MP.L2-3.8.9 Protect Backups - DIB SCC CyberAssist

CMMC Practice MP.L2-3.8.9 – Protect Backups: Protect the confidentiality of backup CUI at storage locations.

Links to Publicly Available Resources

Acronis – What is a Backup? (Data Backup)
This comprehensive data backup blog explains what a data backup is, why every organization needs one, and some data backup options to consider.
CMMC Level 2 Assessment Guide
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2.
Gartner – Data Center Backup and Recovery Solutions
Gartner product listing and reviews of data backup and recovery solutions
Mimecast – 8 Ways To Protect Backups From Ransomware Attacks
Here are eight ways to protect your organization’s backup data from ransomware attacks.
NIST SP 800-53: CP–9 Information System Backup
NIST resource that defines requirements for system backup activities.
Ntiva – CMMC Section 3.8: Media Protection
This article breaks down CMMC Section 3.8, which focuses on the media protection for media that contains controlled unclassified information (CUI)
TechTarget – What is data backup? An in-depth guide
A comprehensive guide to planning, developing and executing a successful data backup strategy.
U.S. General Services Administration – IT Security Procedural Guide: Media Protection (MP) CIO-IT Security-06-32
This GSA-IT Security MP Procedurals reference provides guidance for the MP security controls identified in NIST SP 800-53 and federal contractor media protection requirements.
US-CERT – Data Backup Options
This paper summarizes the pros, cons, and security considerations of backup options for critical personal and business data.
Veritas – Backup and Recovery of Data: The Essential Guide for Businesses
A comprehensive guide to data backups within your business’s disaster recovery plan.

Discussion [NIST SP 800-171 R2]
Organizations can employ cryptographic mechanisms or alternative physical controls to protect the confidentiality of backup information at designated storage locations. Backed-up information containing CUI may include system-level information and user-level information. System-level information includes system-state information, operating system software, application software, and licenses. User-level information includes information other than system-level information.

Further Discussion
You protect CUI to ensure that it remains private (confidentiality) and unchanged (integrity). Methods to ensure confidentiality may include:

encrypting files or media;
managing who has access to the information; and
physically securing devices and media that contain CUI.

Storage locations for information are varied, and may include:

external hard drives;
USB drives;
magnetic media (tape cartridge);
optical disk (CD, DVD);
Networked Attached Storage (NAS);
servers; and
cloud backup

This practice, MP.L2-3.8.9, requires the confidentiality of backup information at storage locations.