
AWS Backup for Government NIST Compliance

Updated April 2026 · 7 min read

Backup and recovery is one of the most frequently failed control families in federal cloud ATO assessments — not because agencies don't have backup systems, but because they can't demonstrate that backups work, that they're tested, and that the testing is documented in a way that satisfies CP-9 and CP-10 controls.

AWS Backup provides a centralized, policy-driven backup service that can address the entire CP-9/CP-10 control family for AWS-native resources — but only if it's configured correctly and the testing documentation is maintained as an ATO artifact. This article covers the architecture and compliance documentation approach.

NIST 800-53 CP Controls and AWS Backup Mapping

The Contingency Planning (CP) family in NIST 800-53 has two controls that AWS Backup directly addresses:

CP-9: System Backup

Requires: backup of user-level information, system-level information, and system documentation at defined frequencies; protection of backup information at storage locations.

CP-10: System Recovery and Reconstitution

Requires: recovery and reconstitution of the system to a known state after a disruption, compromise, or failure.

Supporting controls:

  • CP-6 (Alternate Storage Site): cross-region replication satisfies the alternate storage site requirement
  • CP-9(1) (Testing for Reliability): periodic backup restoration testing with documented results
  • CP-9(3) (Separate Storage Location): cross-region or cross-account backup copies

AWS Backup Architecture for FedRAMP Moderate/High Systems

Centralized Backup Policy via AWS Organizations

For multi-account GovCloud environments, AWS Backup enables centralized policy management through AWS Organizations Backup Policies. This allows a single IaC-managed policy to govern backup behavior across all accounts in an OU.

# Organization-level backup policy. Attach it to the workload OU with an
# aws_organizations_policy_attachment resource so it applies to every member account.
resource "aws_organizations_policy" "backup_policy" {
  name    = "nist-cp9-backup-policy"
  type    = "BACKUP_POLICY"
  content = jsonencode({
    plans = {
      "nist-moderate-backup" = {
        # Regions in which the backup plan is created in each member account
        regions = {
          "@@assign" = ["us-gov-west-1", "us-gov-east-1"]
        }
        rules = {
          "daily-backup" = {
            schedule_expression = {
              "@@assign" = "cron(0 4 * * ? *)"   # 04:00 UTC every day
            }
            target_backup_vault_name = {
              "@@assign" = "nist-compliant-vault"
            }
            # Backup policy lifecycle values are strings, per the policy syntax
            lifecycle = {
              delete_after_days = {
                "@@assign" = "90"
              }
            }
          }
          "weekly-backup" = {
            schedule_expression = {
              "@@assign" = "cron(0 4 ? * SUN *)"   # 04:00 UTC every Sunday
            }
            target_backup_vault_name = {
              "@@assign" = "nist-compliant-vault"
            }
            lifecycle = {
              move_to_cold_storage_after_days = {
                "@@assign" = "30"
              }
              delete_after_days = {
                "@@assign" = "365"
              }
            }
          }
        }
        # Tag-based selection: every resource tagged Backup=true in the member account.
        # Organizations substitutes $account with the member account ID.
        selections = {
          tags = {
            "all-tagged-resources" = {
              iam_role_arn = {
                "@@assign" = "arn:aws-us-gov:iam::$account:role/AWSBackupServiceRole"
              }
              tag_key = {
                "@@assign" = "Backup"
              }
              tag_value = {
                "@@assign" = ["true"]
              }
            }
          }
        }
      }
    }
  })
}

Resource coverage: AWS Backup supports EC2 (AMIs), EBS volumes, RDS (Aurora and standard), DynamoDB, S3, EFS, FSx, and more. Tag-based selection (Backup: true) automatically captures newly provisioned resources without manual policy updates.

Backup Vault Lock (Write-Once Protection)

For NIST CP-9 compliance, backups must be protected against modification and premature deletion. AWS Backup Vault Lock (WORM — Write Once Read Many) satisfies this requirement.

resource "aws_backup_vault_lock_configuration" "nist_vault_lock" {
  backup_vault_name   = aws_backup_vault.nist_vault.name
  min_retention_days  = 7
  max_retention_days  = 365
  changeable_for_days = 3  # Grace period before lock becomes permanent
}

Once Vault Lock is applied (and the grace period expires), even root account credentials cannot delete vault contents before the retention period. This is the ATO evidence that backups are tamper-protected — a specific requirement in many FedRAMP High control baselines.
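Before citing Vault Lock as evidence, confirm the lock is actually in force. The following check (an added example, not code from the article) evaluates a DescribeBackupVault response: Locked must be true, LockDate (the moment the lock becomes immutable) must already have passed, and MinRetentionDays must meet the retention floor the Contingency Plan commits to. The sample response, the required_min_days parameter and the dates are constructed assumptions.

```python
from datetime import datetime, timezone


def evaluate_vault_lock(vault: dict, required_min_days: int, now: datetime) -> dict:
    """Turn a DescribeBackupVault response into CP-9 tamper-protection evidence.

    `vault` has the shape boto3 returns from backup.describe_backup_vault();
    `required_min_days` is the retention floor the Contingency Plan commits to.
    """
    findings = []
    if not vault.get("Locked"):
        findings.append("Vault Lock not configured: recovery points are deletable")
    else:
        lock_date = vault.get("LockDate")
        # Until LockDate passes, the lock is inside its changeable_for_days grace
        # period and can still be removed, so it is not yet evidence of WORM protection
        if lock_date is None or lock_date > now:
            findings.append("Vault Lock grace period has not expired: lock is still changeable")
        if vault.get("MinRetentionDays", 0) < required_min_days:
            findings.append(
                f"MinRetentionDays {vault.get('MinRetentionDays')} is below the "
                f"{required_min_days}-day floor documented in the Contingency Plan"
            )
    return {
        "vault": vault.get("BackupVaultName"),
        "control_reference": "NIST 800-53 CP-9",
        "compliant": not findings,
        "findings": findings,
    }


def fetch_vault(vault_name: str, region: str = "us-gov-west-1") -> dict:
    """Live lookup; boto3 is imported lazily so the check above runs offline."""
    import boto3
    client = boto3.client("backup", region_name=region)
    return client.describe_backup_vault(BackupVaultName=vault_name)


# Constructed sample response (not real account data) mirroring the Terraform
# values above: 7/365-day retention bounds, lock immutable from 3 April 2026
SAMPLE_NOW = datetime(2026, 4, 10, tzinfo=timezone.utc)
SAMPLE_VAULT = {
    "BackupVaultName": "nist-compliant-vault",
    "Locked": True,
    "MinRetentionDays": 7,
    "MaxRetentionDays": 365,
    "LockDate": datetime(2026, 4, 3, tzinfo=timezone.utc),
}
```

Run evaluate_vault_lock(fetch_vault("nist-compliant-vault"), 7, datetime.now(timezone.utc)) against a live vault; a non-empty findings list is the gap to close before the vault is cited in the SSP.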

Cross-Region Replication (CP-6 Alternate Storage)

GovCloud has two regions: us-gov-west-1 (Oregon) and us-gov-east-1 (Virginia). Cross-region backup replication satisfies CP-6 (Alternate Storage Site):

resource "aws_backup_plan" "nist_cp6_compliant" {
  name = "nist-cp6-backup-plan"

  rule {
    rule_name         = "daily-with-cross-region"
    target_vault_name = aws_backup_vault.primary.name
    schedule          = "cron(0 4 * * ? *)"   # 04:00 UTC every day

    # Copy each completed recovery point to the vault in the other GovCloud region
    copy_action {
      destination_vault_arn = "arn:aws-us-gov:backup:us-gov-east-1:${var.account_id}:backup-vault:secondary-vault"
      lifecycle {
        delete_after = 90
      }
    }
  }
}

The cross-region copy happens asynchronously after the local backup completes. For RTO/RPO requirements at Moderate impact level, cross-region RPO is typically 24 hours (daily copy) — verify this meets your system's specific RPO requirement documented in the Contingency Plan.
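To turn that RPO caveat into a check, the following added example (not code from the article) takes the RecoveryPoints list that list_recovery_points_by_backup_vault returns for the secondary vault and reports every resource whose newest COMPLETED copy is older than the documented RPO; PARTIAL, DELETING and EXPIRED points do not count. The ARNs, account ID, timestamps and the 24-hour target are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone


def rpo_report(recovery_points: list, target_rpo_hours: int, now: datetime) -> dict:
    """Compare each protected resource's newest COMPLETED recovery point in a
    vault against the RPO documented in the Contingency Plan.

    `recovery_points` has the shape of the RecoveryPoints list returned by
    backup.list_recovery_points_by_backup_vault() (page through NextToken).
    """
    newest = {}
    for rp in recovery_points:
        if rp.get("Status") != "COMPLETED":
            continue  # PARTIAL, DELETING or EXPIRED points do not satisfy the RPO
        arn = rp["ResourceArn"]
        if arn not in newest or rp["CreationDate"] > newest[arn]:
            newest[arn] = rp["CreationDate"]
    target = timedelta(hours=target_rpo_hours)
    breaches = {arn: round((now - ts).total_seconds() / 3600, 1)
                for arn, ts in newest.items() if now - ts > target}
    return {
        "control_reference": "NIST 800-53 CP-6 / CP-9(3)",
        "target_rpo_hours": target_rpo_hours,
        "resources_checked": len(newest),
        "rpo_breaches_hours": breaches,  # resource ARN -> age of newest good copy
        "compliant": not breaches,
    }


# Constructed sample (not real data): an EBS copy 8 h old, and an RDS instance
# whose only COMPLETED copy is 30 h old because the newer one is still PARTIAL
SAMPLE_NOW = datetime(2026, 4, 10, 12, 0, tzinfo=timezone.utc)
APP_DB = "arn:aws-us-gov:rds:us-gov-west-1:123456789012:db:app-db"
SAMPLE_POINTS = [
    {"ResourceArn": "arn:aws-us-gov:ec2:us-gov-west-1:123456789012:volume/vol-0a1b2c",
     "Status": "COMPLETED", "CreationDate": SAMPLE_NOW - timedelta(hours=8)},
    {"ResourceArn": APP_DB, "Status": "COMPLETED",
     "CreationDate": SAMPLE_NOW - timedelta(hours=30)},
    {"ResourceArn": APP_DB, "Status": "PARTIAL",
     "CreationDate": SAMPLE_NOW - timedelta(hours=2)},
]
```

A resource with no recovery point in the secondary vault at all never appears in this report, so pair it with a comparison against the backup plan's tag selection.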

Cross-Account Backup (Immutable Second Copy)

For High-impact systems, cross-account backup copies provide additional protection — if the primary account is compromised, backups in a separate AWS account (backup vault account) remain protected.

AWS Backup supports cross-account copies between accounts in the same AWS Organization. Configure a dedicated backup account, separate from the workload accounts and with Vault Lock enabled, for the most secure backup posture.

CP-9(1): Backup Testing Documentation for ATO

This is where most federal cloud programs fail the CP family — they have backups, but they can't demonstrate the backups work.

CP-9(1) requires: Testing backup information to verify media reliability and information integrity.

AWS Backup provides automated restore testing (generally available as of 2024) — it periodically initiates a restore of a backup job to a validation environment and reports success/failure.

For ATO evidence, configure automated restore testing and export the results to a documented artifact:

import boto3
from datetime import datetime, timezone


def generate_backup_test_report(account_id: str, vault_name: str) -> dict:
    """Collect restore-testing plan configuration and the validation outcome of
    the restore jobs each plan launched, as CP-9(1) evidence."""
    backup_client = boto3.client('backup', region_name='us-gov-west-1')

    report = {
        "report_date": datetime.now(timezone.utc).isoformat(),
        "account_id": account_id,
        "vault": vault_name,
        "control_reference": "NIST 800-53 CP-9(1)",
        "test_results": []
    }

    # ListRestoreTestingPlans is paginated; walk every page via NextToken
    next_token = None
    while True:
        page = backup_client.list_restore_testing_plans(
            **({'NextToken': next_token} if next_token else {})
        )
        for plan in page['RestoreTestingPlans']:
            plan_name = plan['RestoreTestingPlanName']
            selections = backup_client.list_restore_testing_selections(
                RestoreTestingPlanName=plan_name
            )
            # The restore jobs started by the plan carry Status and ValidationStatus;
            # they, not the plan record, are the evidence that a restore actually worked
            jobs = backup_client.list_restore_jobs(
                ByRestoreTestingPlanArn=plan['RestoreTestingPlanArn']
            )
            last_run = plan.get('LastExecutionTime')  # absent until the first run
            report["test_results"].append({
                "plan_name": plan_name,
                "schedule": plan['ScheduleExpression'],
                "last_execution": last_run.isoformat() if last_run else 'No executions yet',
                "selections": [s['RestoreTestingSelectionName']
                               for s in selections['RestoreTestingSelections']],
                "restore_jobs": [
                    {"job_id": j['RestoreJobId'],
                     "status": j['Status'],
                     "validation_status": j.get('ValidationStatus')}
                    for j in jobs['RestoreJobs']
                ]
            })
        next_token = page.get('NextToken')
        if not next_token:
            break

    return report

Export this report monthly to S3 with a lifecycle policy for retention. The report is ATO evidence for CP-9(1) and feeds the monthly ConMon report.

Backup Recovery Runbook (CP-10)

Documentation is as important as the technical implementation. NIST CP-10 requires recovery procedures — your SSP and Contingency Plan must include:

  • Recovery time objective (RTO) — how long to restore
  • Recovery point objective (RPO) — how much data can be lost
  • Step-by-step restoration procedures for each resource type
  • Responsible roles for each step
  • Communication procedures during outage

The AWS Backup restore console provides a guided restore process, but automated restore via API (triggered by Systems Manager Automation runbooks) is more reliable and produces documented execution logs:

# SSM Automation Document for EBS restore
description: "CP-10 — Restore EBS volume from AWS Backup"
schemaVersion: "0.3"
parameters:
  RecoveryPointArn:
    type: String
    description: "ARN of the AWS Backup recovery point to restore"
  AvailabilityZone:
    type: String
    description: "AZ for restored volume"
mainSteps:
  - name: RestoreEBSVolume
    action: aws:executeAwsApi
    inputs:
      Service: backup
      Api: StartRestoreJob
      RecoveryPointArn: "{{ RecoveryPointArn }}"
      IamRoleArn: "arn:aws-us-gov:iam::{{global:ACCOUNT_ID}}:role/AWSBackupServiceRole"
      ResourceType: EBS
      # EBS restore metadata uses the key availabilityZone; the other EBS keys
      # (volumeType, volumeSize, encrypted) are returned by
      # GetRecoveryPointRestoreMetadata and can be passed here as well
      Metadata:
        availabilityZone: "{{ AvailabilityZone }}"
    outputs:
      - Name: RestoreJobId
        Selector: $.RestoreJobId
        Type: String
  # Block until AWS Backup reports the job finished, so the Automation execution
  # log records the restore outcome as CP-10 evidence
  - name: WaitForRestoreCompletion
    action: aws:waitForAwsResourceProperty
    timeoutSeconds: 3600
    inputs:
      Service: backup
      Api: DescribeRestoreJob
      RestoreJobId: "{{ RestoreEBSVolume.RestoreJobId }}"
      PropertySelector: $.Status
      DesiredValues:
        - COMPLETED


Frequently Asked Questions

What resources does AWS Backup support in GovCloud?

AWS Backup in GovCloud supports EC2 (AMIs and EBS), EBS volumes, RDS and Aurora clusters, DynamoDB, S3 (GovCloud S3 backup support added in 2023), and EFS. Not every feature available in commercial regions is available in GovCloud, so verify the current GovCloud service feature matrix for specific capabilities before designing the backup architecture.

How does AWS Backup Vault Lock satisfy FedRAMP requirements?

Vault Lock provides tamper protection for backup data — once set and past the grace period, no identity (including root) can delete backups before their retention date. This satisfies the FedRAMP Moderate CP-9 requirement for backup protection. For evidence, the Vault Lock configuration in Terraform/CloudFormation and the Vault Lock status via AWS Config rule backup-plan-min-frequency-and-min-retention-check provide ATO artifacts.

What is a reasonable RPO for a FedRAMP Moderate cloud system?

NIST 800-53 Moderate doesn't specify exact RPO values — your system's Contingency Plan defines the RPO based on mission requirements. Most Moderate-impact federal cloud systems target a 24-hour RPO (daily backups) for non-real-time business systems, and 4–8 hour RPO for operational systems. Real-time transaction systems may require database-level point-in-time recovery (PITR), which AWS RDS and Aurora support independently of AWS Backup.

Can AWS Backup be used for CMMC Level 2 backup requirements?

Yes. CMMC Level 2 requirement 3.8.9 (Protect Backups) maps to NIST 800-171 3.8.9 and SP 800-53 CP-9. AWS Backup with Vault Lock satisfies the protection requirement. The backup testing and documentation requirement (3.8.9 equivalent) requires the same restore testing documentation approach described in this article. CMMC assessors will look for evidence that backups are tested and that recovery procedures are documented.

How do we handle backup monitoring and alerting for ConMon?

Configure CloudWatch alarms on AWS Backup metrics: NumberOfBackupJobsFailed, NumberOfRecoveryPointsExpired. Route alarms through SNS to your incident response workflow and SIEM. Failed backup jobs must appear in your monthly ConMon report as a finding. AWS Backup also integrates with AWS Security Hub — enabling the aws-foundational-security-best-practices standard activates backup-related checks that appear in the Security Hub findings dashboard.