NetStable
📋 4 Practices NIST 3.14.1 - 3.14.4

Recovery Policy

Recovery Domain (RE)

📖 What This Policy Covers

Recovery ensures you can bounce back from disasters, ransomware, hardware failures, and data corruption. This policy covers backup frequency and types (full, incremental, differential by system type), backup storage tiers (on-site, off-site, cold storage), backup encryption and access controls, backup testing and validation (quarterly restore tests), Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO), disaster recovery site capabilities (cloud-based hot/warm standby), and DR plan testing (annual tabletop + failover test).

Purpose

This policy ensures CUI data is backed up regularly with appropriate protection, backups are tested to verify they can be restored, CUI confidentiality and integrity are maintained during backup operations, and alternate processing capabilities exist for disaster recovery.

Scope

Applies to all systems, databases, file servers, endpoints, virtual machines, and cloud infrastructure that process, store, or transmit CUI. Covers backup operations, restore procedures, disaster recovery planning, and business continuity.

🎯 Why It Matters

Ransomware is the #1 threat to defense contractors. Without tested backups, a ransomware attack can result in permanent CUI data loss and contract termination. The average cost of ransomware recovery is $1.82M (Sophos 2023). Assessors specifically test whether you can actually restore from backups -- having backups that have never been tested is a common finding. Your RTO determines how long your business is down; your RPO determines how much data you lose.

🔐 Key Requirements

1. Backup and Restore

Regular backups of all CUI systems with defined frequency and retention.

  • Databases: daily full + hourly incremental
  • File servers: daily full + hourly incremental
  • Endpoints: weekly full + daily incremental (cloud backup: OneDrive, Google Drive)
  • VMs: daily snapshots
  • Cloud infrastructure: continuous replication (S3 versioning, Azure geo-redundant storage)
  • Primary storage: on-site (NAS, SAN)
  • Secondary: off-site cloud (AWS S3, Azure Blob, Backblaze)
  • Tertiary: cold storage (AWS Glacier, tape at Iron Mountain)
  • Retention: daily 30 days, monthly 12 months, annual 7 years
  • All backups encrypted at rest (AES-256) and in transit (TLS 1.2+)

2. Backup Testing

Regular testing to verify backups can be restored within RTO/RPO targets.

  • Quarterly restore tests for critical CUI systems, annually for all systems
  • Test scope: restore sample files/databases, verify integrity, test accessibility
  • Document: test date, systems tested, restore time, success/failure, issues
  • RTO targets: critical CUI systems 4 hours, important CUI 24 hours, other 72 hours
  • RPO targets: critical databases 1 hour max data loss, file servers 24 hours, endpoints 7 days

3. Backup Security

Protect CUI during backup operations.

  • Only authorized backup administrators can access backup systems
  • Encryption: AES-256 for all backups
  • Integrity verification via checksums and restore tests
  • Backup accounts separate from production (prevent ransomware from encrypting backups)
  • Immutable backups in cloud (cannot be deleted for X days) to protect against ransomware
  • All backup/restore activities logged
  • Off-site tapes at secure facility (Iron Mountain), geo-redundant cloud backups

4. Disaster Recovery

Alternate processing site and disaster recovery plan.

  • DR site type: cloud-based (AWS, Azure hot/warm standby) or colocation
  • Same security controls as primary site (firewalls, MFA, encryption)
  • Continuous or near-real-time data replication to DR site
  • Annual DR failover test
  • DR plan: system prioritization, step-by-step recovery runbooks, contact lists, communication plan
  • Annual tabletop exercise + actual failover test
  • Post-test: document lessons learned, update DR plan

👥 Roles & Responsibilities

CISO / IT Director

  • Approve backup and DR strategy
  • Review backup test results
  • Approve RTO/RPO targets
  • Own DR plan and ensure annual testing

IT Operations / Backup Administrators

  • Configure and maintain backup systems
  • Execute daily backup monitoring
  • Perform restore tests per schedule
  • Maintain DR site readiness

IT Security

  • Verify backup encryption and access controls
  • Monitor backup logs for anomalies
  • Ensure backup accounts are separate from production
  • Participate in DR tabletop exercises

System/Application Owners

  • Define RTO/RPO requirements for their systems
  • Participate in restore testing
  • Validate restored data integrity
  • Participate in DR exercises

🛠️ Implementation Roadmap (8 Weeks)

1. Backup Deployment (Weeks 1-2)
  • Select backup solution (Veeam, Commvault, cloud-native)
  • Size storage requirements (calculate based on data volume + growth + retention)
  • Deploy backup agents to all CUI systems
  • Configure backup jobs per frequency requirements

2. Backup Testing (Weeks 3-4)
  • Test initial backups: restore sample files and databases
  • Verify data integrity after restore
  • Document restore time and compare to RTO targets
  • Configure backup monitoring and alerting

3. Off-site & DR (Weeks 5-6)
  • Establish off-site backup storage (cloud or physical)
  • Configure replication to secondary site
  • Set up immutable backup configuration (S3 Object Lock, Azure immutability)

4. DR Planning & Testing (Weeks 7-8)
  • Document DR plan with runbooks, contact lists, system priorities
  • Conduct tabletop exercise with IT team and stakeholders
  • Document lessons learned and update plan

Recommended Tools

  • Veeam / Commvault / Acronis (backup)
  • AWS S3 / Azure Blob / Backblaze (cloud backup)
  • AWS Glacier / Iron Mountain (cold storage)
  • AWS / Azure (DR site)
  • Zerto / Azure Site Recovery (replication)

📊 CMMC Practice Mapping

Practice ID     Requirement                                     Policy Section
RE.L2-3.14.1    Establish recoverable system configurations     1
RE.L2-3.14.2    Perform and document backups                    1, 3
RE.L2-3.14.3    Regularly test backup information               2
RE.L2-3.14.4    Provide alternate storage/processing sites      4

📋 Evidence Requirements

These are the artifacts a C3PAO assessor will ask for. Start collecting early.

Backup Configuration Screenshots

Format: PNG/PDF
Frequency: Quarterly
Contents: Backup software showing jobs, schedules, retention policies, encryption settings
Tip: Show that all CUI systems are covered. Include encryption settings and retention configuration.

Backup Success Reports

Format: PDF/CSV
Frequency: Monthly
Contents: Last 30 days of backup results showing success/failure rates by system
Tip: Target 99%+ success rate. Document and remediate any failures.

Restore Test Documentation

Format: PDF
Frequency: Quarterly
Contents: Last 4 quarters of restore tests: system tested, data restored, time to restore, integrity verified, pass/fail
Tip: This is a key assessor focus area. Show that you actually restore data and verify it works, not just check that backup files exist.

Disaster Recovery Plan

Format: PDF
Frequency: Annual review
Contents: Complete DR plan with system priorities, runbooks, contact lists, communication plan
Tip: Include specific step-by-step instructions someone could follow during an emergency. Test it annually.

DR Test Report

Format: PDF
Frequency: Annual
Contents: Annual failover test results: what was tested, timeline, issues encountered, lessons learned
Tip: Document both successes and failures. The lessons learned section shows maturity.

⚠️ Common Gaps (What Assessors Flag)

1. Backups exist but have never been tested

Why this happens: Backup software says 'success' but nobody has ever tried to restore from them.
How to close the gap: Schedule a quarterly restore test. Restore a sample database or file share. Verify data integrity. Document the results.
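The restore-test cycle described in Key Requirement 2, the checksum integrity verification in Key Requirement 3, and the remediation for this gap all come down to the same loop: restore a sample, compare every restored file against checksums recorded at backup time, measure restore time against the RTO tier, and write down the result. The Python script below is an added example, not code from this policy, its template, or any backup vendor; the system name, the two-file share, the corrupted-file scenario and the `restore_fn` callback are constructed assumptions standing in for a real restore job.

```python
import hashlib, shutil, tempfile, time
from datetime import datetime, timezone
from pathlib import Path

RTO_SECONDS = {"critical": 4 * 3600, "important": 24 * 3600, "other": 72 * 3600}  # policy RTO targets

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:  # hash in 1 MiB chunks so large backup sets stay out of memory
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(source: Path) -> dict:
    """Checksums recorded at backup time, keyed by path relative to the share root."""
    return {str(p.relative_to(source)): sha256_file(p) for p in source.rglob("*") if p.is_file()}

def restore_test(system: str, tier: str, manifest: dict, restore_fn, target: Path) -> dict:
    """Time the restore, verify every file against the manifest, return the policy's test record."""
    started = time.monotonic()
    restore_fn(target)
    elapsed = time.monotonic() - started
    issues = []
    for rel, digest in manifest.items():
        if not (target / rel).is_file():
            issues.append(f"missing: {rel}")
        elif sha256_file(target / rel) != digest:
            issues.append(f"checksum mismatch: {rel}")
    if elapsed > RTO_SECONDS[tier]:
        issues.append(f"restore took {elapsed:.0f}s, RTO is {RTO_SECONDS[tier]}s")
    return {"test_date": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "system": system, "tier": tier, "files_checked": len(manifest),
            "restore_seconds": round(elapsed, 3), "result": "FAIL" if issues else "PASS",
            "issues": issues}

def demo() -> dict:
    """Constructed sample: two-file share, backup copy with one silently corrupted file, restore."""
    root = Path(tempfile.mkdtemp())
    source, backup = root / "share", root / "backup"
    source.mkdir()
    (source / "contracts.txt").write_text("CUI sample record 1\n")
    (source / "drawings.txt").write_text("CUI sample record 2\n")
    manifest = build_manifest(source)  # taken at backup time and stored apart from the backup set
    shutil.copytree(source, backup)
    (backup / "drawings.txt").write_text("corrupted\n")  # simulated bit rot; backup job still reported success
    return restore_test("fileserver-01", "critical", manifest,
                        lambda target: shutil.copytree(backup, target), root / "restored")
```

The returned record is the evidence line item the Restore Test Documentation section asks for; in the constructed sample it comes back FAIL with a single checksum mismatch, which is exactly the case a "backup succeeded" report alone would never surface.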

2. Backups not encrypted

Why this happens: Encryption was not enabled during initial backup setup. Backups contain cleartext CUI.
How to close the gap: Enable encryption on your backup solution immediately. Most modern backup tools support AES-256. Re-run a full backup with encryption enabled.

3. No immutable backups (ransomware risk)

Why this happens: Backup storage is accessible with the same credentials as production. Ransomware can encrypt backups.
How to close the gap: Enable immutable storage: S3 Object Lock, Azure Blob immutability, or Veeam hardened repository. Use separate credentials for backup admin accounts.

4. No DR plan or DR site

Why this happens: Viewed as too expensive. 'We'll figure it out if something happens.'
How to close the gap: Start with cloud-based DR (AWS/Azure). Cost can be low for warm standby. Write a basic DR plan with priorities and runbooks. Test annually with a tabletop exercise.

📝 Template Customization Guide

When filling in the downloadable template for this policy, replace these placeholders with your organization's specifics:

[COMPANY NAME]

Your organization's legal name

Example: Acme Defense Systems, LLC

[CISO Name]

Name of your CISO or COO

Example: Jane Smith

Customization Tips

  • 💡 Specify your actual RTO/RPO targets based on business requirements and contract SLAs
  • 💡 Document your specific backup software and cloud storage providers
  • 💡 Include your DR site location and capabilities
  • 💡 If you're fully cloud-native, describe how cloud-native backup and multi-region deployment meet the DR requirements
  • 💡 Adjust backup frequency based on your data change rate and acceptable data loss

📚 Related Policies