NIST 800-53 REV 5 • CONTINGENCY PLANNING

CP-6(2) Recovery Time and Recovery Point Objectives

Configure the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Organizations establish recovery time and recovery point objectives as part of contingency planning. Configuration of the alternate storage site includes physical facilities and the systems supporting recovery operations that ensure accessibility and correct execution.

Practitioner Notes

This enhancement requires your alternate storage site to support your Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) — your backups need to be recent enough and accessible fast enough.

Example 1: Configure Azure Site Recovery with a replication frequency of 15 minutes to meet a 15-minute RPO, and verify that your secondary region can spin up VMs within your 4-hour RTO.

Example 2: Use Veeam backup copy jobs to replicate backups to your offsite location every hour, ensuring data loss is limited to no more than one hour of work (1-hour RPO).
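The check below is an added example, not part of the control text or any vendor tooling. It measures RPO exposure as the longest gap between successful recovery points, so a skipped cycle shows up, and compares the slowest failover drill against the RTO. It uses the 15-minute RPO and 4-hour RTO from Example 1; the function names, timestamps and drill durations are constructed for illustration.

```python
from datetime import datetime, timedelta

# Objectives from Example 1 on this page.
RPO = timedelta(minutes=15)
RTO = timedelta(hours=4)


def worst_rpo_exposure(points, now):
    """Longest gap between consecutive successful recovery points,
    including the gap from the newest point to `now`."""
    if not points:
        raise ValueError("no successful recovery points: RPO cannot be met")
    ordered = sorted(points) + [now]
    return max(later - earlier for earlier, later in zip(ordered, ordered[1:]))


def evaluate(points, now, drill_durations, rpo=RPO, rto=RTO):
    """Compare measured exposure and drill times against the objectives."""
    if not drill_durations:
        raise ValueError("no failover drills recorded: RTO is unverified")
    exposure = worst_rpo_exposure(points, now)
    slowest = max(drill_durations)
    return {
        "rpo_exposure": exposure,
        "rpo_met": exposure <= rpo,
        "slowest_drill": slowest,
        "rto_met": slowest <= rto,
    }


# Constructed sample data: replication every 15 minutes from 10:45 to 12:00,
# with the 11:30 cycle missing (for example, a failed replication job).
NOW = datetime(2024, 5, 1, 12, 0)
START = datetime(2024, 5, 1, 10, 45)
POINTS = [START + timedelta(minutes=15 * i) for i in range(6) if i != 3]

# Constructed durations of two failover drills at the secondary site.
DRILLS = [timedelta(hours=2, minutes=40), timedelta(hours=3, minutes=35)]

if __name__ == "__main__":
    for key, value in evaluate(POINTS, NOW, DRILLS).items():
        print(f"{key}: {value}")
```

With this sample data the RTO check passes, but the single missed cycle doubles the exposure to 30 minutes, so the 15-minute RPO is not met even though the schedule is configured correctly.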