NIST 800-53 REV 5 • CONTINGENCY PLANNING
CP-9 — System Backup
Conduct backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} {{ insert: param, cp-09_odp.02 }};
Conduct backups of system-level information contained in the system {{ insert: param, cp-09_odp.03 }};
Conduct backups of system documentation, including security- and privacy-related documentation {{ insert: param, cp-09_odp.04 }}; and
Protect the confidentiality, integrity, and availability of backup information.
Supplemental Guidance
System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of system backup information while in transit is addressed by [MP-5](#mp-5) and [SC-8](#sc-8). System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements.
Practitioner Notes
System backup means regularly copying your data, configurations, and system images so you can restore them after a failure. Without good backups, a ransomware attack or hardware failure could be fatal to your business.
Example 1: Configure Veeam Backup & Replication to perform daily incremental backups and weekly full backups of all critical servers, storing copies both locally and in offsite cloud storage.
Example 2: Use Azure Backup to protect your cloud VMs, SQL databases, and file shares with automated backup schedules and retention policies that keep daily backups for 30 days and monthly backups for one year.
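The Supplemental Guidance names cryptographic hashes and digital signatures as integrity mechanisms for backups. The following is an added illustration, not part of the NIST text or of any backup product: it records a SHA-256 hash per backup file in a manifest and authenticates the manifest with HMAC-SHA256, a symmetric-key stand-in for a digital signature (a real signature would use an asymmetric key pair). All function names, file names, and the key are constructed for the example, and the manifest is assumed to be stored outside the backup directory.

```python
import hashlib, hmac, json, os, tempfile

def sha256_file(path, chunk=1 << 20):
    """Stream the file so large backup images are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def list_files(backup_dir):
    return sorted(os.path.relpath(os.path.join(root, n), backup_dir)
                  for root, _dirs, names in os.walk(backup_dir) for n in names)

def manifest_tag(files, key):
    """HMAC-SHA256 over the canonical JSON of the path -> hash map."""
    body = json.dumps(files, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def build_manifest(backup_dir, key):
    files = {rel: sha256_file(os.path.join(backup_dir, rel)) for rel in list_files(backup_dir)}
    return {"files": files, "hmac": manifest_tag(files, key)}

def verify_backup(backup_dir, manifest, key):
    """Return a list of findings; an empty list means the backup set is intact."""
    if not hmac.compare_digest(manifest_tag(manifest["files"], key), manifest.get("hmac", "")):
        return ["manifest: authentication tag mismatch"]  # its hashes cannot be trusted
    on_disk, findings = set(list_files(backup_dir)), []
    for rel, digest in sorted(manifest["files"].items()):
        if rel not in on_disk:
            findings.append(f"{rel}: missing")
        elif sha256_file(os.path.join(backup_dir, rel)) != digest:
            findings.append(f"{rel}: hash mismatch")
    findings += [f"{rel}: not in manifest" for rel in sorted(on_disk - set(manifest["files"]))]
    return findings

def demo():
    key = b"constructed-demo-key"  # assumption: a real key is kept apart from the backups
    with tempfile.TemporaryDirectory() as d:  # constructed two-file backup set
        for name, data in {"db.dump": b"rows", "etc.tar": b"config"}.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        m = build_manifest(d, key)
        clean = verify_backup(d, m, key)
        with open(os.path.join(d, "db.dump"), "wb") as f:
            f.write(b"rowz")  # simulated corruption of one backup file
        tampered = verify_backup(d, m, key)
        forged = verify_backup(d, {**m, "hmac": "0" * 64}, key)  # altered manifest
    return clean, tampered, forged
```

Running the verification as part of scheduled restore tests catches silent corruption before the backup is needed.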