CP-09 System Backup
a. Conduct backups of user-level information contained in cp-09_odp.01 cp-09_odp.02;
b. Conduct backups of system-level information contained in the system cp-09_odp.03;
c. Conduct backups of system documentation, including security- and privacy-related documentation cp-09_odp.04; and
d. Protect the confidentiality, integrity, and availability of backup information.
System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of system backup information while in transit is addressed by MP-5 and SC-8. System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements.
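As an added illustration of the integrity mechanisms named above (cryptographic hashes sealed by a signature), not part of the control text: this Python example hashes every file in a backup set, seals the hash list, and on verification reports a forged manifest, modified files and missing files separately. HMAC-SHA256 stands in for the asymmetric digital signature a deployment would apply; the file names, contents and key are constructed.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()  # streamed so large archives are not read into memory
    with path.open("rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(backup_dir: Path, key: bytes) -> dict:
    """Hash every file, then seal the list; HMAC stands in (assumption) for a signature."""
    files = {p.relative_to(backup_dir).as_posix(): sha256_file(p)
             for p in sorted(backup_dir.rglob("*")) if p.is_file()}
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify_manifest(backup_dir: Path, manifest: dict, key: bytes) -> dict:
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    result = {"manifest_ok": hmac.compare_digest(expected, manifest["tag"]),
              "modified": [], "missing": []}
    if not result["manifest_ok"]:
        return result  # an unsealed hash list cannot be trusted to judge the files
    for rel, digest in manifest["files"].items():
        p = backup_dir / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif not hmac.compare_digest(sha256_file(p), digest):
            result["modified"].append(rel)
    return result

def demo() -> tuple:
    # Constructed backup set (sample data): one file is later altered, one deleted.
    key = b"constructed-demo-key-not-for-production"
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("listen=443\n")
        (root / "users.db").write_bytes(b"\x00" * 1000)
        manifest = build_manifest(root, key)
        clean = verify_manifest(root, manifest, key)
        (root / "etc" / "app.conf").write_text("listen=80\n")  # silent modification
        (root / "users.db").unlink()                            # lost file
        damaged = verify_manifest(root, manifest, key)
        forged = dict(manifest, files={**manifest["files"], "extra.bin": "00" * 32})
        return clean, damaged, verify_manifest(root, forged, key)
```

The manifest and key must be stored apart from the backup media (see CP-09(03) and SC-12), otherwise whoever can alter the backup can re-seal it.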
- FIPS 140-3 National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3.
- FIPS 186-4 National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4.
- SP 800-34 Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010.
- SP 800-130 Barker EB, Smid ME, Branstad DK, Chokhani S (2013) A Framework for Designing Cryptographic Key Management Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-130.
- SP 800-152 Barker EB, Branstad DK, Smid ME (2015) A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-152.
Control Enhancements 8
- CP-09(01) Testing for Reliability and Integrity L M H P
- CP-09(02) Test Restoration Using Sampling L M H P
- CP-09(03) Separate Storage for Critical Information L M H P
- CP-09(04) Protection from Unauthorized Modification
- CP-09(05) Transfer to Alternate Storage Site L M H P
- CP-09(06) Redundant Secondary System L M H P
- CP-09(07) Dual Authorization for Deletion or Destruction L M H P
- CP-09(08) Cryptographic Protection L M H P
Related controls 10
- CP-02 Contingency Plan L M H P
- CP-06 Alternate Storage Site L M H P
- CP-10 System Recovery and Reconstitution L M H P
- MP-04 Media Storage L M H P
- MP-05 Media Transport L M H P
- SC-08 Transmission Confidentiality and Integrity L M H P
- SC-12 Cryptographic Key Establishment and Management L M H P
- SC-13 Cryptographic Protection L M H P
- SI-04 System Monitoring L M H P
- SI-13 Predictable Failure Prevention L M H P