>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

CP-6 (01)Alternate Storage Site | Separation from Primary Site

Moderate
High

>Control Description

Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats.

>FedRAMP Baseline Requirements

No FedRAMP-specific parameter values or requirements for this baseline.

>Discussion

Threats that affect alternate storage sites are defined in organizational risk assessments and include natural disasters, structural failures, hostile attacks, and errors of omission or commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate storage sites based on the types of threats that are of concern. For threats such as hostile attacks, the degree of separation between sites is less relevant.

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of CP-6(1) (Separation From Primary Site)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring CP-6(1)?
  • How frequently is the CP-6(1) policy reviewed and updated, and what triggers policy changes?
  • What governance structure ensures CP-6(1) requirements are consistently applied across all systems?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce CP-6(1) requirements.
  • What automated tools, systems, or technologies are deployed to implement CP-6(1)?
  • How is CP-6(1) integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce CP-6(1) requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of CP-6(1)?
  • What audit logs, records, reports, or monitoring data validate CP-6(1) compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of CP-6(1) effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate CP-6(1) compliance?

Ask AI

Configure your API key to use AI features.