
CP-9

Contingency Planning | Rev 5 | organization

System Backup

Baselines: Low, Moderate, High

Control Statement

a. Conduct backups of user-level information contained in [Assignment: system components] [Assignment: frequency];
b. Conduct backups of system-level information contained in the system [Assignment: frequency];
c. Conduct backups of system documentation, including security- and privacy-related documentation [Assignment: frequency]; and
d. Protect the confidentiality, integrity, and availability of backup information.

Supplemental Guidance

System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of system backup information while in transit is addressed by [MP-5](#mp-5) and [SC-8](#sc-8). System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements.

Related Controls (10)

CP-2, CP-6, CP-10, MP-4, MP-5, SC-8, SC-12, SC-13, SI-4, SI-13

CCI Identifiers (12)

CCI-000537: Conduct backups of system-level information contained in the system per organization-defined frequency that is consistent with recovery time and recovery point objectives.
CCI-000538: Defines the frequency of conducting system documentation backups, including security-related documentation, to support recovery time objectives and recovery point objectives.
CCI-000539: Conduct backups of system documentation, including security-related documentation, per an organization-defined frequency that is consistent with recovery time and recovery point objectives.
CCI-000535: Conduct backups of user-level information contained in organization-defined system components per organization-defined frequency that is consistent with recovery time and recovery point objectives.
CCI-000534: Defines the frequency of conducting user-level information backups to support recovery time objectives and recovery point objectives.
CCI-000540: The organization protects the confidentiality, integrity, and availability of backup information at storage locations.
CCI-000536: Defines the frequency of conducting system-level information backups to support recovery time objectives and recovery point objectives.
CCI-004023: Protect integrity of backup information.
CCI-004020: Defines the system components to conduct backups of user level information.
CCI-004022: Protect the confidentiality of backup information.
CCI-004024: Protect the availability of backup information.
CCI-004021: Conduct backups of system documentation, including privacy-related documentation, per an organization-defined frequency that is consistent with recovery time and recovery point objectives.

Linked STIG Checks (52)

Across 39 STIGs.