Cyber Resilience

NIST 800-53 r5 · Controls catalogue · Family CP

CP-9System Backup

Conduct backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} {{ insert: param, cp-09_odp.02 }}; Conduct backups of system-level information contained in the system {{ insert: param, cp-09_odp.03 }}; Conduct backups of system documentation, including security- and privacy-related documentation {{ insert: param, cp-09_odp.04 }} ; and Protect the confidentiality, integrity, and availability of backup information.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: mostly · 2 mapping(s) from 1 framework(s): CSF 2.0 2 (mostly)

See the full cumulative-coverage rollup →

Implementations targeting this control (12)

ATT&CK techniques this control mitigates (22)

Weaknesses this control addresses (5)AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE Name CVEs Why this control addresses it
CWE-200Exposure of Sensitive Information to an Unauthorized Actor10,501Protecting confidentiality of backup information prevents unauthorized exposure of sensitive data stored in backups.
CWE-284Improper Access Control5,367Protecting CIA of backups requires access controls to prevent unauthorized access, modification, or deletion.
CWE-732Incorrect Permission Assignment for Critical Resource1,874Protecting backup availability and integrity requires correct permission assignments on critical backup resources.
CWE-552Files or Directories Accessible to External Parties563Protecting backup files ensures they are not accessible to external parties or unauthorized spheres.
CWE-922Insecure Storage of Sensitive Information426Requiring protection of backup information directly addresses insecure storage of sensitive data in backups.

Top CVEs where this control is the strongest mitigation

CVE Risk CVSS EPSS Match
CVE-2023-54346 UPD5.57.50.0031good
CVE-2025-242215.57.50.0080partial
CVE-2025-597855.57.20.0019partial

Other controls in family CP

CP-1 CP-10 CP-11 CP-12 CP-13 CP-2 CP-3 CP-4 CP-5 CP-6 CP-7 CP-8