NIST 800-53 r5 · Controls catalogue · Family CP
CP-9 System Backup
a. Conduct backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} {{ insert: param, cp-09_odp.02 }};
b. Conduct backups of system-level information contained in the system {{ insert: param, cp-09_odp.03 }};
c. Conduct backups of system documentation, including security- and privacy-related documentation {{ insert: param, cp-09_odp.04 }}; and
d. Protect the confidentiality, integrity, and availability of backup information.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (22), listed as ID, technique name and (tactic):
- T1003 OS Credential Dumping (Credential Access)
- T1003.003 NTDS (Credential Access)
- T1005 Data from Local System (Collection)
- T1025 Data from Removable Media (Collection)
- T1070 Indicator Removal (Stealth)
- T1070.008 Clear Mailbox Data (Stealth)
- T1119 Automated Collection (Collection)
- T1485 Data Destruction (Impact)
- T1485.001 Lifecycle-Triggered Deletion (Impact)
- T1486 Data Encrypted for Impact (Impact)
- T1490 Inhibit System Recovery (Impact)
- T1491 Defacement (Impact)
- T1491.001 Internal Defacement (Impact)
- T1491.002 External Defacement (Impact)
- T1561 Disk Wipe (Impact)
- T1561.001 Disk Content Wipe (Impact)
- T1561.002 Disk Structure Wipe (Impact)
- T1565 Data Manipulation (Impact)
- T1565.001 Stored Data Manipulation (Impact)
- T1565.003 Runtime Data Manipulation (Impact)
- T1685.005 Clear Windows Event Logs (Defense Impairment)
- T1685.006 Clear Linux or Mac System Logs (Defense Impairment)
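Part d of the control ("protect the confidentiality, integrity, and availability of backup information") is where most of the Impact techniques above (T1485, T1490, T1565.001) are actually blocked: a backup that an attacker can silently alter, loosen the permissions on, or delete without anyone noticing does not count as a recovery point. The following Python script is an added example and is not part of the catalogue or of any NIST reference implementation. It builds a tar archive of a directory, records a per-file SHA-256 manifest, seals the archive with an HMAC under a key that must not live on the backed-up system, restricts both artefacts to the owner, and then verifies all of that before the backup is trusted for restore. The key `DEMO_KEY`, the file names `backup.tar` / `backup.manifest.json` and the sample data are assumptions made for the example; confidentiality (encryption at rest) is left to the storage layer or an external tool and is not shown here.

```python
import hashlib
import hmac
import json
import os
import stat
import tarfile
import tempfile
from pathlib import Path

# Hypothetical key for the example. In a real deployment the sealing key lives
# in a KMS/HSM or offline vault, never on the system being backed up, so that
# an attacker who owns the host cannot re-seal a tampered archive.
DEMO_KEY = b"example-sealing-key-not-for-production"

ARCHIVE_NAME = "backup.tar"
MANIFEST_NAME = "backup.manifest.json"


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def create_backup(src_dir: Path, out_dir: Path, key: bytes = DEMO_KEY) -> Path:
    """Archive src_dir, record per-file SHA-256 hashes in a manifest, seal the
    archive with an HMAC and restrict both artefacts to the owner.
    Returns the manifest path."""
    out_dir.mkdir(parents=True, exist_ok=True)
    archive = out_dir / ARCHIVE_NAME
    files = {}
    with tarfile.open(archive, "w") as tar:
        for path in sorted(src_dir.rglob("*")):
            if path.is_file():
                rel = path.relative_to(src_dir).as_posix()
                files[rel] = _sha256(path.read_bytes())
                tar.add(path, arcname=rel)
    archive_bytes = archive.read_bytes()
    manifest = {
        "files": files,
        "archive_hmac": hmac.new(key, archive_bytes, hashlib.sha256).hexdigest(),
    }
    manifest_path = out_dir / MANIFEST_NAME
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    # Least privilege on the backup artefacts: owner read/write only.
    for path in (archive, manifest_path):
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return manifest_path


def verify_backup(out_dir: Path, key: bytes = DEMO_KEY) -> list:
    """Return a list of findings; an empty list means the backup is present,
    sealed under the expected key, member-by-member intact and not
    group/world accessible."""
    findings = []
    archive = out_dir / ARCHIVE_NAME
    manifest_path = out_dir / MANIFEST_NAME
    for path in (archive, manifest_path):
        if not path.exists():
            findings.append(f"missing:{path.name}")
    if findings:
        return findings  # nothing to verify without both artefacts
    for path in (archive, manifest_path):
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"permissions:{path.name}:{oct(mode)}")
    manifest = json.loads(manifest_path.read_text())
    expected = hmac.new(key, archive.read_bytes(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("archive_hmac", "")):
        findings.append("hmac-mismatch:" + ARCHIVE_NAME)
    # Cross-check each member against the manifest so a single altered file is
    # named, and a file silently dropped from the archive is noticed.
    seen = set()
    with tarfile.open(archive, "r") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            seen.add(member.name)
            data = tar.extractfile(member).read()
            if _sha256(data) != manifest["files"].get(member.name):
                findings.append(f"hash-mismatch:{member.name}")
    for name in set(manifest["files"]) - seen:
        findings.append(f"missing-member:{name}")
    return findings


if __name__ == "__main__":
    # Constructed sample data: a throwaway directory with two files.
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"
        src.mkdir()
        (src / "users.db").write_bytes(b"alice:1000\nbob:1001\n")
        (src / "config.yaml").write_text("retention_days: 30\n")
        out = Path(tmp) / "backup"
        create_backup(src, out)
        print("clean backup findings:", verify_backup(out))
        # Simulate an attacker altering the stored backup (T1565.001).
        with open(out / ARCHIVE_NAME, "ab") as fh:
            fh.write(b"\x00" * 512)
        print("after tampering:", verify_backup(out))
```

Run `verify_backup` from a host other than the one that produced the archive (the restore target, or a dedicated verification job) and treat any non-empty finding list as a failed backup rather than a warning; a backup that only gets checked when a restore is already needed is exactly what T1490 counts on.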
Weaknesses this control addresses (5)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVE count | Why this control addresses it |
|---|---|---|---|
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 10,204 | Protecting the confidentiality of backup information prevents unauthorized exposure of sensitive data stored in backups. |
| CWE-284 | Improper Access Control | 4,832 | Protecting the CIA of backups requires access controls that prevent unauthorized access, modification, or deletion. |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,824 | Protecting backup availability and integrity requires correct permission assignments on the backup storage and artefacts. |
| CWE-552 | Files or Directories Accessible to External Parties | 540 | Protecting backup files ensures they are not readable or writable by external parties or by principals outside the intended control sphere. |
| CWE-922 | Insecure Storage of Sensitive Information | 421 | Requiring protection of backup information directly addresses insecure storage of sensitive data in backups. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2025-24221 | 1.5 | 7.5 | 0.0042 | partial |