Back to Control Explorer



Control Acronym




CMMC Level


800-171 Control #


CMMC Description

Regularly perform and test data backups.

CMMC Clarification

Back up your organizational data so you can recover it if a hardware failure, software failure, or malware infection occurs. You can schedule backups to run automatically or manually. Many operating systems include a built-in feature to perform data backups. After you create a backup, it is important to test it on a regular basis. When you test a backup, verify that the operating system, applications, and data are intact and functional. If you test data backups regularly, you will be in a better position to recover systems and files more efficiently if a failure or infection occurs. Example You are responsible for IT in your organization. One of your jobs is to make sure you can restore data if a serious event happens, such as a disaster, a hard drive failure, or a software problem. You have a backup procedure in place where you back up all your data weekly on a backup server. You set this up to occur automatically each weekend because it takes a lot of resources to perform a backup. You verify your backups every month. This ensures that your data is correct. It also confirms that you can use the data if you need to recover your systems.

800-171 Description

800-171 Discussion


Other Source Discussion

Backups are used to recover data in the event of a hardware or software failure. Backups should be performed regularly based on an organizational defined frequency. They should be tested regularly to ensure they are performing as expected.

CIS Control References

CIS Controls v7.1 10.1, 10.3

NIST 800-53 Control Ref.

NIST 800-53 Rev 4 CP-9

CMMC Derived

NIST CSF Control References

NIST 800-171 References

Applicable FAR Clause

NIST CSF Control Reference


CERT RMM Reference


Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference

AU ACSC Essential Eight


Assessment Sub-Criteria 1

RE.2.137.[a] a frequency to perform backups has been defined;

Assessment Sub-Criteria 2

RE.2.137.[b] backups are performed according to the defined backup schedule;

Assessment Sub-Criteria 3

RE.2.137.[c] a frequency to test backups has been defined;

Assessment Sub-Criteria 4

RE.2.137.[d] backups are tested according to a defined test schedule;

Assessment Sub-Criteria 5

RE.2.137.[e] tests of backups include performing a restore that ensures a successful recovery; and

Assessment Sub-Criteria 6

RE.2.137.[f] backup data is protected from a direct attack and from corruption by an attack against the primary data source.

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15