Requirement text: RE.3.139: Regularly perform complete, comprehensive, and resilient data backups, as
organizationally defined.
DISCUSSION FROM SOURCE: CIS CONTROLS V7.1
The processes and tools used to properly back up critical information with a proven
methodology for timely recovery of it.
When attackers compromise machines, they often make significant changes to
configurations and software. Sometimes attackers also make subtle alterations of data
stored on compromised machines, potentially jeopardizing organizational effectiveness with
polluted data. When the attackers are discovered, it can be extremely difficult for
organizations without a trustworthy data recovery capability to remove all aspects of the
attacker’s presence on the machine. This practice is based on the following CIS controls:
10.1 Ensure that all system data is automatically backed up on a regular basis.
10.2 Ensure that all of the organization’s key systems are backed up as a complete system,
through processes such as imaging, to enable the quick recovery of an entire system.
10.5 Ensure that all backups have at least one offline (i.e., not accessible via a network
connection) backup destination.
CMMC CLARIFICATION
Ensure systems and data are backed up at an interval that enables an organization to restore
the system or data in accordance with business requirements. A complete backup ensures
that all of the files necessary to reconstruct a system are backed up. Comprehensive backups
cover all of the systems defined by the organization as necessary for business effectiveness
and/or continuity. You should complete the backups based on a regular schedule that
satisfies the needs of your organization. Ensure that your backups are resilient to physical
disaster and malicious attack (e.g., ransomware). One approach is to store at least one
system backup off-site and offline to provide.
Example
You are in charge of IT operations for your organization. As part of your responsibilities, you
manage the system that performs backups of your systems' data. You do this to meet the
business objectives of your organization. Meeting these objectives helps you limit data loss and
preserve the availability and integrity of data in the event of a cyber incident. For
example, you may conduct incremental backups nightly and full system backups every
Friday evening after business hours. You store your full system backups offline at a different
location than your other systems. Doing this provides added protection of your backups
from a cyber-event or physical disaster that may impact your organization.
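The schedule above (a complete full backup weekly, incremental backups nightly, and a verified copy you can restore from) as a runnable shell script. This is an added example and is not part of the CMMC or CIS text; it assumes POSIX sh plus tar, find, cksum, diff and mktemp, and every path it uses is a hypothetical scratch directory created with mktemp. The data files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the CMMC/CIS source: a weekly full + nightly
# incremental backup of a small data set with an integrity record and a
# restore test. Assumes POSIX sh plus tar, find, cksum, diff and mktemp;
# all paths are hypothetical scratch directories created with mktemp.

backup_and_verify() {
    work=$(mktemp -d)
    src="$work/data"            # live system data (constructed sample)
    dst="$work/backups"         # backup destination
    restore="$work/restore"     # scratch area for the restore test
    mkdir -p "$src" "$dst" "$restore"

    # Constructed sample data standing in for the organization's files.
    printf 'contract A\n' > "$src/a.txt"
    printf 'contract B\n' > "$src/b.txt"

    # Friday: complete backup of the whole data set, plus a timestamp
    # marker that later incrementals are measured against.
    (cd "$src" && tar -cf "$dst/full.tar" .) || return 1
    touch "$dst/full.stamp"
    # Record a checksum beside the backup so tampering or media corruption
    # is detected before a restore is attempted.
    cksum "$dst/full.tar" | cut -d' ' -f1 > "$dst/full.tar.cksum"

    # Nightly changes: one file modified, one added. The sleep keeps the
    # new mtimes strictly later than the marker on 1-second filesystems.
    sleep 1
    printf 'contract B v2\n' > "$src/b.txt"
    printf 'contract C\n'    > "$src/c.txt"

    # Nightly: incremental backup of only what changed since the marker.
    # Caveat: mtime-based incrementals do not capture deletions; the
    # weekly full backup is what makes the set complete.
    (cd "$src" && find . -type f -newer "$dst/full.stamp" > "$dst/incr.list") || return 1
    (cd "$src" && tar -cf "$dst/incr.tar" -T "$dst/incr.list") || return 1

    # Integrity check of the full image against the recorded checksum.
    [ "$(cksum "$dst/full.tar" | cut -d' ' -f1)" = "$(cat "$dst/full.tar.cksum")" ] || {
        echo "checksum mismatch on full.tar" >&2
        return 1
    }

    # Restore test: rebuild the data set from full + incremental, in that
    # order, and compare it byte-for-byte with the live data.
    (cd "$restore" && tar -xf "$dst/full.tar" && tar -xf "$dst/incr.tar") || return 1
    diff -r "$src" "$restore" > /dev/null || {
        echo "restore does not match live data" >&2
        return 1
    }
    n=$(find "$restore" -type f | wc -l | tr -d ' ')
    rm -rf "$work"
    echo "verified $n files"
}

backup_and_verify
```

The script stops at the first failed step, which is the point: a backup that was written but never restored is not yet a recovery capability. The offline and off-site copy the practice calls for is not something a script can demonstrate; in practice the full archive and its checksum file are copied to media that is then disconnected, and the checksum is kept separately from the archive so that a ransomware actor who reaches the backup share cannot silently replace both.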
References
• CIS Controls v7.1 10.1, 10.2, 10.5
• CERT RMM v1.2 KIM:SG6.SP1
• NIST 800-53 Rev 4 CP-9, CP-9(3)