>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

CP-6Alternate Storage Site

IL4 Mod
IL4 High
IL5
IL6

>Control Description

a

Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and

b

Ensure that the alternate storage site provides controls equivalent to that of the primary site.

>DoD Impact Level Requirements

No specific parameter values or requirements for this impact level.

>Discussion

Alternate storage sites are geographically distinct from primary storage sites and maintain duplicate copies of information and data if the primary storage site is not available. Similarly, alternate processing sites provide processing capability if the primary processing site is not available. Geographically distributed architectures that support contingency requirements may be considered alternate storage sites.

Items covered by alternate storage site agreements include environmental conditions at the alternate sites, access rules for systems and facilities, physical and environmental protection requirements, and coordination of delivery and retrieval of backup media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential mission and business functions despite compromise, failure, or disruption in organizational systems.

>Programmatic Queries

Beta

Related Services

S3 Cross-Region Replication
EBS Snapshots
RDS Cross-Region

CLI Commands

Check S3 replication config
aws s3api get-bucket-replication --bucket BUCKET_NAME
List cross-region snapshot copies
aws ec2 describe-snapshots --owner-ids self --query 'Snapshots[*].{Id:SnapshotId,Region:Region}'
Check RDS cross-region replicas
aws rds describe-db-instances --query 'DBInstances[?ReadReplicaSourceDBInstanceIdentifier!=null]'
List S3 buckets across regions
for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do aws s3api list-buckets --query 'Buckets[].Name' --region $region; done
Open AWS ConsoleDocumentation

>Related Controls

CP-2
CP-7
CP-8
CP-9
CP-10
MP-4
MP-5
PE-3
SC-36
SI-13

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of CP-6 (Alternate Storage Site)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring CP-6?
  • How frequently is the CP-6 policy reviewed and updated, and what triggers policy changes?
  • What governance structure ensures CP-6 requirements are consistently applied across all systems?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce CP-6 requirements.
  • What automated tools, systems, or technologies are deployed to implement CP-6?
  • How is CP-6 integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce CP-6 requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of CP-6?
  • What audit logs, records, reports, or monitoring data validate CP-6 compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of CP-6 effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate CP-6 compliance?

Ask AI

Configure your API key to use AI features.