Level 5 CMMC - CMMC Practices

RE.3.139  

Reference: CMMC 1.02

Family: RE

Level Introduced: 3

Practice:
Regularly perform complete, comprehensive, and resilient data back-ups as organizationally defined.

CMMC Clarification:
Ensure systems and data are backed up at an interval that enables an organization to restore the system or data in accordance with business requirements. A complete backup ensures that all of the files necessary to reconstruct a system are backed up. Comprehensive backups cover all of the systems defined by the organization as necessary for business effectiveness and/or continuity. You should complete the backups based on a regular schedule that satisfies the needs of your organization. Ensure that your backups are resilient to physical disaster and malicious attack (e.g., ransomware). One approach is to store at least one system backup off-site and offline.

Example
You are in charge of IT operations for your organization. As part of your responsibilities, you manage the system that performs backups of your systems' data. You do this to meet the business objectives of your organization. Meeting these objectives will help you manage the loss of data, data availability, or the integrity of data in the event of a cyber-incident. For example, you may conduct incremental backups nightly and full system backups every Friday evening after business hours. You store your full system backups offline at a different location than your other systems. Doing this provides added protection of your backups from a cyber-event or physical disaster that may impact your organization.

CP-9

INFORMATION SYSTEM BACKUP

Description:
The organization:
    a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
    b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
    c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
    d. Protects the confidentiality, integrity, and availability of backup information at storage locations.

Supplemental Guidance:
System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Related controls: CP-2, CP-6, MP-4, MP-5, SC-13.

CP-9 (3)

INFORMATION SYSTEM BACKUP | SEPARATE STORAGE FOR CRITICAL INFORMATION

Description:
The organization stores backup copies of [Assignment: organization-defined critical information system software and other security-related information] in a separate facility or in a fire-rated container that is not collocated with the operational system.

Supplemental Guidance:
Critical information system software includes, for example, operating systems, cryptographic key management systems, and intrusion detection/prevention systems. Security-related information includes, for example, organizational inventories of hardware, software, and firmware components. Alternate storage sites typically serve as separate storage facilities for organizations. Related controls: CM-2, CM-8.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02