Level 5 CMMC - CMMC Practices

RE.2.137  

Reference: CMMC 1.02

Family: RE

Level Introduced: 2

Practice:
Regularly perform and test data back-ups.

CMMC Clarification:
Back up your organizational data so you can recover it if a hardware failure, software failure, or malware infection occurs. You can schedule backups to run automatically or manually. Many operating systems include a built-in feature to perform data backups.

After you create a backup, it is important to test it on a regular basis. When you test a backup, verify that the operating system, applications, and data are intact and functional. If you test data backups regularly, you will be in a better position to recover systems and files more efficiently if a failure or infection occurs.

Example
You are responsible for IT in your organization. One of your jobs is to make sure you can restore data if a serious event happens, such as a disaster, a hard drive failure, or a software problem. You have a backup procedure in place where you back up all your data weekly on a backup server. You set this up to occur automatically each weekend because it takes a lot of resources to perform a backup. You verify your backups every month. This ensures that your data is correct. It also confirms that you can use the data if you need to recover your systems.

Backups are used to recover data in the event of a hardware or software failure. Backups should be performed regularly based on an organizational defined frequency. They should be tested regularly to ensure they are performing as expected.

Source: CMMC v1.02

CP-9

INFORMATION SYSTEM BACKUP

Description:
The organization:
    a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
    b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
    c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
    d. Protects the confidentiality, integrity, and availability of backup information at storage locations.

Supplemental Guidance:
System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Related controls: CP-2, CP-6, MP-4, MP-5, SC-13.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02