This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization stores backup copies of [Assignment: organization-defined critical information system software and other security-related information] in a separate facility or in a fire-rated container that is not collocated with the operational system.
NIST 800-53 (r4) Supplemental Guidance:
Critical information system software includes, for example, operating systems, cryptographic key management systems, and intrusion detection/prevention systems. Security-related information includes, for example, organizational inventories of hardware, software, and firmware components. Alternate storage sites typically serve as separate storage facilities for organizations. Related controls: CM-2, CM-8.
NIST 800-53 (r5) Discussion:
Separate storage for critical information applies to all critical information regardless of the type of backup storage media. Critical system software includes operating systems, middleware, cryptographic key management systems, and intrusion detection systems. Security-related information includes inventories of system hardware, software, and firmware components. Alternate storage sites, including geographically distributed architectures, serve as separate storage facilities for organizations. Organizations may provide separate storage by implementing automated backup processes at alternative storage sites (e.g., data centers). The General Services Administration (GSA) establishes standards and specifications for security and fire rated containers.
38North Guidance:
Meets Minimum Requirement:
Critical information system software and security information must be identified and listed.
A copy of the organization's CP demonstrating that copies of critical components are stored in a separate facility or a fire-rated container (see PE-13).
Best Practice:
TBD.
Unofficial FedRAMP Guidance: None.
Assessment Evidence:
Provide the list of critical information system software and security information.
Provide the CP, highlighting storage of the critical information in a separate facility or fire-rated container.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD