RE.3.139 Regularly perform complete, comprehensive, and resilient data backups as organizationally defined.

CMMC Practice RE.3.139: Regularly perform complete, comprehensive, and resilient data backups as organizationally defined.

Links to Publicly Available Resources

CMMC CLARIFICATION (Ref CMMC – Appendix B)

Ensure systems and data are backed up at an interval that enables an organization to restore the system or data in accordance with business requirements. A complete backup ensures that all of the files necessary to reconstruct a system are backed up. Comprehensive backups cover all of the systems defined by the organization as necessary for business effectiveness and/or continuity. You should complete the backups based on a regular schedule that satisfies the needs of your organization. Ensure that your backups are resilient to physical disaster and malicious attack (e.g., ransomware). One approach is to store at least one system backup off-site and offline.