This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization tests backup information [FedRAMP Assignment: (M) at least annually; (H) at least monthly] to verify media reliability and information integrity.
NIST 800-53 (r4) Supplemental Guidance:
Related control: CP-4.
NIST 800-53 (r5) Discussion:
Organizations need assurance that backup information can be reliably retrieved. Reliability pertains to the systems and system components where the backup information is stored, the operations used to retrieve the information, and the integrity of the information being retrieved. Independent and specialized tests can be used for each of the aspects of reliability. For example, decrypting and transporting (or transmitting) a random sample of backup files from the alternate storage or backup site and comparing the information to the same information at the primary processing site can provide such assurance.
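The sample-and-compare test described in the discussion above can be scripted. The following is an added example, not part of the NIST text or 38North's tooling; it assumes the sampled backup files have already been decrypted and restored to a local directory (`restored_root`, a hypothetical name) and that the primary copy is readable at `primary_root`.

```python
import hashlib
import random
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large backup objects do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_restore_sample(primary_root, restored_root, sample_size, seed=None):
    """Compare a random sample of restored files with the primary copies."""
    primary_root, restored_root = Path(primary_root), Path(restored_root)
    restored = sorted(p.relative_to(restored_root)
                      for p in restored_root.rglob("*") if p.is_file())
    # A recorded seed lets an assessor reproduce the same sample later.
    sample = random.Random(seed).sample(restored, min(sample_size, len(restored)))
    report = {"sampled": len(sample), "matched": [],
              "mismatched": [], "missing_at_primary": []}
    for rel in sample:
        source = primary_root / rel
        if not source.is_file():
            report["missing_at_primary"].append(rel.as_posix())
        elif sha256_file(source) == sha256_file(restored_root / rel):
            report["matched"].append(rel.as_posix())
        else:
            report["mismatched"].append(rel.as_posix())
    # An empty restore must fail: nothing sampled proves nothing retrievable.
    report["passed"] = (bool(sample) and not report["mismatched"]
                        and not report["missing_at_primary"])
    return report


if __name__ == "__main__":
    # Constructed sample data: two files, one corrupted in the restored copy.
    with tempfile.TemporaryDirectory() as tmp:
        primary, restored = Path(tmp, "primary"), Path(tmp, "restored")
        for root in (primary, restored):
            (root / "db").mkdir(parents=True)
            (root / "db" / "orders.dat").write_bytes(b"order-records")
            (root / "app.cfg").write_bytes(b"retention=30")
        (restored / "app.cfg").write_bytes(b"retention=3\x00")
        print(verify_restore_sample(primary, restored, sample_size=10, seed=7))
```

Files that legitimately changed at the primary site after the backup was taken will appear as mismatches, so compare against a point-in-time snapshot or a hash manifest captured at backup time when the data is not static.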
38North Guidance:
Meets Minimum Requirement:
Perform an annual (for Moderate) or monthly (for High) functional CP test that includes an element of system recovery from backup. This ensures that the Organization can recover mission-critical assets from backup during a contingency event, and it verifies media reliability and information integrity.
Best Practice:
TBD.
Unofficial FedRAMP Guidance:
MODERATE baseline systems are required to test backup information at least annually; HIGH baseline systems are required to test it at least monthly.
Assessment Evidence:
Backup, testing and restoration procedures or equivalent documentation.
Provide the Backup Testing Report from the most recent data restore test showing that backup testing was performed consistent with the identified RPO and in accordance with Back Ups and Restore procedures.
Provide evidence that critical issues discovered during contingency plan testing (including backup testing) were addressed within 45 calendar days of initial discovery.
Screenshots or system-generated reports validating that backup restoration testing has completed successfully and in accordance with backup and restoration procedures.
Evidence showing that any failed backups were completed successfully.
Report from most recent data restore test showing that backup testing was performed consistent with the identified RPO and in accordance with Back Ups and Restore procedures.
Contingency planning Policy.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD