing site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination for the transfer/assignment of personnel. Requirements are specifically allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems. Related controls: CP-2, CP-6, CP-8, CP-9, CP-10, MA-6.
References: NIST Special Publication 800-34.
NIST 800-53 (r5) Discussion:
Alternate processing sites are geographically distinct from primary processing sites and provide processing capability if the primary processing site is not available. The alternate processing capability may be addressed using a physical processing site or other alternatives, such as failover to a cloud-based service provider or other internally or externally provided processing service. Geographically distributed architectures that support contingency requirements may also be considered alternate processing sites. Controls that are covered by alternate processing site agreements include the environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and the coordination for the transfer and assignment of personnel. Requirements are allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential mission and business functions despite disruption, compromise, or failure in organizational systems.
38North Guidance:
Meets Minimum Requirement:
The organization must establish and configure an alternate processing site in a separate cloud region(s) from the primary processing site to ensure the continuation of secure system operation. The organization should consider the alternate processing site based on customer isolation and availability requirements (if supporting a customer with stringent requirements).
Ensure the primary and alternate sites are far enough apart that they are not affected by the same hazards (e.g., power outages, storms).
Establish and define an RTO for the alternate processing site (e.g., hot, warm, cold site).
Customer applications must be able to fail over to an alternate site and maintain production workloads there, within the terms agreed with the customer in an SLA based on the RTO/RPO for the application.
The organization is responsible for all business continuity / disaster recovery at the workload layers, including the backup and restoration of the components.
CP activities must consider all dependencies within the supply chain such as dependence on cloud providers, any third-party external services and their SLAs, etc.
Ensure that the alternate processing site has physical and logical security safeguards equivalent to those of the primary processing site.
Best Practice:
TBD.
Unofficial FedRAMP Guidance:
The CSP must define a time period consistent with RTOs and the BIA.
Assessment Evidence:
Alternate processing site agreements.
Backup schedule and configuration showing that backups are available at an alternate processing site that is geographically distributed in accordance with customer requirements in SLAs, and that RTOs are being met.
CP documentation including supply chain dependencies and associated outages, faults, or delays.
Evidence that logical and physical security safeguards are implemented at the alternate site and are equivalent to the primary site.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD