Skip to main content

BCD-12: Technology Assets, Applications and/or Services (TAAS) Recovery & Reconstitution

BCD 9 — Critical Protect

Mechanisms exist to ensure the secure recovery and reconstitution of Technology Assets, Applications and/or Services (TAAS) to a known state after a disruption, compromise or failure.

Control Question: Does the organization ensure the secure recovery and reconstitution of Technology Assets, Applications and/or Services (TAAS) to a known state after a disruption, compromise or failure?

General (29)
Framework Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source) A1.2 CC7.5 CC7.5-POF1
CIS CSC 8.1 11.3
CIS CSC 8.1 IG1 11.3
CIS CSC 8.1 IG2 11.3
CIS CSC 8.1 IG3 11.3
CSA IoT SCF 2 OPA-06 OPA-07
GovRAMP Core CP-10
GovRAMP Low CP-10
GovRAMP Low+ CP-10
GovRAMP Moderate CP-10
GovRAMP High CP-10
IEC 62443-4-2 2019 CR 7.4 (11.6.1)
MITRE ATT&CK 10 T1485, T1486, T1490, T1491, T1491.001, T1491.002, T1561, T1561.001, T1561.002, T1565, T1565.001
NIST 800-53 R4 CP-10
NIST 800-53 R4 (low) CP-10
NIST 800-53 R4 (moderate) CP-10
NIST 800-53 R4 (high) CP-10
NIST 800-53 R5 (source) CP-10
NIST 800-53B R5 (low) (source) CP-10
NIST 800-53B R5 (moderate) (source) CP-10
NIST 800-53B R5 (high) (source) CP-10
NIST 800-82 R3 LOW OT Overlay CP-10
NIST 800-82 R3 MODERATE OT Overlay CP-10
NIST 800-82 R3 HIGH OT Overlay CP-10
NIST CSF 2.0 (source) RC RC.RP-01 RC.RP-05
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) BCD-12
SCF CORE ESP Level 1 Foundational BCD-12
SCF CORE ESP Level 2 Critical Infrastructure BCD-12
SCF CORE ESP Level 3 Advanced Threats BCD-12
US (20)
Framework Mapping Values
US CERT RMM 1.2 SC:SG3.SP1
US CMS MARS-E 2.0 CP-10
US FedRAMP R4 CP-10
US FedRAMP R4 (low) CP-10
US FedRAMP R4 (moderate) CP-10
US FedRAMP R4 (high) CP-10
US FedRAMP R4 (LI-SaaS) CP-10
US FedRAMP R5 (source) CP-10
US FedRAMP R5 (low) (source) CP-10
US FedRAMP R5 (moderate) (source) CP-10
US FedRAMP R5 (high) (source) CP-10
US FedRAMP R5 (LI-SaaS) (source) CP-10
US FFIEC D5.IR.Pl.B.5 D5.IR.Te.E.3
US HIPAA Administrative Simplification 2013 (source) 164.308(a)(7)(ii)(B)
US HIPAA Security Rule / NIST SP 800-66 R2 (source) 164.308(a)(7)(ii)(B)
US IRS 1075 CP-10
US NISPOM 2020 8-613
US - TX DIR Control Standards 2.0 CP-10
US - TX TX-RAMP Level 1 CP-10
US - TX TX-RAMP Level 2 CP-10
EMEA (8)
Framework Mapping Values
EMEA EU EBA GL/2019/04 3.7.3(83)
EMEA EU NIS2 21.2(c)
EMEA EU NIS2 Annex 4.2.2(e)
EMEA Israel CDMO 1.0 25.9 25.12 25.22
EMEA Saudi Arabia CSCC-1 2019 2-8-2
EMEA Saudi Arabia IoT CGIoT-1 2024 2-12-2
EMEA Saudi Arabia ECC-1 2018 2-4-3-3
EMEA UK DEFSTAN 05-138 4202
APAC (3)
Framework Mapping Values
APAC India SEBI CSCRF PR.IP.S7
APAC New Zealand HISF 2022 HHSP17 HML17 HSUP15 HSUP15
APAC New Zealand HISF Suppliers 2023 HSUP15 HSUP15

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to ensure the secure recovery and reconstitution of Technology Assets, Applications and/or Services (TAAS) to a known state after a disruption, compromise or failure.

