Guidance for NIST 800-171 Assessment & Compliance
cp-9(3) |
information system backup | separate storage for critical information |
||
|
assessment objective: Determine if the organization: |
||
cp-9(3)[1] |
cp-9(3)[1][a] |
defines critical information system software and other security-related information requiring backup copies to be stored in a separate facility; or |
|
cp-9(3)[1][b] |
defines critical information system software and other security-related information requiring backup copies to be stored in a fire-rated container that is not collocated with the operational system; and |
||
cp-9(3)[2] |
stores backup copies of organization-defined critical information system software and other security-related information in a separate facility or in a fire-rated container that is not collocated with the operational system. |
||
potential assessment methods and objects: Examine: [select from: Contingency planning policy; procedures addressing information system backup; contingency plan; backup storage location(s); information system backup configurations and associated documentation; information system backup logs or records; other relevant documents or records]. Interview: [select from: Organizational personnel with contingency planning and plan implementation responsibilities; organizational personnel with information system backup responsibilities; organizational personnel with information security responsibilities]. |
|||
FIGURE 2: ASSESSMENT PROCEDURE FOR SECURITY CONTROL ENHANCEMENT
Recall that numbers in parentheses immediately after the base control designation (as in Figure 2) indicate the number of the control enhancement while letters in parentheses immediately after the base control designation (as in Figure 1) indicate division of the base control into separate control requirements. When further division of a control is necessary to support assessment, bracketed characters that alternate between numbers and letters (e.g., CP-9(3)[1][a], CP-9(3)[1][b]) are used with the initial bracketed character always being a number whether it follows a parenthetical letter (base control) or number (control enhancement).
The Security Content Automation Protocol (SCAP) supports the assessment process for security controls and facilitates more efficient and cost-effective assessments. SCAP is a collection of related specifications for automating the collection and representation of evidence in a standards-based format that enables interoperability between SCAP-enabled tools. The SCAP specifications define the formats by which assessment criteria, also called SCAP content, can be exchanged and provided to assessment tools. This content can be used to automate the collection and evaluation of evidence sourced from both machine- and human-oriented artifacts. SCAP also defines formats that capture and enable the exchange of results of collecting and evaluating artifacts. Typically, machine-oriented artifacts that can be collected and evaluated using SCAP pertain to mechanisms (e.g., configuration settings, installed hardware/software, operational state of countermeasures). Additionally, human-oriented artifacts, such as those that pertain to specifications and activities, can be collected using the Open Checklist Interactive Language (OCIL). OCIL is an SCAP component specification that enables the collection and representation of interview data in a standards-based format. The content-driven nature of SCAP-enabled automation solutions can support flexible and consistent assessment of security and privacy controls.
