CMMC Practice RE.3.139

Regularly perform complete, comprehensive, and resilient data backups, as organizationally defined.


CMMC Version 1.02, pg. 198

Bold Coast Security Guidance

Resilience represents a mature implementation of data backups. It includes more enhancements that enable an organization to quickly restore system and processes when events or incidents may cause system disruption. Resilience in practice means an organization has likely completed a Business Impact Analysis (BIA) to determine which business processes are more critical to success and critical to operations. Once business processes are identified, then the systems on which they are dependent are associated, and continuity procedures are created. Recovery Time Objectives (RTO) are defined as the maximum amount of time a process can be unavailable before significant loss may occur. Recovery Point Objectives (RPO) define how much data can be lost before significant damage to an organization occurs. These two measurements drive disaster recovery efforts. The business processes identified as most critical are recovered first. For Level 1 compliance, there must be a consistent and mature practice in place to establish resilience for an organization. This means backups, and testing of backups. It also includes securing backups logically and physically. Additionally, it includes the organization knowing which business processes are most important, and which systems those processes are dependent upon. Finally, the concept of "air gapping" comes into play at this maturity level. "Air gapping" is the practice of backing up data, then ensuring that data is not reachable by malicious software, e.g., ransomware, or hackers. For Level 2 compliance, there must be a formal written policy requiring the practice, and for Level 3, a comprehensive management plan must be in place to guide implementation and demonstrate how the organization achieves its policy requirements.

Discussion From Source

CIS CONTROLS V7.1 The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it. When attackers compromise machines, they often make significant changes to configurations and software. Sometimes attackers also make subtle alterations of data stored on compromised machines, potentially jeopardizing organizational effectiveness with polluted data. When the attackers are discovered, it can be extremely difficult for organizations without a trustworthy data recovery capability to remove all aspects of the attacker’s presence on the machine. This practice is based on the following CIS controls: 10.1 Ensure that all system data is automatically backed up on a regular basis. 10.2 Ensure that all of the organization’s key systems are backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system. 10.5 Ensure that all backups have at least one offline (i.e., not accessible via a network connection) backup destination.