Backup and disaster recovery is not a secondary concern in the SACS-002 framework -- it is a foundational requirement. Aramco's CCC auditors evaluate whether your organization can survive a data loss event, a ransomware attack, or a complete infrastructure failure and resume operations within defined time windows. Vendors who treat backup as an afterthought -- running ad hoc copies to a local USB drive or relying on their hosting provider's unverified snapshots -- consistently fail this portion of the audit. This article breaks down every backup and DR requirement in SACS-002, explains what auditors expect to see, and provides the technical targets and documentation standards you need to pass.
SACS-002 Backup and Disaster Recovery Requirements Overview
The SACS-002 standard addresses backup and disaster recovery across multiple TPC controls. Unlike some frameworks that treat backup as a single checkbox, Aramco's requirements span the full lifecycle: backup creation, encryption, storage, verification, restoration testing, and documented disaster recovery planning. The controls work together to ensure that your organization can recover critical data and resume business operations after any disruptive event.
Key principle: SACS-002 does not just require that backups exist. It requires that backups are encrypted, stored off-site, tested regularly, and that your organization can demonstrate -- with documented evidence -- that restoration actually works within defined time windows.
The backup and DR requirements touch the following areas:
- Documented backup procedures -- formal policies defining what gets backed up, how often, and where backups are stored
- Backup frequency and scheduling -- minimum daily backups for critical data with defined incremental and full backup cycles
- Backup encryption -- data must be encrypted both at rest (in storage) and in transit (during transfer)
- Off-site storage -- backups must be stored at a geographically separate location from the primary data
- Backup verification -- regular integrity checks to confirm backup data is not corrupted
- Disaster recovery planning -- a formal DR plan with defined RPO and RTO targets
- DR testing -- annual minimum testing with documented results
- Data restoration procedures -- documented and tested processes for recovering data from backups
Documented Backup Procedures: What Auditors Expect to See
The first thing an auditor will request is your backup policy document. This is not a generic template downloaded from the internet -- it must be a specific, detailed document that describes your organization's actual backup practices. The document must be approved by management, reviewed at least annually, and distributed to relevant personnel.
Required Elements of a Backup Policy
Your backup policy document must include the following elements at minimum:
- Scope: Which systems, applications, databases, and data sets are included in the backup schedule. Every system that processes, stores, or transmits data related to Aramco operations must be covered.
- Data classification: Identification of critical vs. non-critical data, with backup frequency and retention requirements defined for each classification level.
- Backup schedule: Specific times and frequencies for each backup type (incremental, differential, full). The schedule must specify daily, weekly, and monthly backup windows.
- Retention periods: How long backups are kept before deletion. SACS-002 expects retention periods aligned with business requirements and regulatory obligations -- typically a minimum of 90 days for operational backups and 1 year for compliance-related data.
- Storage locations: Where backups are stored, including primary and off-site locations, with addresses or datacenter identifiers.
- Encryption standards: The encryption algorithms and key lengths used for backup data at rest and in transit.
- Roles and responsibilities: Named individuals or roles responsible for backup operations, monitoring, and restoration.
- Verification procedures: How and when backup integrity is checked.
- Restoration procedures: Step-by-step instructions for recovering data, including priority order for critical systems.
- Review and update schedule: When the policy is reviewed (minimum annually) and the approval chain for changes.
Auditor tip: The policy must match your actual practices. If your policy says "daily backups at 02:00" but your backup logs show backups running at inconsistent times or missing days, the auditor will flag this as a non-conformity. Policy-to-practice alignment is critical.
RPO and RTO: Definitions and Recommended Targets
Two metrics define your backup and DR posture: Recovery Point Objective (RPO) and Recovery Time Objective (RTO). SACS-002 requires that these values are formally defined, documented, and validated through testing.
Recovery Point Objective (RPO)
RPO defines the maximum acceptable amount of data loss measured in time. An RPO of 24 hours means your organization can tolerate losing up to 24 hours of data. If your last backup was at 02:00 and a failure occurs at 01:00 the next day, you lose 23 hours of data -- within your 24-hour RPO. If the failure occurs at 03:00, you lose 25 hours -- exceeding your RPO.
RPO directly determines your backup frequency. If your RPO is 24 hours, daily backups are sufficient. If your RPO is 4 hours, you need backups every 4 hours or continuous data protection.
