CP-9(5): Transfer to Alternate Storage Site

9 min readLast verified: February 2026By

CP-9(5) requires you to transfer system backup information to an alternate storage site at a defined cadence, so backups survive a primary-site outage, disaster, ransomware event, or insider sabotage. To operationalize it, set a transfer frequency, automate replication or offsite copy, encrypt and control access, and keep evidence that transfers complete and can be restored. 1

Key takeaways:

  • Define and document the transfer frequency to the alternate storage site, then enforce it technically. 1
  • “Successful backup” is not enough; you need proof the backup was transferred offsite and remains restorable. 2
  • Your audit pass hinges on repeatable job logs, restore test results, and clear ownership for offsite transfer operations. 2

The cp-9(5): transfer to alternate storage site requirement is a continuity and resilience control that closes a common operational gap: backups exist, but they sit too close to the systems they protect. CP-9(5) pushes you to treat “offsite” as an engineered outcome, not a policy statement. The requirement is simple in text, but easy to fail in practice when teams rely on manual exports, ad hoc cloud sync, or “we could copy them if needed” assumptions.

For a Compliance Officer, CCO, or GRC lead, the fastest path to implementation is to translate CP-9(5) into three decisions you can defend: (1) what counts as “system backup information” for your environment, (2) what qualifies as an “alternate storage site,” and (3) how often transfers must occur to meet your recovery objectives. Then you operationalize those decisions with automation, monitoring, and restore testing, and you retain evidence that shows the control works over time.

This page gives requirement-level guidance you can hand to IT operations, security engineering, and the owners of backup platforms, then collect artifacts that stand up in an assessment against NIST SP 800-53 Rev. 5. 2

Regulatory text

Control requirement (CP-9(5)): “Transfer system backup information to the alternate storage site {{ insert: param, cp-9.5_prm_1 }}.” 1

Operator interpretation (what you must do)

  • You must move backup data off the primary site to a separate storage location you designate as the alternate storage site. 1
  • You must set a transfer frequency (the parameter in the control) and follow it consistently. The control is not satisfied by “periodic” without a defined cadence and evidence of completion. 1
  • You must be able to restore from what you transferred. If the transfer corrupts data, excludes key systems, or is not accessible during an outage, the requirement fails in substance even if a job log exists. 2

Plain-English requirement (practitioner version)

Maintain backups, then copy or replicate them to a physically and logically separate storage location on a defined schedule, so a compromise or loss of the primary environment does not also destroy your backups. Keep proof that transfers occur and that transferred backups can be restored.

Who it applies to

CP-9(5) is used in NIST SP 800-53 Rev. 5 control baselines and is commonly inherited or tailored by:

  • Federal information systems (agency-operated environments) that must meet NIST SP 800-53 control requirements. 2
  • Contractor systems handling federal data where NIST SP 800-53 controls flow down through contracts, ATO requirements, or customer security addenda. 2

Operationally, it applies anywhere you have:

  • Production workloads whose outage or corruption would trigger incident response, downtime, data loss, or mission impact.
  • A backup platform (cloud-native snapshots, enterprise backup suite, database backups, file backups) that can transfer copies to separate storage.

What you actually need to do (step-by-step)

Use this as a build sheet you can assign to a control owner.

1) Name the control owner and define scope

  1. Assign a primary owner (often Infrastructure/Backup Ops) and a GRC validator (you).
  2. Define “system backup information” in scope:
    • VM images/snapshots
    • Database backups and transaction logs
    • File shares and unstructured data backups
    • Backup configuration metadata (job definitions, encryption keys where applicable, catalogs)
  3. Map in-scope systems to an application/service inventory so you can prove coverage during audits. 2

2) Define the “alternate storage site” in operational terms

Document what qualifies in your environment:

  • Separate cloud account/subscription, separate region, separate storage service, or separate datacenter.
  • Segregated credentials and administrative boundaries from primary production admins.
  • Network path and access method that works during primary-site disruption.

