This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization:
a. Conducts backups of user-level information contained in the information system [FedRAMP Assignment: (L)(M)(H) daily incremental; weekly full];
b. Conducts backups of system-level information contained in the information system [FedRAMP Assignment: (L)(M)(H) daily incremental; weekly full];
c. Conducts backups of information system documentation including security-related documentation [FedRAMP Assignment: (L)(M)(H) daily incremental; weekly full]; and
d. Protects the confidentiality, integrity, and availability of backup information at storage locations.
CP-9 Additional FedRAMP Requirements and Guidance: The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.
CP-9 (a) Additional FedRAMP Requirements and Guidance: The service provider maintains at least three backup copies of user-level information (at least one of which is available online) or provides an equivalent alternative.
CP-9 (b) Additional FedRAMP Requirements and Guidance: The service provider maintains at least three backup copies of system-level information (at least one of which is available online) or provides an equivalent alternative.
CP-9 (c) Additional FedRAMP Requirements and Guidance: The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online) or provides an equivalent alternative.
NIST 800-53 (r4) Supplemental Guidance:
System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Related controls: CP-2, CP-6, MP-4, MP-5, SC-13.
References: NIST Special Publication 800-34.
NIST 800-53 (r5) Discussion:
System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of system backup information while in transit is addressed by MP-5 and SC-8. System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements.
38North Guidance:
Meets Minimum Requirement:
Configure the backup service to back up and restore user-level information contained in the information system. Perform daily incremental and weekly full backups of user-level information.
System-level information includes, for example, system-state information, operating system and application software, and licenses.
User-level information includes any information other than system-level information (e.g., AD settings, user accounts, groups, etc.).
System security-related documentation (e.g., SSP, CP, IRP, CMP, runbooks, secure code documentation) is protected, maintained, and made accessible based on RBAC.
All backup information must be protected with encryption (FIPS-validated modules) and redundancy so that the confidentiality, integrity, and availability of the backed-up information are actually maintained.
Best Practice:
TBD.
Unofficial FedRAMP Guidance:
The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.
The service provider maintains at least three backup copies of user-level information (at least one of which is available online) or provides an equivalent alternative.
The service provider maintains at least three backup copies of system-level information (at least one of which is available online) or provides an equivalent alternative.
The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online) or provides an equivalent alternative.
Assessment Evidence:
Provide the following documentation:
User-level backup logs and backup schedule for user-level backups.
System-level backup logs and backup schedule for system-level backups.
System documentation backup logs and the backup schedule for system documentation, if the documentation is not stored in GHE.
List of personnel with access to backup logs and assigned privileges to modify or delete backup logs.
Configurations for data at rest encryption implemented for backup information.
CP documents that include information for a schedule for when/how backups are conducted for user-level, system-level, and information system security-related documentation.
User-level backups: Evidence that service backup commitments are documented in their service description and are met as part of the contractual terms of service (e.g., backup schedules, example backup logs, etc.).
System-level backups: Evidence that RPOs are met for backed-up data and are documented in a CP document or equivalent (e.g., backup schedules, example backup logs, etc.).
Proof that failed backups were re-run to successful completion, including evidence of backup monitoring.
List of personnel with access to backup logs and privileges to modify or delete backup logs (including monthly/quarterly access reviews according to AC-2).
Configurations of the backup implementations used for backup information.
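A check of the kind the FedRAMP guidance above asks the provider to define (how backups are verified and how often), run over a constructed backup log to flag missed daily incrementals, a missing weekly full, too few copies, and failed runs never re-run. This is an added example, not from the page or any backup product; the log format (date, dataset, type, status, copy count, online copies) and the dataset names are assumptions.

```python
"""Check a backup log against FedRAMP CP-9 requirements. Added example; log format is assumed."""
from collections import defaultdict, namedtuple
from datetime import date, timedelta
# Constructed sample log, not real tool output: date dataset type status copies online
SAMPLE_LOG = """\
2024-03-04 user-level incremental ok 3 1
2024-03-05 user-level incremental ok 3 1
2024-03-06 user-level incremental ok 3 1
2024-03-07 user-level incremental ok 3 1
2024-03-08 user-level incremental ok 3 1
2024-03-09 user-level incremental ok 3 1
2024-03-10 user-level full ok 3 1
2024-03-04 system-level incremental failed 0 0
2024-03-04 system-level incremental ok 3 1
2024-03-10 system-level full ok 2 0
2024-03-08 documentation full failed 0 0
"""
Run = namedtuple("Run", "date dataset kind status copies online")

def parse_log(text):
    """One record per line; malformed lines are skipped rather than trusted."""
    runs = []
    for f in (line.split() for line in text.splitlines()):
        if len(f) == 6:
            runs.append(Run(date.fromisoformat(f[0]), f[1], f[2], f[3], int(f[4]), int(f[5])))
    return runs

def check_cp9(runs, week_end, datasets=("user-level", "system-level", "documentation")):
    """Return {dataset: [findings]} for the 7 days ending on week_end; [] means compliant."""
    days = [week_end - timedelta(days=i) for i in range(6, -1, -1)]
    by_ds = defaultdict(list)
    for r in runs:
        if days[0] <= r.date <= week_end:
            by_ds[r.dataset].append(r)
    report = {}
    for ds in datasets:
        rs, ok = by_ds[ds], [r for r in by_ds[ds] if r.status == "ok"]
        issues = [f"no successful backup on {d}" for d in days if d not in {r.date for r in ok}]
        if not any(r.kind == "full" for r in ok):
            issues.append("no successful weekly full backup")
        for r in ok:  # FedRAMP guidance: at least three copies, at least one of them online
            if r.copies < 3 or r.online < 1:
                issues.append(f"{r.kind} on {r.date} kept {r.copies} copies, {r.online} online")
        for r in rs:  # a failed run must be followed by a successful run of the same type
            if r.status == "failed" and not any(o.date >= r.date and o.kind == r.kind for o in ok):
                issues.append(f"failed {r.kind} on {r.date} was never re-run successfully")
        report[ds] = issues
    return report

def run_sample():
    return check_cp9(parse_log(SAMPLE_LOG), date(2024, 3, 10))
```

Run against the constructed log, the user-level dataset comes back clean while system-level and documentation produce the findings an assessor would expect to see resolved in the evidence package.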
CSP Implementation Tips:
Amazon Web Services (AWS):
Place backups in different AWS regions and/or availability zones (AZs).
Make sure to encrypt backups at rest and in transit. Turn on S3 bucket encryption for backup S3 buckets.
The S3 Replication service can help implement a backup solution. With bucket replication enabled, AWS automatically copies the objects in one bucket into another bucket, which can be in the same or a different AWS account. Replication requires versioning to be enabled on both the source and destination buckets.
EC2 instances can be backed up and moved across regions using EBS volume snapshots.
Microsoft Azure: TBD
Google Cloud Platform: TBD