Recovery Time Objective (RTO)
RTO defines the maximum acceptable downtime after a disruptive event. An RTO of 4 hours means your systems must be fully operational within 4 hours of a disaster. This includes the time to detect the failure, initiate recovery procedures, restore data from backups, verify system functionality, and resume normal operations.
RTO determines the sophistication of your DR infrastructure. A 4-hour RTO for a complex system typically requires pre-provisioned recovery environments, automated restoration scripts, and rehearsed runbooks. A 24-hour RTO may allow for manual recovery procedures.
Recommended Targets for CCC Compliance
| Data/System Classification | Recommended RPO | Recommended RTO | Backup Frequency |
|---|---|---|---|
| Critical business systems (ERP, financial, CRM with Aramco data) | 4 hours | 4 hours | Every 4 hours (incremental) + daily full |
| Important business systems (email, file servers, project management) | 24 hours | 8 hours | Daily incremental + weekly full |
| Standard business systems (internal tools, development environments) | 24 hours | 24 hours | Daily incremental + weekly full |
| Archival data (historical records, completed project files) | 7 days | 72 hours | Weekly full |
Important: These are recommended targets. SACS-002 does not prescribe exact RPO/RTO values -- it requires that you define them based on a business impact analysis, document them in your DR plan, and prove through testing that you can meet them. The values you choose must be justifiable and achievable.
Backup Frequency: Daily Minimum for Critical Data
SACS-002 establishes a clear floor for backup frequency: critical data must be backed up at least daily. For most vendors working with Aramco, this means every system that touches Aramco-related data needs a backup that runs at minimum once every 24 hours.
Incremental vs. Full Backup Schedules
A practical backup schedule combines incremental and full backups to balance data protection with storage efficiency and backup window constraints:
- Incremental backups capture only the data that has changed since the last backup (incremental or full). They are fast, consume less storage, and can run frequently without impacting system performance. However, restoring from incremental backups requires the last full backup plus every subsequent incremental backup in sequence.
- Differential backups capture all data that has changed since the last full backup. They are larger than incrementals but require only the last full backup plus the most recent differential for restoration.
- Full backups capture the complete data set. They are the simplest to restore from but consume the most storage and take the longest to complete.
Recommended Backup Schedule
| Backup Type | Frequency | Typical Window | Retention |
|---|---|---|---|
| Incremental | Daily (minimum) or every 4-6 hours for critical systems | Off-peak hours (02:00-06:00) | 30 days |
| Full | Weekly | Weekend maintenance window | 90 days |
| Monthly archive | First weekend of each month | Extended maintenance window | 1 year |
| Annual archive | End of fiscal year | Planned downtime window | 7 years (or as required by contract) |
The auditor will verify your backup schedule by examining backup logs, not just your policy document. Backup logs must show consistent execution matching the documented schedule, with timestamps, data volumes, and completion status for each backup job.
Backup Encryption Requirements
SACS-002 requires encryption for backup data in two states: at rest (while stored) and in transit (while being transferred to storage). Unencrypted backups are a critical audit failure because they represent a data exposure risk -- if backup media is lost, stolen, or accessed by unauthorized personnel, the data is immediately readable.
Encryption at Rest
All backup data stored on disk, tape, or cloud storage must be encrypted using strong cryptographic algorithms. The accepted standards are:
- AES-256 -- the industry standard for symmetric encryption of data at rest. This is the minimum requirement for SACS-002 compliance.
- AES-128 -- acceptable but AES-256 is preferred and demonstrates stronger security posture to auditors.
Encryption keys must be managed separately from the backup data. Storing the decryption key alongside the encrypted backup defeats the purpose of encryption. Key management requirements include:
- Encryption keys stored in a separate, access-controlled system (ideally a hardware security module or dedicated key management service)
- Key rotation at least annually
- Key access restricted to authorized backup administrators only
- Key backup and recovery procedures documented and tested
Encryption in Transit
When backup data is transferred from the source system to the backup storage location -- whether over a local network or across the internet to an off-site facility -- the transfer must be encrypted. Accepted protocols include:
- TLS 1.2 or 1.3 -- for backup transfers over HTTPS or other TLS-wrapped protocols
- SSH/SFTP -- for file-based backup transfers
- IPsec VPN -- for encrypting the network tunnel used for backup replication
- WireGuard VPN -- a modern, high-performance alternative to IPsec for site-to-site backup replication
Unencrypted protocols such as FTP, HTTP, or unencrypted rsync are explicitly non-compliant. The auditor will ask for evidence of the encryption protocol used for backup transport -- typically a configuration screenshot from your backup software or network diagram showing the encrypted tunnel.