Write it down as a short standard: “Alternate storage site for backups is X; access is restricted to Y; transfers occur via Z.” 2

3) Set the transfer frequency parameter (the part assessors will look for)

CP-9(5) includes a parameter for transfer cadence. Decide and document it based on:

  • Recovery Point Objective (RPO) expectations for critical services
  • Data change rate
  • Backup window constraints
  • Business tolerance for loss of recent data

Record the decision in the backup standard and in the control implementation statement so it is assessable. 1

4) Implement technical transfer mechanics (automate by default)

Pick one pattern per platform and standardize it:

  • Replication: replicate backup repositories to an offsite target.
  • Copy jobs: backup to local repo, then copy to offsite object storage.
  • Immutable/offline options (where supported): offsite storage with write-once or object lock settings aligned to your threat model.

Minimum engineering expectations:

  • Encrypt data in transit and at rest.
  • Restrict who can delete or overwrite offsite backups.
  • Ensure backups transfer even if primary compute is down (for example, backup server can still reach offsite storage).

5) Add monitoring, failure handling, and escalation

Operationalize the control by treating missed transfers as incidents:

  • Alert on failed transfer jobs, delayed replication, or storage quota exhaustion.
  • Define an on-call or ticket workflow with time-to-remediate expectations.
  • Track exceptions (planned outages, system decommissioning, one-time migrations) with approvals and compensating controls.

This is where many programs fail: they implement the copy but do not detect silent failure. 2

6) Prove restorability from the alternate site

Run restore validations that specifically pull data from the alternate storage site:

  • Restore a sample system or dataset to an isolated environment.
  • Validate integrity checks, application startup, and data consistency.
  • Document results, issues, and remediation.

Assessors often accept job logs plus restore testing as stronger evidence than logs alone. 2

Required evidence and artifacts to retain

Keep artifacts that demonstrate: scope, configuration, execution, and validation.

Governance artifacts

  • Backup and recovery standard that states the transfer frequency and alternate storage site definition. 2
  • CP-9(5) control implementation statement (who does what, tools used, cadence, monitoring, exceptions). 2

Technical artifacts

  • Backup system configuration screenshots/exports showing offsite target, replication/copy policy, encryption settings, and access controls.
  • Job schedules showing the defined transfer cadence.
  • Transfer/replication logs for a representative period, with success/failure status and timestamps.
  • Storage inventory showing the alternate storage location and retention settings.

Validation artifacts

  • Restore test plans and results explicitly sourcing backups from the alternate storage site.
  • Tickets or incident records for failed transfers and the remediation performed.
  • Exception register for systems temporarily out of compliance, with approvals and end dates.

If you use Daydream for control management, map CP-9(5) to the control owner, procedure, and recurring evidence requests so evidence collection is routine instead of a quarterly scramble. 1

Common exam/audit questions and hangups

Expect these lines of questioning:

  • “Show me where the transfer frequency is defined, and show logs proving it happened.” 1
  • “What qualifies as your alternate storage site? How is it separated from the primary site and admin roles?” 2
  • “Can ransomware or a privileged admin delete both primary and offsite backups? Show controls that prevent that.” 2
  • “Demonstrate a restore from the alternate site, not from the primary backup repository.” 2
  • “Which systems are covered, and how do you ensure new systems get added?” 2

Frequent implementation mistakes (and how to avoid them)

Mistake Why it fails CP-9(5) Fix
Offsite is “same cloud account, same admins” Alternate site lacks meaningful separation Use separate account/subscription or segregated roles and deletion protections; document separation. 2
Cadence is implied but not stated Parameter is undefined; auditors can’t assess Write the frequency into the standard and the job schedule; retain evidence. 1
Transfers run, but no monitoring Silent failure breaks continuity Alert on failures, add ticketing, and track remediation. 2
Restore tests only from local backups Doesn’t validate the alternate site path Perform restores from the alternate site and keep results. 2
Coverage gaps for SaaS or managed databases “System backup information” misunderstood Define what backups exist, who owns them (you vs third party), and how offsite transfer is achieved or contractually ensured. 2

Enforcement context and risk implications

No public enforcement cases were provided for this control in the source material, so treat CP-9(5) as an assessment-driven requirement rather than an enforcement-citation topic for this page. The practical risk is straightforward: if a primary environment fails or is compromised and the backups are co-located or co-administered, you can lose both production data and recovery capability, extending outage duration and increasing incident response scope. 2

Practical 30/60/90-day execution plan

First 30 days (stabilize scope and decisions)

  • Assign control owner and approvers; document RACI.
  • Define “alternate storage site” for each hosting model (on-prem, cloud, hybrid).
  • Set and approve the transfer frequency parameter and document it. 1
  • Inventory in-scope systems and identify backup sources of truth (backup platform, database tooling, snapshots).

