This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats.
CP-7 (1) Additional FedRAMP Requirements and Guidance: The service provider may determine what is considered a sufficient degree of separation between the primary and alternate processing sites, based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites will be less relevant.
NIST 800-53 (r4) Supplemental Guidance:
Threats that affect alternate processing sites are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber attacks, and errors of omission/commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate processing sites based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites is less relevant. Related control: RA-3.
NIST 800-53 (r5) Discussion:
Threats that affect alternate processing sites are defined in organizational assessments of risk and include natural disasters, structural failures, hostile attacks, and errors of omission or commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate processing sites based on the types of threats that are of concern. For threats such as hostile attacks, the degree of separation between sites is less relevant.
38North Guidance:
Meets Minimum Requirement:
The organization must establish and configure an alternate processing site in a separate region(s) based on customer isolation and availability requirements. The organization must ensure there is sufficient physical separation to reduce the likelihood of natural disasters, civil unrest, power outages, or physical network outages affecting both regions at once.
Best Practice:
It is recommended that the alternate processing site be located in a separate regional location that will not be affected in the event of an area-wide disruption or disaster, and that the organization outline explicit mitigation actions (e.g., replicating backup data to other alternate storage sites).
Unofficial FedRAMP Guidance: None.
Assessment Evidence:
Alternate processing site agreements.
Contingency Plan and Policy.
CP document that identifies the primary and alternate processing site locations, which are geographically separate, with backup and restoration procedures.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD