NIST 800-53 REV 5 • CONTINGENCY PLANNING

CP-9(3) Separate Storage for Critical Information

Store backup copies of [Assignment: organization-defined critical system software and other security-related information] in a separate facility or in a fire rated container that is not collocated with the operational system.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Separate storage for critical information applies to all critical information regardless of the type of backup storage media. Critical system software includes operating systems, middleware, cryptographic key management systems, and intrusion detection systems. Security-related information includes inventories of system hardware, software, and firmware components. Alternate storage sites, including geographically distributed architectures, serve as separate storage facilities for organizations. Organizations may provide separate storage by implementing automated backup processes at alternative storage sites (e.g., data centers). The General Services Administration (GSA) establishes standards and specifications for security and fire rated containers.

Practitioner Notes

This enhancement requires you to store backups of critical information at a separate location from the primary system — so a single event cannot destroy both your live data and your backups.

Example 1: Replicate your most critical backups to a different Azure region or AWS region using backup copy jobs that run automatically after each primary backup completes.

Example 2: Store encrypted backup copies of your most critical databases at a secure offsite facility, physically separated from your primary data center by at least 100 miles.
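A way to check Example 1 on AWS, as an added example that is not part of the control text: it reads a backup plan shaped like the output of `aws backup get-backup-plan` and flags rules whose copies never leave the source region. The plan, vault names, account ID and the `audit_plan` helper are constructed for illustration.

```python
import json

# Constructed sample shaped like the output of `aws backup get-backup-plan`;
# plan name, vault names and account id are made up for illustration.
SAMPLE_PLAN = json.loads("""
{"BackupPlan": {"BackupPlanName": "critical-systems", "Rules": [
  {"RuleName": "db-daily", "TargetBackupVaultName": "primary-vault",
   "CopyActions": [{"DestinationBackupVaultArn":
     "arn:aws:backup:us-west-2:111122223333:backup-vault:dr-vault"}]},
  {"RuleName": "kms-config-daily", "TargetBackupVaultName": "primary-vault",
   "CopyActions": [{"DestinationBackupVaultArn":
     "arn:aws:backup:us-east-1:111122223333:backup-vault:second-vault"}]},
  {"RuleName": "ids-rules-weekly", "TargetBackupVaultName": "primary-vault"}
]}}
""")


def arn_region(arn):
    """Return the region field of an ARN, or None if it is malformed."""
    parts = arn.split(":")
    if len(parts) < 6 or parts[0] != "arn" or not parts[3]:
        return None
    return parts[3]


def audit_plan(plan, source_region):
    """Map each rule name to 'ok' or a finding string (hypothetical helper)."""
    results = {}
    for rule in plan["BackupPlan"]["Rules"]:
        copies = rule.get("CopyActions") or []
        regions = [arn_region(c.get("DestinationBackupVaultArn", ""))
                   for c in copies]
        if not copies:
            # Backups exist only in the primary vault.
            results[rule["RuleName"]] = "no copy action"
        elif None in regions:
            results[rule["RuleName"]] = "unparseable destination ARN"
        elif all(r == source_region for r in regions):
            # A second vault in the same region is not separate storage.
            results[rule["RuleName"]] = "copies stay in " + source_region
        else:
            results[rule["RuleName"]] = "ok"
    return results


if __name__ == "__main__":
    for name, status in audit_plan(SAMPLE_PLAN, "us-east-1").items():
        print(f"{name}: {status}")
```

The plan document does not record its own region, so the caller passes the region the plan was fetched from.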