Days 31–60 (implement and instrument)

  • Configure replication/copy jobs to the alternate storage site across priority systems.
  • Implement encryption, access restrictions, and deletion protections for offsite backups.
  • Turn on alerting and ticket workflows for failed transfers.
  • Start retaining standardized evidence (config exports, logs, job schedules).

Days 61–90 (prove restorability and harden operations)

  • Run restore tests that pull from the alternate storage site; document outcomes and remediation.
  • Close coverage gaps (new systems intake, SaaS backup strategy, exceptions process).
  • Create an assessor-ready evidence pack and set recurring evidence tasks in Daydream so the control stays “always on,” not “audit time.” 2

Frequently Asked Questions

What counts as an “alternate storage site” for CP-9(5)?

A location separate enough that the same outage or compromise won’t take out both production and backups. Document what separation means for you (account/region/datacenter, roles, deletion protections) and make sure the transfer path is automated. 2

Does CP-9(5) require a specific transfer frequency?

The control text includes a parameter for frequency; you must define it and then prove you meet it consistently. Put the frequency in your backup standard and show job schedules and logs that match. 1

If we use a third-party backup provider, do we still need to do anything?

Yes. You still need documented responsibility, proof of transfer to the provider’s alternate site, and restore evidence. If the third party performs the transfer, get contractual language and recurring reports/logs that demonstrate completion. 2

Are snapshots the same as backups for CP-9(5)?

Snapshots can be part of your backup strategy, but CP-9(5) focuses on transferring backup information to an alternate site. If snapshots stay in the same environment with the same admin plane, they may not satisfy the “alternate storage site” expectation. 2

What evidence is most persuasive to auditors?

A defined frequency, automated job configuration, a run of transfer logs showing success/failure handling, and restore test results from the alternate site. A policy without execution records rarely passes. 2

How do we handle systems that can’t support offsite transfer yet?

Put them in a time-bound exception with compensating controls (enhanced monitoring, alternative backup method, or migration plan). Track ownership and closure, and keep the exception register as part of your evidence pack. 2

Footnotes

  1. NIST SP 800-53 Rev. 5 OSCAL JSON

  2. NIST SP 800-53 Rev. 5

Frequently Asked Questions

What counts as an “alternate storage site” for CP-9(5)?

A location separate enough that the same outage or compromise won’t take out both production and backups. Document what separation means for you (account/region/datacenter, roles, deletion protections) and make sure the transfer path is automated. (Source: NIST SP 800-53 Rev. 5)

Does CP-9(5) require a specific transfer frequency?

The control text includes a parameter for frequency; you must define it and then prove you meet it consistently. Put the frequency in your backup standard and show job schedules and logs that match. (Source: NIST SP 800-53 Rev. 5 OSCAL JSON)

If we use a third-party backup provider, do we still need to do anything?

Yes. You still need documented responsibility, proof of transfer to the provider’s alternate site, and restore evidence. If the third party performs the transfer, get contractual language and recurring reports/logs that demonstrate completion. (Source: NIST SP 800-53 Rev. 5)

Are snapshots the same as backups for CP-9(5)?

Snapshots can be part of your backup strategy, but CP-9(5) focuses on transferring backup information to an alternate site. If snapshots stay in the same environment with the same admin plane, they may not satisfy the “alternate storage site” expectation. (Source: NIST SP 800-53 Rev. 5)

What evidence is most persuasive to auditors?

A defined frequency, automated job configuration, a run of transfer logs showing success/failure handling, and restore test results from the alternate site. A policy without execution records rarely passes. (Source: NIST SP 800-53 Rev. 5)

How do we handle systems that can’t support offsite transfer yet?

Put them in a time-bound exception with compensating controls (enhanced monitoring, alternative backup method, or migration plan). Track ownership and closure, and keep the exception register as part of your evidence pack. (Source: NIST SP 800-53 Rev. 5)

Related Resources

Operationalize this requirement

Map requirement text to controls, owners, evidence, and review workflows inside Daydream.

See Daydream