Off-Site Backup Storage and Geographic Redundancy
Storing all backups in the same physical location as your production systems defeats the purpose of backup. If a fire, flood, power failure, or other disaster destroys your primary site, your backups are destroyed with it. SACS-002 requires that backup copies are maintained at a geographically separate location from the primary data.
What Counts as Off-Site
The off-site storage location must be far enough from the primary site that a single disaster event cannot affect both locations simultaneously. The general guideline is:
- Minimum distance: Different building, ideally different city or region. Two racks in the same datacenter do not qualify as off-site.
- Different risk zone: The off-site location should not share the same flood zone, seismic zone, or power grid as the primary site.
- Independent infrastructure: Separate power supply, network connectivity, and physical security from the primary site.
Geographic Redundancy Best Practices
For vendors handling Aramco data, best practice is to maintain backup copies in at least two geographically distinct locations. This provides protection against regional disasters and ensures data availability even if one backup site experiences an outage.
| Storage Tier | Location | Purpose | Access Speed |
|---|---|---|---|
| Primary backup | Same datacenter, different storage system | Fast recovery for minor incidents | Minutes |
| Off-site replica | Different datacenter, same region | Recovery from site-level failures | Hours |
| Geographic replica | Different region or country | Recovery from regional disasters | Hours to days |
Data sovereignty note: If your Aramco contract includes data residency requirements, ensure that off-site backup locations comply with those requirements. Backing up data to a datacenter outside the permitted jurisdiction may satisfy the geographic redundancy requirement but violate contractual data residency obligations.
DR Testing Requirements: Annual Minimum with Documented Results
Having a disaster recovery plan on paper is not sufficient. SACS-002 requires that your DR plan is tested at a minimum annually, and that the results of each test are documented in a formal report. DR testing proves that your plan actually works -- that your backups are restorable, your recovery procedures are accurate, and your RTO/RPO targets are achievable.
Types of DR Tests
SACS-002 does not prescribe a specific test type, but auditors expect progressively more rigorous testing as your organization matures. The common test types, from least to most rigorous:
- Tabletop exercise: A discussion-based walkthrough of the DR plan with key stakeholders. Participants talk through each step of the recovery process without actually performing any technical operations. This identifies gaps in the plan documentation but does not validate technical recovery capabilities.
- Component test: Individual backup sets are restored to a test environment to verify data integrity and restoration procedures. This validates that backup data is recoverable but does not test the full end-to-end recovery process.
- Simulation test: A realistic disaster scenario is simulated, and the recovery team executes the DR plan in a test environment. Production systems remain online. This validates the full recovery process including team coordination, communication, and technical procedures.
- Full failover test: Production workloads are actually migrated to the DR environment. This is the most rigorous test and the only way to truly validate RTO/RPO targets, but it carries the highest risk to production operations.
For CCC certification, a combination of component testing and simulation testing is typically expected. At minimum, you should demonstrate that:
- Critical system backups can be restored successfully to a functioning state
- Restored data is complete and consistent (integrity verification)
- The restoration was completed within the documented RTO
- The restored data reflects the expected RPO (no more data loss than the RPO allows)
DR Test Documentation Requirements
Every DR test must produce a formal report that includes:
- Test date and duration: When the test was conducted and how long it took
- Test scope: Which systems and data sets were included in the test
- Test scenario: The disaster scenario that was simulated
- Participants: Names and roles of all personnel involved
- Procedures followed: Step-by-step record of actions taken during recovery
- Results: Whether each recovery objective was met (RPO achieved, RTO achieved, data integrity confirmed)
- Issues identified: Any problems encountered during the test, with root cause analysis
- Remediation actions: Corrective actions taken or planned to address identified issues
- Sign-off: Management approval of the test results and any remediation plan
Backup Verification and Integrity Checks
A backup that cannot be restored is not a backup -- it is a false sense of security. SACS-002 requires regular verification that backup data is intact and restorable. This goes beyond simply checking that a backup job completed without errors.