Level 1 — Performed Informally

Business Continuity & Disaster Recovery (BCD) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • IT personnel work with business stakeholders to identify business-critical Technology Assets, Applications and/or Services (TAAS) and services, including internal teams and third-party service providers.
  • IT personnel develop limited Disaster Recovery Plans (DRP) to recover business-critical Technology Assets, Applications and/or Services (TAAS) and services.
  • Business stakeholders develop limited Business Continuity Plans (BCPs) to ensure business-critical functions are sustainable both during and after an incident within Recovery Time Objectives (RTOs).
  • Backups are performed ad-hoc and focus on business-critical Technology Assets, Applications and/or Services (TAAS).
  • Limited technologies exist to support near real-time network infrastructure failover (e.g., redundant ISPs, redundant power, etc.).
Level 2 — Planned & Tracked

Business Continuity & Disaster Recovery (BCD) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Business Continuity / Disaster Recovery (BC/DR) management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for BC/DR management.
  • BC/DR roles are formally assigned as an additional duty to existing IT/cybersecurity personnel.
  • Recovery Time Objectives (RTOs) identify business-critical Technology Assets, Applications and/or Services (TAAS) and services, which are given priority of service in alternate processing and storage sites.
  • IT personnel develop Disaster Recovery Plans (DRP) to recover business-critical Technology Assets, Applications and/or Services (TAAS) and services.
  • Data/process owners conduct a Business Impact Analysis (BIA) at least annually, or after any major technology or process change, to identify assets critical to the business in need of protection, as well as single points of failure.
  • IT/cybersecurity personnel work with business stakeholders to develop Business Continuity Plans (BCPs) to ensure business functions are sustainable both during and after an incident within Recovery Time Objectives (RTOs).
  • IT personnel use a backup methodology (e.g., grandfather, father & s on rotation) to store backups in a secondary location, separate from the primary storage site.
  • IT personnel configure business-critical Technology Assets, Applications and/or Services (TAAS) to transfer backup data to the alternate storage site at a rate that is capable of meeting Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
Level 3 — Well Defined

Business Continuity & Disaster Recovery (BCD) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • A formal Business Continuity & Disaster Recovery (BC/DR) program exists with defined roles and responsibilities to restore functionality in the event of a catastrophe, emergency, or significant disruptive incident that is handled in accordance with a Continuity of Operations Plan (COOP).
  • BC/DR personnel work with business stakeholders to identify business-critical Technology Assets, Applications and/or Services (TAAS), services, internal teams and third-party service providers.
  • Specific criteria are defined to initiate BC/DR activities that facilitate business continuity operations capable of meeting applicable RTOs and/or RPOs.- Application/system/process owners conduct a Business Impact Analysis (BIA) at least annually, or after any major technology or process change, to identify assets critical to the business in need of protection, as well as single points of failure.
  • Recovery Time Objectives (RTOs) are defined for business-critical Technology Assets, Applications and/or Services (TAAS) and services.
  • Recovery Point Objectives (RPOs) are defined and technologies exist to conduct transaction-level recovery, in accordance with RPOs.
  • Controls are assigned to sensitive/regulated assets to comply with specific BC/DR requirements to facilitate recovery operations in accordance with RTOs and RPOs.
  • IT personnel work with business stakeholders to develop Disaster Recovery Plans (DRP) to recover business-critical Technology Assets, Applications and/or Services (TAAS) and services within RPOs.
  • Business stakeholders work with IT personnel to develop Business Continuity Plans (BCPs) to ensure business functions are sustainable both during and after an incident within RTOs.
  • The data backup function is formally assigned with defined roles and responsibilities.
  • BC/DR personnel have pre-established methods to communicate the status of recovery activities and progress in restoring operational capabilities to designated internal and external stakeholders.
  • The integrity of backups and other restoration assets are verified prior to using them for restoration.
Level 4 — Quantitatively Controlled

Business Continuity & Disaster Recovery (BCD) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
  • Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
  • Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
  • Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
  • Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
  • Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to ensure the secure recovery and reconstitution of Technology Assets, Applications and/or Services (TAAS) to a known state after a disruption, compromise or failure.

Assessment Objectives

  1. BCD-12_A01 secure baseline configurations exist for systems, applications and/or services protect the confidentiality and integrity of data being stored, processed and/or transmitted.
  2. BCD-12_A02 systems, applications and/or services are securely recovered / reconstituted to a known, trusted state after a disruption, compromise or failure.

Evidence Requirements

E-BCM-15 Restoration Events

Documented evidence of system, application and/or data recovery events. This can include random testing of data backups to ensure recovery methods are viable.

Business Continuity

Technology Recommendations

Micro/Small

  • Virtual machines
  • Acronis (https://acronis.com)

Small

  • Virtual machines
  • Docker (https://docker.com)
  • Acronis (https://acronis.com)

Medium

  • Virtual machines
  • Docker (https://docker.com)
  • Acronis (https://acronis.com)
  • CimTrak Integrity Suite (https://cimcor.com/cimtrak)
  • Docker (https://docker.com)

Large

  • Virtual machines
  • Docker (https://docker.com)
  • Acronis (https://acronis.com)
  • CimTrak Integrity Suite (https://cimcor.com/cimtrak)
  • Docker (https://docker.com)

Enterprise

  • Virtual machines
  • Docker (https://docker.com)
  • Acronis (https://acronis.com)
  • CimTrak Integrity Suite (https://cimcor.com/cimtrak)
  • Docker (https://docker.com)

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free