# Backup Immutability Auditor (CISA CPG 3.1)

> Document and validate CISA CPG 3.1 Offline Backup & Verification Log: air-gapped or immutable backups so even a Global Admin cannot delete secondary copies, plus periodic Test Restore Log evidence (e.g. every 30 days).



Tags: CISA, CPG, Critical Infrastructure, Backup, Ransomware, Recovery


## Example Prompts

- Document our backup architecture so it meets CISA CPG 3.1 — air-gap and who can delete backups
- Audit our backup policy: ensure even Global Admin cannot delete secondary copies
- Validate our Test Restore Log — check we have a restore test within the last 30 days
- Draft the CPG 3.1 section for our water utility: offline backup and verification frequency

URL: https://rakenne.app/skills/backup-immutability-auditor/index.md

Try this skill: https://rakenne.app/a/?skill=backup-immutability-auditor




## Example Conversation

> **You:** We need to document our backup setup for CISA CPG 3.1. We use immutable backups in the cloud with a 30-day retention lock; restore tests are monthly. Can you draft the section and run the audit?

> **Agent:** I'll draft a short backup architecture section describing the immutable gap, who can delete (or not), and the 30-day restore test requirement, then run `backup_immutability_audit` on it.

> **Agent:** Created `backup-architecture-cpg31.md`. Running `backup_immutability_audit`...

> **Agent:** Audit **PASS** — the doc describes the immutable gap, states that even a Global Admin cannot delete secondary copies (deletion restricted by retention lock), and defines testing frequency (monthly). One suggestion: if you have a recent Test Restore Log, add it to the project and I can run `restoration_success_checker` so we have both the policy and the evidence.

> **You:** Here's our latest restore test log — please validate it.

> **Agent:** Running `restoration_success_checker` on `test-restore-log-2025-02.md`...

> **Agent:** Check **PASS** — the log has a date within the last 30 days (2025-02-10) and evidence of successful recoverability ("restore completed successfully", "data integrity verified"). I've added a one-line note to `backup-architecture-cpg31.md` referencing this log as the current evidence for CPG 3.1.

## What the Tools Validate

The skill includes two extension tools:

**`backup_immutability_audit`** audits a backup architecture or CPG 3.1 document (Markdown or text) for three criteria:

- **Gap description** — The document must describe the physical or logical "gap" so backups cannot be deleted by ransomware: e.g. air-gapped, immutable, offline, WORM, or retention lock.
- **Privileged account cannot delete** — The document must state explicitly that even a Global Admin (or equivalent privileged account) cannot delete secondary/backup copies.
- **Testing frequency** — The document must define how often restore verification runs (e.g. every 30 days, monthly).

**Output:** PASS if all three are present; otherwise FAIL with a short line per missing element. Run on the draft before finalizing; fix gaps and re-run until the audit passes.

**`restoration_success_checker`** validates an uploaded Test Restore Log file:

- **Date within 30 days** — The log must contain a date (ISO or common format) that falls within the last 30 days.
- **Recoverability evidence** — The log must contain wording indicating a successful restore (e.g. "success", "completed", "verified", "passed", "restored", "recoverability confirmed").

**Output:** PASS if both are present; otherwise FAIL with what's missing. Run when proving periodic restore testing for CPG 3.1; refresh the log and re-run if the check fails.
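As an added example (not the skill's own implementation), here is a small Python approximation of both tools' criteria: the three `backup_immutability_audit` checks and the two `restoration_success_checker` checks, runnable offline against a draft. The keyword lists, the accepted date formats and the sample documents are assumptions constructed here; a production checker would need a richer vocabulary.

```python
import re
from datetime import date

# Added example (not the skill's own code): keyword checks approximating the criteria above.
GAP_TERMS = ("air-gap", "air gap", "immutable", "offline", "worm", "retention lock")
PRIV_TERMS = ("global admin", "privileged account", "domain admin")
DENY_RE = re.compile(r"\b(cannot|can't|can not|unable to|not able to|no role|no one|nobody)\b")
FREQ_RE = re.compile(r"\b(every\s+\d+\s+days|daily|weekly|monthly|quarterly)\b")
SUCCESS_TERMS = ("success", "completed", "verified", "passed", "restored", "recoverability confirmed")
# Assumption: log dates are written as ISO (2025-02-10) or US-style (02/10/2025).
DATE_RE = re.compile(r"\b(\d{4})-(\d{2})-(\d{2})\b|\b(\d{1,2})/(\d{1,2})/(\d{4})\b")

def backup_immutability_audit(doc: str) -> dict:
    """One boolean per CPG 3.1 criterion: gap, privileged-cannot-delete, frequency."""
    text = doc.lower()
    # Role, denial and 'delete' must share ONE sentence, so merely naming Global Admin is not enough.
    privileged = any(any(p in s for p in PRIV_TERMS) and DENY_RE.search(s) and "delete" in s
                     for s in re.split(r"[.\n]", text))
    return {"gap": any(t in text for t in GAP_TERMS),
            "privileged_cannot_delete": privileged,
            "testing_frequency": bool(FREQ_RE.search(text))}

def restoration_success_checker(log: str, today_iso: str, window_days: int = 30) -> dict:
    """Booleans for a test date within the window and for successful-restore wording."""
    today, recent = date.fromisoformat(today_iso), False
    for m in DATE_RE.finditer(log):
        y, mo, d = m.group(1, 2, 3) if m.group(1) else m.group(6, 4, 5)
        try:
            found = date(int(y), int(mo), int(d))
        except ValueError:  # e.g. 2025-02-30: skip a malformed date instead of crashing
            continue
        # A future-dated entry is not evidence; only 0..window_days days old counts.
        if 0 <= (today - found).days <= window_days:
            recent = True
    return {"date_within_window": recent,
            "recoverability_evidence": any(t in log.lower() for t in SUCCESS_TERMS)}

def verdict(findings: dict) -> str:
    missing = [k for k, ok in findings.items() if not ok]  # PASS only when nothing is missing
    return "PASS" if not missing else "FAIL: missing " + ", ".join(missing)

# Constructed sample inputs (not real documents) for a stand-alone run.
GOOD_DOC = ("Secondary backups live in immutable object storage with a 30-day retention lock. "
            "Even a Global Admin cannot delete the secondary copies. A test restore runs every 30 days.")
WEAK_DOC = "Backups are copied nightly to a second bucket. Global Admin manages the bucket."
GOOD_LOG = "Test restore 2025-02-10: restore completed successfully, data integrity verified."

if __name__ == "__main__":
    print(verdict(backup_immutability_audit(GOOD_DOC)), verdict(backup_immutability_audit(WEAK_DOC)),
          verdict(restoration_success_checker(GOOD_LOG, "2025-02-20")), sep="\n")
```

The reference date is passed in explicitly so a log can be re-checked against any day, which also makes the "within 30 days" window easy to unit-test.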

## Output Excerpt

Excerpt from a generated backup architecture section and sample audit/check reports.

**Backup architecture (excerpt):**

```markdown
## Backup architecture (CISA CPG 3.1)

- **Gap:** Secondary backups are stored in immutable object storage with a 30-day retention lock. No role (including Global Admin) can delete or overwrite copies within the retention window. Primary admins have no write or delete permission on the backup bucket.
- **Privileged accounts:** Even a Global Admin cannot delete the secondary copies; deletion and retention are enforced by the storage control plane and separate backup-admin role.
- **Verification:** A test restore is performed at least every 30 days. Results are recorded in the Test Restore Log (see [test-restore-log-2025-02.md](test-restore-log-2025-02.md)).
```

**backup_immutability_audit report (excerpt):**

```
=== BACKUP IMMUTABILITY AUDIT (CPG 3.1) ===
Result: PASS

Document: backup-architecture-cpg31.md
Backup 'gap' (air-gapped, immutable, or offline) is described.
Document states that even a Global Admin (or privileged account) cannot delete secondary/backup copies.
Testing/verification frequency (e.g. every 30 days) is defined.
Document meets CPG 3.1 backup immutability and verification expectations.
```

**restoration_success_checker report (excerpt):**

```
=== RESTORATION SUCCESS CHECK (CPG 3.1) ===
Result: PASS

File: test-restore-log-2025-02.md
Log contains a date within the last 30 days (recent test).
Log contains evidence of successful recoverability (e.g. completed, verified, passed).
Test Restore Log meets CPG 3.1 recoverability verification requirements.
```

## Getting Started

Add your source materials to the project workspace (e.g. existing backup policy or architecture notes, and a Test Restore Log if you have one), then activate the *Backup Immutability Auditor (CISA CPG 3.1)* skill. The agent will guide you through documenting the gap and testing frequency, running `backup_immutability_audit`, and validating the Test Restore Log with `restoration_success_checker`.


---

Back to [Skill Library](https://rakenne.app/skills/index.md)
