Back Up Government Data
Keep essential services running—even after a cyberattack—with secure, tested backups.
Safeguard Critical Data with Backups
From 911 systems to court records to utility operations, your government data powers services your community depends on. Many of these systems are critical infrastructure essential to the public’s safety, health and governance. If that data is lost or locked up by ransomware, the consequences can be severe. It’s a serious threat to state, local, tribal and territorial (SLTT) governments who are often working with limited resources and legacy systems.
That’s why regularly backing up your data—and testing your ability to restore it—is a critical part of your cybersecurity strategy.
What is a backup?
A backup is a secure copy of your organization’s critical data, stored separately from your primary systems. In the event of a cyber incident, accidental deletion, system failure or disaster, you can restore your data and resume operations quickly.
Why does this matter?
According to Verizon’s 2025 Data Breach Investigations Report, ransomware figured into 44% of the breaches they investigated. Backups are your best hope of recovery from a ransomware attack.
Backups help SLTTs:
- Recover quickly from ransomware or cyberattacks
- Avoid paying ransoms or losing critical data
- Ensure continuity of essential public services
- Reduce financial and operational impact
- Meet compliance and legal requirements
Recovery without backups can take weeks or even months, and it may be impossible.
How to Build a Reliable Backup Strategy
Work with your IT team to create a reliable strategy that protects your organization from data loss.
Decide what to back up.
Start by taking inventory of what important information resides on your network.This will give you an understanding of what you are protecting and who has access. A simple spreadsheet can help you track what you’re backing up.
Focus on sensitive and operations-critical data such as:
- Constituent records
- Employee and HR information
- Financial and payroll data
- Emails and critical communications
- Configuration files and software settings
- Website and operational databases
Pay attention to how your data flows at rest and in transit, user behavior and activities and what devices are involved. This gives you a solid baseline for testing, monitoring and security-based decisions.
Identify what data your organization can’t operate without—like public safety and emergency services data, public records and legal documents, education infrastructure, critical infrastructure system data—and prioritize those for protection.
Follow the 3-2-1 backup rule.
Once you know what needs to be protected, it’s time to set up your backups. The 3-2-1 rule is a trusted guideline. Protect your data with:
- 3 copies of important files
- 2 different types of storage media (like a hard drive and the cloud)
- 1 copy stored off-site, away from your location
Choose a backup solution that runs automatically and regularly. Regular backups protect against ransomware and malware attacks. Use a combination of on-site and remote backups to protect against threats, hardware failures and physical damage.
Secure, test and train.
Leverage protections for backups, including physical security, encryption and offline copies.
Test backup procedures to make sure your team can rapidly restore data both fully and partially, and to ensure you can roll back data at least seven days if needed. Know how to access critical files even without an internet connection. If using industrial control systems or operational technology (such as for a water treatment plant), conduct a test of manual controls to ensure that critical functions remain operable if the organization’s network is unavailable or untrusted.
Finally, ensure your team is trained. A backup plan is only helpful if everyone knows how to use it. Write down your procedures and make sure your team can recover systems, networks and data from your backups. Everyone plays a part in data protection!
Printable Tips
Get the “Level Up Your Defenses for SLTTs” best practices in one handy, printable summary.
No-Cost Guidance from CISA—Share with Your IT Team
Stop Ransomware
Regular backups are one of the best ways to protect your organization from ransomware losses. Review the Stop Ransomware Guide’s information on backing up data.
Infrastructure Resilience Planning Framework
Incorporate critical infrastructure resilience considerations into your organization’s planning.
State, Local, Tribal & Territorial Resources
No-cost information, resources, and tools from CISA to help you defend against cyber threats.