MP.L2-3.8.9 Protect Backups

CMMC Practice MP.L2-3.8.9 – Protect Backups: Protect the confidentiality of backup CUI at storage locations.

Discussion [NIST SP 800-171 R2]
Organizations can employ cryptographic mechanisms or alternative physical controls to protect the confidentiality of backup information at designated storage locations. Backed-up information containing CUI may include system-level information and user-level information. System-level information includes system-state information, operating system software, application software, and licenses. User-level information includes information other than system-level information.

Further Discussion
You protect CUI to ensure that it remains private (confidentiality) and unchanged (integrity). Methods to ensure confidentiality may include:

  • encrypting files or media;
  • managing who has access to the information; and
  • physically securing devices and media that contain CUI.

Storage locations for information are varied, and may include:

  • external hard drives;
  • USB drives;
  • magnetic media (tape cartridge);
  • optical disk (CD, DVD);
  • Network Attached Storage (NAS);
  • servers; and
  • cloud backup.

This practice, MP.L2-3.8.9, requires protecting the confidentiality of backup information at storage locations.
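
One way to audit a backup storage location against two of the methods listed above, encryption and access management (an added example, not part of the CMMC or NIST text). The file names and sample contents are constructed; the header signatures are the published magics for LUKS, age, armored OpenPGP, gzip, SQLite and tar.

```python
import os, stat, tempfile

# Published header magics; "encrypted" entries are checked before plaintext ones.
SIGNATURES = [
    (b"LUKS\xba\xbe", "encrypted", "LUKS volume"),
    (b"age-encryption.org/v1", "encrypted", "age file"),
    (b"-----BEGIN PGP MESSAGE-----", "encrypted", "armored OpenPGP"),
    (b"\x1f\x8b", "plaintext", "gzip"),
    (b"SQLite format 3\x00", "plaintext", "SQLite database"),
]

def classify(path):
    """Return (kind, format) from the first bytes of a backup file."""
    with open(path, "rb") as f:
        head = f.read(512)
    for magic, kind, name in SIGNATURES:
        if head.startswith(magic):
            return kind, name
    if head[257:262] == b"ustar":  # tar magic sits at offset 257
        return "plaintext", "tar"
    return "unknown", "unrecognized header"

def audit(root):
    """Flag files that are not verifiably encrypted or are open to 'other'."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            kind, fmt = classify(path)
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if kind != "encrypted":
                findings.append((name, f"not verifiably encrypted ({fmt})"))
            if mode & 0o007:
                findings.append((name, f"accessible to 'other' (mode {mode:o})"))
    return findings

def demo():
    """Audit three constructed sample files (not real backups)."""
    samples = {
        "db.sql.gz": (b"\x1f\x8b\x08\x00" + b"\0" * 16, 0o600),
        "home.tar.age": (b"age-encryption.org/v1\n-> X25519 (constructed)\n", 0o644),
        "vol.img": (b"LUKS\xba\xbe\x00\x02" + b"\0" * 32, 0o600),
    }
    with tempfile.TemporaryDirectory() as root:
        for name, (data, mode) in samples.items():
            p = os.path.join(root, name)
            with open(p, "wb") as f:
                f.write(data)
            os.chmod(p, mode)
        return audit(root)
```

A recognized header only shows the container format and says nothing about key management. Files reported as unknown (for example binary OpenPGP output, which has no fixed magic string) need manual review.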