Verification Methods
- Checksum validation: Compare cryptographic checksums (SHA-256 or SHA-512) of backup data against the original source data. Mismatches indicate data corruption during the backup process or in storage.
- Automated restore testing: Periodically restore backup data to an isolated test environment and run automated checks to verify data completeness and application functionality. This is the gold standard for backup verification.
- Backup log analysis: Review backup job logs for warnings, errors, or incomplete transfers. A "completed with warnings" status should be investigated, not ignored.
- Storage media health monitoring: Monitor the health of backup storage media (disk SMART data, tape read error rates, cloud storage provider health dashboards) to detect degradation before it causes data loss.
Recommended Verification Schedule
| Verification Activity | Frequency | Evidence Produced |
|---|---|---|
| Backup job log review | Daily (automated alerts for failures) | Daily status report or monitoring dashboard screenshot |
| Checksum validation | Weekly (for critical systems) | Checksum comparison report |
| Test restoration of sample data | Monthly | Restoration test report with data integrity confirmation |
| Full system restoration test | Quarterly | Full DR test report (see DR testing section above) |
| Storage media health review | Monthly | Storage health report |
Data Restoration Procedures and Testing
Your restoration procedures must be documented in sufficient detail that any qualified member of your IT team can execute them -- not just the person who set up the backup system. If your backup administrator is unavailable during a disaster (a realistic scenario), other team members must be able to restore data following the documented procedures.
Restoration Procedure Documentation
Each restoration procedure should include:
- Prerequisites: Hardware, software, credentials, and network access required before restoration can begin
- Backup location: Exact location of backup files, including access URLs, credentials, and storage paths
- Step-by-step instructions: Numbered steps with commands, screenshots, or configuration parameters for each action
- Verification steps: How to confirm that the restoration was successful -- specific data points to check, services to test, and validation queries to run
- Rollback procedure: What to do if the restoration fails or produces corrupted data
- Communication plan: Who to notify at each stage of the restoration process (management, affected users, Aramco contact if applicable)
- Estimated duration: Expected time for each step and total restoration time, aligned with your RTO target
Restoration Priority Matrix
Not all systems should be restored simultaneously. Your DR plan must define a restoration priority order that reflects business criticality:
| Priority | Systems | Target Restoration Time | Rationale |
|---|---|---|---|
| P1 -- Critical | Core business applications, databases, ERP, financial systems | 0-4 hours | Direct impact on Aramco deliverables and contractual obligations |
| P2 -- High | Email, file servers, collaboration tools, VPN/remote access | 4-8 hours | Required for team communication and continued operations |
| P3 -- Medium | Internal tools, project management, development environments | 8-24 hours | Supports operations but not immediately critical |
| P4 -- Low | Archival systems, reporting dashboards, non-critical web services | 24-72 hours | Can tolerate extended downtime without business impact |
How MassiveGRID's Backup and DR Component Works
Building a SACS-002-compliant backup and disaster recovery infrastructure from scratch requires significant investment in storage hardware, software licensing, network connectivity between sites, and ongoing operational expertise. For small and mid-size vendors, this represents a disproportionate burden relative to their IT budgets.
MassiveGRID's CCC-compliant infrastructure package includes a fully managed Backup and DR component that satisfies every SACS-002 backup requirement out of the box. Here is how each capability maps to the standard's requirements.
Automated Daily Backups
Backups are fully automated with no manual intervention required. The system runs daily incremental backups and weekly full backups on a pre-configured schedule. Backup jobs are monitored 24/7 by MassiveGRID's operations team, with automated alerts for any job failures or anomalies. Every backup generates a timestamped log entry with job status, data volume, duration, and checksum validation results -- ready for auditor review.
