Back to Control Explorer
RE.3.139
Content
Control Acronym
RE
Family
Recovery
CMMC Level
3
800-171 Control #
N/A
CMMC Description
Regularly perform complete, comprehensive, and resilient data backups as organizationally defined.
CMMC Clarification
Ensure systems and data are backed up at an interval that enables an organization to restore the system or data in accordance with business requirements. A complete backup ensures that all of the files necessary to reconstruct a system are backed up. Comprehensive backups cover all of the systems defined by the organization as necessary for business effectiveness and/or continuity. You should complete the backups based on a regular schedule that satisfies the needs of your organization. Ensure that your backups are resilient to physical disaster and malicious attack (e.g., ransomware). One approach is to store at least one system backup off-site and offline. Example You are in charge of IT operations for your organization. As part of your responsibilities, you manage the system that performs backups of your systems' data. You do this to meet the business objectives of your organization. Meeting these objectives will help you manage the loss of data, data availability, or the integrity of data in the event of a cyber-incident. For example, you may conduct incremental backups nightly and full system backups every Friday evening after business hours. You store your full system backups offline at a different location than your other systems. Doing this provides added protection of your backups from a cyber-event or physical disaster that may impact your organization.
800-171 Description
800-171 Discussion
N/A
Other Source Discussion
CIS CONTROLS V7.1 The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it. When attackers compromise machines, they often make significant changes to configurations and software. Sometimes attackers also make subtle alterations of data stored on compromised machines, potentially jeopardizing organizational effectiveness with polluted data. When the attackers are discovered, it can be extremely difficult for organizations without a trustworthy data recovery capability to remove all aspects of the attacker’s presence on the machine. This practice is based on the following CIS controls: ● 10.1 Ensure that all system data is automatically backed up on a regular basis. ● 10.2 Ensure that all of the organization’s key systems are backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system. ● 10.5 Ensure that all backups have at least one offline (i.e., not accessible via a network connection) backup destination.
CIS Control References
CIS Controls v7.1 10.1, 10.2, 10.5
NIST 800-53 Control Ref.
NIST 800-53 Rev 4 CP-9, CP-9(3)
CMMC Derived
NIST CSF Control References
NIST 800-171 References
Applicable FAR Clause
NIST CSF Control Reference
CERT RMM Reference
CERT RMM v1.2 KIM:SG6.SP1
Modification of NIST 800-171B Reference
NIST 800-171B Reference
UK NCSCCyber Reference
AS ACSC Reference
Sub-Criterias
Assessment Sub-Criteria 1
RE.3.139.[a] the organization automates its backups where feasible;
Assessment Sub-Criteria 2
RE.3.139.[c] backup schedules and selection lists reflect documented organization requirements; and
Assessment Sub-Criteria 3
RE.3.139.[b] the organization has defined its requirements for the length of time needed to restore resources from backup (recovery time objectives (RTO)), the amount of time between backups (recovery point objectives (RPO)), and the length of time backups need to be retained;
Assessment Sub-Criteria 4
RE.3.139.[d] key systems are backed up in a manner that enables rapid recovery, such as imaging.