NIST 800-53 r5 · Controls catalogue · Family CP
CP-6Alternate Storage Site
Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and Ensure that the alternate storage site provides controls equivalent to that of the primary site.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (8)
- T1070 Indicator Removal Stealth
- T1070.008 Clear Mailbox Data Stealth
- T1119 Automated Collection Collection
- T1486 Data Encrypted for Impact Impact
- T1565 Data Manipulation Impact
- T1565.001 Stored Data Manipulation Impact
- T1685.005 Clear Windows Event Logs Defense Impairment
- T1685.006 Clear Linux or Mac System Logs Defense Impairment
Weaknesses this control addresses (5)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 10,204 | Requiring equivalent controls at the alternate storage site prevents unauthorized exposure of sensitive backup data. |
CWE-284 | Improper Access Control | 4,832 | Mandating equivalent access controls ensures the alternate site does not introduce improper access control weaknesses for backups. |
CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,824 | Requiring equivalent controls prevents incorrect permission assignments on critical backup resources at the alternate site. |
CWE-285 | Improper Authorization | 1,230 | Ensuring equivalent authorization at the alternate site reduces the ability to exploit improper authorization for retrieving backup information. |
CWE-922 | Insecure Storage of Sensitive Information | 421 | Establishing an alternate site with equivalent protections directly mitigates insecure storage of sensitive backup information. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | ||||