Geo-Redundant Storage Across 4 Datacenters
Backup data is automatically replicated across MassiveGRID's network of 4 geographically distributed datacenters (New York, London, Frankfurt, and Singapore). Each datacenter operates on independent power, cooling, and network infrastructure. This architecture ensures that a complete failure at any single site -- or even a regional disaster -- does not result in data loss. The replication process is encrypted end-to-end using AES-256 encryption in transit and at rest.
| Datacenter | Location | Backup Role | Encryption |
|---|---|---|---|
| NYC | New York, USA | Primary + replica target | AES-256 at rest, TLS 1.3 in transit |
| LON | London, UK | Primary + replica target | AES-256 at rest, TLS 1.3 in transit |
| FRA | Frankfurt, Germany | Primary + replica target | AES-256 at rest, TLS 1.3 in transit |
| SIN | Singapore | Primary + replica target | AES-256 at rest, TLS 1.3 in transit |
One-Click Restoration
Data restoration is accessible through MassiveGRID's management portal with a single-click restore interface. You select the backup point (date and time), the target system, and initiate the restoration. The system handles the decryption, data transfer, and integrity verification automatically. For full server restorations, the system provisions a new server instance, restores the complete system image, and validates functionality before making the restored system available.
This eliminates the risk of restoration procedure errors -- one of the most common causes of failed recoveries. The one-click interface means that any authorized team member can initiate a restoration without specialized backup administration knowledge, directly addressing the "bus factor" concern in your DR planning.
DR Testing with Documented Reports
MassiveGRID conducts quarterly DR tests on your behalf and provides comprehensive test reports formatted for CCC audit submission. Each report includes the test date, scope, scenario, step-by-step execution log, restoration time measurements (compared against your RTO target), data integrity verification results, and management sign-off fields. These reports are stored in your compliance documentation portal alongside your backup logs and DR plan.
You can also initiate your own DR tests at any time through the management portal. The system provisions an isolated test environment, restores your selected backup point, and generates a timestamped test report -- all without affecting your production systems.
Configurable Retention Policies
Retention policies are fully configurable through the management portal. You can set different retention periods for daily, weekly, monthly, and annual backups -- matching the tiered retention schedule recommended for SACS-002 compliance. The system automatically manages backup lifecycle, purging expired backups according to your policy while ensuring that the minimum retention requirements are always met.
Default retention settings align with SACS-002 recommendations:
- Daily incrementals: 30 days
- Weekly full backups: 90 days
- Monthly archives: 1 year
- Annual archives: 7 years (configurable)
Encrypted Backup Transport
All backup data transfers use TLS 1.3 encryption in transit. Data at rest in all backup storage locations is encrypted with AES-256. Encryption keys are managed through MassiveGRID's dedicated key management infrastructure, with automatic key rotation and access logging. Customers receive encryption configuration documentation as part of their audit evidence package.
Audit Evidence: What to Prepare for the Assessor
When the CCC auditor reviews your backup and DR controls, they will request specific evidence. Having this evidence organized and readily accessible accelerates the audit and demonstrates mature security practices. The following table outlines what you need.
| Evidence Type | Description | Format | Frequency of Update |
|---|---|---|---|
| Backup policy document | Formal policy covering scope, schedule, encryption, retention, roles, and procedures | PDF with management signature | Annual review (minimum) |
| Backup job logs | Timestamped records of every backup job showing status, volume, duration, and checksum | CSV/PDF export from backup system | Daily (automated) |
| Encryption configuration | Screenshots or configuration exports showing AES-256 at rest and TLS 1.3 in transit | Screenshots + configuration file excerpts | On change |
| Off-site storage evidence | Documentation of backup storage locations showing geographic separation | Datacenter addresses, network diagrams | On change |
| DR plan document | Complete disaster recovery plan with RPO/RTO targets, restoration priorities, and runbooks | PDF with management signature | Annual review (minimum) |
| DR test reports | Formal reports from each DR test including results, issues, and remediation actions | PDF with test execution details | Quarterly (recommended) or annual (minimum) |
| Restoration test records | Records of successful data restoration tests with integrity verification | Test log with screenshots | Monthly (recommended) |
| Key management documentation | Encryption key rotation schedule, access controls, and key recovery procedures | Policy document + audit log | Annual review |
Common Backup-Related Audit Failures
Based on typical CCC assessment findings, these are the most frequent backup and DR failures that result in non-conformities. Each one is avoidable with proper planning and tooling.
1. No Formal Backup Policy
The vendor performs backups but has no written policy document. The auditor asks for the backup policy and receives a blank stare or a verbal explanation. This is an immediate non-conformity. Without a documented policy, there is no baseline for auditing backup practices.
Fix: Create a formal backup policy document covering all required elements (see the documented backup procedures section above). Have it approved by management before the audit.
