Backup Immutability Auditor (CISA CPG 3.1)
Overview
Document and validate CISA CPG 3.1 Offline Backup & Verification Log: air-gapped or immutable backups so even a Global Admin cannot delete secondary copies, plus periodic Test Restore Log evidence (e.g. every 30 days).
Example Conversation
You: We need to document our backup setup for CISA CPG 3.1. We use immutable backups in the cloud with a 30-day retention lock; restore tests are monthly. Can you draft the section and run the audit?
Agent: I’ll draft a short backup architecture section describing the immutable gap, who can delete (or not), and the 30-day restore test requirement, then run backup_immutability_audit on it.
Agent: Created backup-architecture-cpg31.md. Running backup_immutability_audit…
Agent: Audit PASS — the doc describes the immutable gap, states that even a Global Admin cannot delete secondary copies (deletion restricted by retention lock), and defines testing frequency (monthly). One suggestion: if you have a recent Test Restore Log, add it to the project and I can run restoration_success_checker so we have both the policy and the evidence.
You: Here’s our latest restore test log — please validate it.
Agent: Running restoration_success_checker on test-restore-log-2025-02.md…
Agent: Check PASS — the log has a date within the last 30 days (2025-02-10) and evidence of successful recoverability (“restore completed successfully”, “data integrity verified”). I’ve added a one-line note to backup-architecture-cpg31.md referencing this log as the current evidence for CPG 3.1.
What the Tools Validate
The skill includes two extension tools:
backup_immutability_audit audits a backup architecture or CPG 3.1 document (Markdown or text) for three criteria:
- Gap description — The document must describe the physical or logical “gap” so backups cannot be deleted by ransomware: e.g. air-gapped, immutable, offline, WORM, or retention lock.
- Privileged account cannot delete — The document must state explicitly that even a Global Admin (or equivalent privileged account) cannot delete secondary/backup copies.
- Testing frequency — The document must define how often restore verification runs (e.g. every 30 days, monthly).
Output: PASS if all three are present; otherwise FAIL with a short line per missing element. Run on the draft before finalizing; fix gaps and re-run until the audit passes.
restoration_success_checker validates an uploaded Test Restore Log file:
- Date within 30 days — The log must contain a date (ISO or common format) that falls within the last 30 days.
- Recoverability evidence — The log must contain wording indicating a successful restore (e.g. “success”, “completed”, “verified”, “passed”, “restored”, “recoverability confirmed”).
Output: PASS if both are present; otherwise FAIL with what’s missing. Run when proving periodic restore testing for CPG 3.1; refresh the log and re-run if the check fails.
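To make the two criteria sets concrete, here is an added Python sketch of how an audit and a log check of this shape can be implemented. It is not the skill's own extension tool code; the keyword lists, regular expressions, accepted date formats, sample documents and reference dates are all assumptions constructed for the example. It also covers one edge case the description above does not spell out: success wording is matched on word boundaries and failure wording raises a warning, so a log that says "unsuccessful" or "failed" is not accepted on a substring match of "success".

```python
import re
from datetime import date, datetime, timedelta

# Illustrative re-implementation of the two checks (not the skill's own tool code).
# All keyword lists, regexes, date formats and sample inputs below are assumptions.

# --- backup_immutability_audit: three CPG 3.1 criteria on a Markdown/text document ---
GAP_TERMS = ("air-gapped", "air gapped", "immutable", "offline", "worm", "retention lock")
PRIV_PATTERNS = (
    r"even a global admin[^.]*cannot delete",
    r"no role \(including global admin\) can delete",
    r"privileged account[^.]*cannot delete",
)
FREQ_PATTERNS = (r"every \d+ days", r"\b(daily|weekly|monthly|quarterly)\b")

def backup_immutability_audit(text: str) -> dict:
    """Return {'result': 'PASS'|'FAIL', 'missing': [...]} with one line per absent criterion."""
    low = text.lower()
    missing = []
    if not any(term in low for term in GAP_TERMS):
        missing.append("Backup 'gap' (air-gapped, immutable, or offline) is not described.")
    if not any(re.search(p, low) for p in PRIV_PATTERNS):
        missing.append("Document does not state that a Global Admin cannot delete secondary copies.")
    if not any(re.search(p, low) for p in FREQ_PATTERNS):
        missing.append("Testing/verification frequency (e.g. every 30 days) is not defined.")
    return {"result": "PASS" if not missing else "FAIL", "missing": missing}

# --- restoration_success_checker: recent date + success wording in a Test Restore Log ---
DATE_RE = re.compile(
    r"\b(\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{4}|[A-Z][a-z]+ \d{1,2}, \d{4}|\d{1,2} [A-Z][a-z]+ \d{4})\b"
)
# Slash dates are ambiguous; US order is tried first (assumption), then day-first.
DATE_FORMATS = ("%Y-%m-%d", "%m/%d/%Y", "%d/%m/%Y", "%B %d, %Y", "%d %B %Y")
# Word-boundary match so 'unsuccessful' does not satisfy 'success'.
SUCCESS_RE = re.compile(r"\b(success\w*|completed|verified|passed|restored|recoverability confirmed)\b")
FAILURE_RE = re.compile(r"\b(failed|unsuccessful|not (completed|verified|restored))\b")

def extract_dates(text: str) -> list:
    """Parse every recognisable date in the log (matches that fail to parse are skipped)."""
    found = []
    for m in DATE_RE.finditer(text):
        for fmt in DATE_FORMATS:
            try:
                found.append(datetime.strptime(m.group(1), fmt).date())
                break
            except ValueError:
                continue
    return found

def restoration_success_checker(text: str, today: date) -> dict:
    """Return {'result', 'missing', 'warnings'}; 'today' is injected so runs are reproducible."""
    missing, warnings = [], []
    # A date counts only if it is not in the future and at most 30 days old.
    recent = [d for d in extract_dates(text) if timedelta(0) <= today - d <= timedelta(days=30)]
    if not recent:
        missing.append("Log has no date within the last 30 days.")
    low = text.lower()
    if not SUCCESS_RE.search(low):
        missing.append("Log has no evidence of successful recoverability.")
    if FAILURE_RE.search(low):
        warnings.append("Log contains failure wording; review before accepting it as evidence.")
    return {"result": "PASS" if not missing else "FAIL", "missing": missing, "warnings": warnings}

# --- constructed sample inputs and reference dates (assumptions, not real records) ---
SAMPLE_ARCH = """## Backup architecture (CISA CPG 3.1)
- Gap: Secondary backups are stored in immutable object storage with a 30-day retention lock.
  No role (including Global Admin) can delete or overwrite copies within the retention window.
- Privileged accounts: Even a Global Admin cannot delete the secondary copies.
- Verification: A test restore is performed at least every 30 days.
"""
WEAK_ARCH = "Backups are copied nightly to a second region where the platform team can manage them."
SAMPLE_LOG = """Test Restore Log
Date: 2025-02-10
Scope: finance file share restored from the immutable secondary copy
Result: restore completed successfully; data integrity verified (checksums matched).
"""
REFERENCE_TODAY = date(2025, 2, 20)   # 10 days after the log date: inside the window
STALE_TODAY = date(2025, 4, 1)        # 50 days after the log date: outside the window

def print_report(title: str, report: dict) -> None:
    print(f"=== {title} ===\nResult: {report['result']}")
    for line in report["missing"] + report.get("warnings", []):
        print(" -", line)

if __name__ == "__main__":
    print_report("BACKUP IMMUTABILITY AUDIT (CPG 3.1)", backup_immutability_audit(SAMPLE_ARCH))
    print_report("BACKUP IMMUTABILITY AUDIT (CPG 3.1)", backup_immutability_audit(WEAK_ARCH))
    print_report("RESTORATION SUCCESS CHECK (CPG 3.1)", restoration_success_checker(SAMPLE_LOG, REFERENCE_TODAY))
```

The reference date is passed in rather than read from the clock so that the same log produces the same verdict in a regression test; in production you would pass `date.today()`. Keyword matching of this kind is evidence that the document says the right things, not proof that the storage actually enforces the retention lock, so the audit is best paired with a control-plane check of the bucket's lock configuration.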
Output Excerpt
Excerpt from a generated backup architecture section and sample audit/check reports.
Backup architecture (excerpt):
## Backup architecture (CISA CPG 3.1)
- **Gap:** Secondary backups are stored in immutable object storage with a 30-day retention lock. No role (including Global Admin) can delete or overwrite copies within the retention window. Primary admins have no write or delete permission on the backup bucket.
- **Privileged accounts:** Even a Global Admin cannot delete the secondary copies; deletion and retention are enforced by the storage control plane and separate backup-admin role.
- **Verification:** A test restore is performed at least every 30 days. Results are recorded in the Test Restore Log (see [test-restore-log-2025-02.md](test-restore-log-2025-02.md)).
backup_immutability_audit report (excerpt):
=== BACKUP IMMUTABILITY AUDIT (CPG 3.1) ===
Result: PASS
Document: backup-architecture-cpg31.md
Backup 'gap' (air-gapped, immutable, or offline) is described.
Document states that even a Global Admin (or privileged account) cannot delete secondary/backup copies.
Testing/verification frequency (e.g. every 30 days) is defined.
Document meets CPG 3.1 backup immutability and verification expectations.
restoration_success_checker report (excerpt):
=== RESTORATION SUCCESS CHECK (CPG 3.1) ===
Result: PASS
File: test-restore-log-2025-02.md
Log contains a date within the last 30 days (recent test).
Log contains evidence of successful recoverability (e.g. completed, verified, passed).
Test Restore Log meets CPG 3.1 recoverability verification requirements.
Getting Started
Add your source materials to the project workspace (e.g. existing backup policy or architecture notes, and a Test Restore Log if you have one), then activate the Backup Immutability Auditor (CISA CPG 3.1) skill. The agent will guide you through documenting the gap and testing frequency, running backup_immutability_audit, and validating the Test Restore Log with restoration_success_checker.