NIST SP 800-53 r5, control family CP
CP-9 System Backup
- Conduct backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} {{ insert: param, cp-09_odp.02 }};
- Conduct backups of system-level information contained in the system {{ insert: param, cp-09_odp.03 }};
- Conduct backups of system documentation, including security- and privacy-related documentation {{ insert: param, cp-09_odp.04 }}; and
- Protect the confidentiality, integrity, and availability of backup information.
Last updated: 19 May 2026 20:20 UTC
Implementations targeting this control (12)
| Rule | Name | Resource type | Coverage | Function | Mode |
|---|---|---|---|---|---|
| aws-config-elasticache-redis-cluster-automatic-backup-check | Elasticache Redis Cluster Automatic Backup Check | AWS::ElastiCache::CacheCluster | partial | recover | enforce |
| aws-config-db-instance-backup-enabled | Db Instance Backup Enabled | AWS::RDS::DBInstance | partial | recover | enforce |
| aws-config-dynamodb-in-backup-plan | Dynamodb In Backup Plan | AWS::DynamoDB::Table | partial | recover | enforce |
| aws-config-dynamodb-pitr-enabled | Dynamodb Pitr Enabled | AWS::DynamoDB::Table | partial | recover | enforce |
| aws-config-ebs-in-backup-plan | Ebs In Backup Plan | AWS::EC2::Volume | partial | recover | enforce |
| aws-config-ebs-optimized-instance | Ebs Optimized Instance | AWS::EC2::Volume | partial | protect | enforce |
| aws-config-efs-in-backup-plan | Efs In Backup Plan | AWS::EFS::FileSystem | partial | recover | enforce |
| aws-config-redshift-backup-enabled | Redshift Backup Enabled | AWS::Redshift::Cluster | partial | recover | enforce |
| aws-config-redshift-cluster-maintenancesettings-check | Redshift Cluster Maintenancesettings Check | AWS::Redshift::Cluster | partial | protect | enforce |
| aws-config-s3-bucket-replication-enabled | S3 Bucket Replication Enabled | AWS::S3::Bucket | partial | recover | enforce |
| aws-config-s3-bucket-versioning-enabled | S3 Bucket Versioning Enabled | AWS::S3::Bucket | partial | protect | enforce |
| aws-config-s3-version-lifecycle-policy-check | S3 Version Lifecycle Policy Check | AWS::S3::Bucket | partial | protect | enforce |
ATT&CK techniques this control mitigates (22)
| Technique | Name | Tactic |
|---|---|---|
| T1003 | OS Credential Dumping | Credential Access |
| T1003.003 | NTDS | Credential Access |
| T1005 | Data from Local System | Collection |
| T1025 | Data from Removable Media | Collection |
| T1070 | Indicator Removal | Stealth |
| T1070.008 | Clear Mailbox Data | Stealth |
| T1119 | Automated Collection | Collection |
| T1485 | Data Destruction | Impact |
| T1485.001 | Lifecycle-Triggered Deletion | Impact |
| T1486 | Data Encrypted for Impact | Impact |
| T1490 | Inhibit System Recovery | Impact |
| T1491 | Defacement | Impact |
| T1491.001 | Internal Defacement | Impact |
| T1491.002 | External Defacement | Impact |
| T1561 | Disk Wipe | Impact |
| T1561.001 | Disk Content Wipe | Impact |
| T1561.002 | Disk Structure Wipe | Impact |
| T1565 | Data Manipulation | Impact |
| T1565.001 | Stored Data Manipulation | Impact |
| T1565.003 | Runtime Data Manipulation | Impact |
| T1685.005 | Clear Windows Event Logs | Defense Impairment |
| T1685.006 | Clear Linux or Mac System Logs | Defense Impairment |
Weaknesses this control addresses (5)
CWEs are ranked by how often they appear in real CVEs. The rationale column describes how this control reduces the exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 10,260 | Protecting the confidentiality of backup information prevents unauthorized exposure of sensitive data stored in backups. |
| CWE-284 | Improper Access Control | 4,907 | Protecting the confidentiality, integrity, and availability of backups requires access controls that prevent unauthorized access, modification, or deletion. |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,837 | Protecting backup availability and integrity requires correct permission assignments on critical backup resources. |
| CWE-552 | Files or Directories Accessible to External Parties | 551 | Protecting backup files ensures they are not accessible to external parties or to anyone outside the intended control sphere. |
| CWE-922 | Insecure Storage of Sensitive Information | 422 | Requiring protection of backup information directly addresses insecure storage of sensitive data in backups. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2023-54346 | 1.5 | 7.5 | 0.0005 | good |
| CVE-2025-24221 | 1.5 | 7.5 | 0.0013 | partial |