2. Backups Not Encrypted
The vendor backs up data to an external hard drive or NAS without encryption. If that device is lost, stolen, or accessed by unauthorized personnel, the data is immediately exposed. This fails the encryption at rest requirement.
Fix: Enable AES-256 encryption on all backup storage. If using a managed backup service, verify that encryption is enabled and obtain configuration evidence.
3. No Off-Site Copy
All backups are stored on the same server, in the same rack, or in the same datacenter as the production system. A single physical event (fire, flood, power failure) destroys both the original data and all backups.
Fix: Implement off-site backup replication to a geographically separate location. Verify that the off-site location is truly independent (different power grid, different flood zone).
4. Never Tested Restoration
The vendor has been running backups for months or years but has never actually tested whether those backups can be restored. When the auditor asks for DR test results, there are none. This is one of the most dangerous failures because it means the vendor has no evidence that recovery is actually possible.
Fix: Conduct a restoration test immediately. Start with a component test (restore a single backup set to a test environment) and work toward a full simulation test. Document the results.
5. Backup Logs Show Gaps or Failures
The vendor's backup logs show missed backup windows, failed jobs that were never investigated, or periods with no backup activity at all. Inconsistent backup execution indicates a lack of monitoring and operational discipline.
Fix: Implement automated backup monitoring with immediate alerts for failures. Review backup logs daily. Investigate and resolve every failure within 24 hours. Document the root cause and corrective action for each failure.
6. RPO/RTO Not Defined
The vendor performs backups but has never formally defined RPO or RTO targets. Without these targets, there is no way to measure whether the backup and DR capability is adequate for business needs.
Fix: Conduct a business impact analysis to determine appropriate RPO and RTO values for each system classification. Document these targets in your DR plan and validate them through testing.
7. DR Plan Not Reviewed or Updated
The vendor created a DR plan two years ago but has never reviewed or updated it. Systems have changed, staff have rotated, and the plan references servers that no longer exist. An outdated DR plan is almost as bad as no plan at all.
Fix: Review and update your DR plan at least annually, or whenever significant infrastructure changes occur. Document each review with a date, reviewer names, and change log.
Backup and DR Compliance Checklist
Use this checklist to assess your readiness before the CCC audit. Every item must be addressed for a clean backup and DR assessment.
Policy and Documentation
- Formal backup policy document exists, is approved by management, and is dated within the last 12 months
- Backup policy defines scope, schedule, retention, encryption, storage locations, and roles
- Disaster recovery plan exists with defined RPO and RTO targets for each system classification
- Restoration procedures are documented with step-by-step instructions
- Restoration priority matrix is defined and documented
Technical Controls
- Daily backups are running for all systems that process Aramco-related data
- Both incremental and full backup schedules are configured and running
- Backup data is encrypted at rest using AES-256 (or equivalent)
- Backup transfers are encrypted in transit using TLS 1.2+ or VPN tunnel
- Encryption keys are managed separately from backup data with documented key rotation
- Backup copies exist at a geographically separate off-site location
- Backup retention policies are configured and enforced (minimum 90 days for operational backups)
Testing and Verification
- Backup integrity checks (checksums) run at least weekly for critical systems
- Test restorations are performed at least monthly
- Full DR test has been conducted within the last 12 months
- DR test report exists with results, issues, and remediation actions documented
- All test results demonstrate RPO and RTO targets are achievable
Monitoring and Operations
- Backup job logs are available for the last 12 months with no unexplained gaps
- Automated monitoring alerts are configured for backup job failures
- Failed backup jobs are investigated and resolved within 24 hours, with root cause documented
- Backup schedule matches the documented policy (no discrepancies)
Connecting Backup and DR to the Full CCC Picture
Backup and disaster recovery is one component of a broader SACS-002 compliance posture. It works alongside access controls, network security, email security, endpoint protection, and governance policies to form a complete security framework. A vendor with excellent backup practices but no firewall, no MFA, or no email security will still fail the CCC assessment.
The MassiveGRID Aramco CCC-Compliant Infrastructure Package delivers backup and DR as one integrated component alongside managed firewall, VPN, encrypted file hosting, private email with SPF/DKIM/DMARC, endpoint protection, and MFA-enforced access controls. Every component generates audit evidence automatically, and the entire package is designed to pass SACS-002 technical controls without requiring your team to build and manage the infrastructure independently.
Learn more about the full CCC-compliant infrastructure package →