


Control Acronym

RE.3.139

CMMC Level

3

800-171 Control #


CMMC Description

Regularly perform complete, comprehensive, and resilient data backups as organizationally defined.

CMMC Clarification

Ensure systems and data are backed up at an interval that enables an organization to restore the system or data in accordance with business requirements. A complete backup ensures that all of the files necessary to reconstruct a system are backed up. Comprehensive backups cover all of the systems defined by the organization as necessary for business effectiveness and/or continuity. You should complete the backups based on a regular schedule that satisfies the needs of your organization. Ensure that your backups are resilient to physical disaster and malicious attack (e.g., ransomware). One approach is to store at least one system backup off-site and offline.

Example

You are in charge of IT operations for your organization. As part of your responsibilities, you manage the system that performs backups of your systems' data. You do this to meet the business objectives of your organization. Meeting these objectives will help you manage the loss of data, data availability, or the integrity of data in the event of a cyber-incident. For example, you may conduct incremental backups nightly and full system backups every Friday evening after business hours. You store your full system backups offline at a different location than your other systems. Doing this provides added protection of your backups from a cyber-event or physical disaster that may impact your organization.

800-171 Description

800-171 Discussion


Other Source Discussion

CIS Controls v7.1

The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it. When attackers compromise machines, they often make significant changes to configurations and software. Sometimes attackers also make subtle alterations of data stored on compromised machines, potentially jeopardizing organizational effectiveness with polluted data. When the attackers are discovered, it can be extremely difficult for organizations without a trustworthy data recovery capability to remove all aspects of the attacker's presence on the machine.

This practice is based on the following CIS controls:

● 10.1 Ensure that all system data is automatically backed up on a regular basis.
● 10.2 Ensure that all of the organization's key systems are backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system.
● 10.5 Ensure that all backups have at least one offline (i.e., not accessible via a network connection) backup destination.

CIS Control References

CIS Controls v7.1 10.1, 10.2, 10.5

NIST 800-53 Control Ref.

NIST 800-53 Rev 4 CP-9, CP-9(3)

CMMC Derived

NIST CSF Control References

NIST 800-171 References

Applicable FAR Clause

NIST CSF Control Reference

CERT RMM Reference


Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSC Cyber Reference

AS ACSC Reference


Assessment Sub-Criteria 1

RE.3.139.[a] the organization automates its backups where feasible;

Assessment Sub-Criteria 2

RE.3.139.[c] backup schedules and selection lists reflect documented organization requirements; and

Assessment Sub-Criteria 3

RE.3.139.[b] the organization has defined its requirements for the length of time needed to restore resources from backup (recovery time objectives (RTO)), the amount of time between backups (recovery point objectives (RPO)), and the length of time backups need to be retained;

Assessment Sub-Criteria 4

RE.3.139.[d] key systems are backed up in a manner that enables rapid recovery, such as imaging.
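One way to check a backup inventory against the requirements above, as an added example that is not part of the CMMC or CIS text: a small Python checker that evaluates each key system against the RPO and retention requirements of RE.3.139.[b], the full-backup requirement of [d], and the offline-copy guidance from the clarification. The policy values, system names and backup inventory are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class BackupPolicy:
    rpo: timedelta          # maximum allowed age of the newest backup (RE.3.139.[b])
    retention: timedelta    # how far back retained backups must reach (RE.3.139.[b])
    require_offline: bool   # at least one copy not reachable over the network

@dataclass
class Backup:
    system: str
    kind: str               # "full" or "incremental"
    taken: datetime
    offline: bool           # True if held on media with no network path (ransomware-resilient)

def assess(system, backups, policy, now):
    """Return findings for one system against the policy; an empty list means compliant."""
    mine = [b for b in backups if b.system == system]
    if not mine:
        return [f"{system}: no backups recorded"]
    findings = []
    newest = max(mine, key=lambda b: b.taken)
    if now - newest.taken > policy.rpo:
        findings.append(f"{system}: newest backup is {now - newest.taken} old, exceeds RPO {policy.rpo}")
    if not any(b.kind == "full" for b in mine):
        findings.append(f"{system}: no full (image-style) backup for rapid recovery (RE.3.139.[d])")
    if policy.require_offline and not any(b.offline for b in mine):
        findings.append(f"{system}: no offline copy; backups exposed to the same ransomware event")
    # Retention: history must reach back at least `retention`; a system newer than that is flagged too.
    oldest = min(mine, key=lambda b: b.taken)
    if now - oldest.taken < policy.retention:
        findings.append(f"{system}: retained history covers {now - oldest.taken}, policy requires {policy.retention}")
    return findings

# Constructed sample inventory and policy (assumptions, not from the control text): nightly
# incrementals, weekly full backups on Friday evening, one full copy stored offline off-site.
NOW = datetime(2024, 3, 11, 8, 0)
POLICY = BackupPolicy(rpo=timedelta(hours=24), retention=timedelta(days=30), require_offline=True)
SAMPLE_BACKUPS = [
    Backup("fileserver", "full", datetime(2024, 2, 9, 20, 0), offline=True),
    Backup("fileserver", "full", datetime(2024, 3, 8, 20, 0), offline=True),
    Backup("fileserver", "incremental", datetime(2024, 3, 10, 22, 0), offline=False),
    Backup("erp", "full", datetime(2024, 3, 1, 20, 0), offline=False),
    Backup("erp", "incremental", datetime(2024, 3, 7, 22, 0), offline=False),
]
if __name__ == "__main__":
    for system in ("fileserver", "erp"):
        for finding in assess(system, SAMPLE_BACKUPS, POLICY, NOW) or [f"{system}: OK"]:
            print(finding)
```

The RTO half of [b] is not something an inventory check can prove; it is verified by timing actual restores from the offline copy during recovery drills.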
