CMMC Practice MP.L2-3.8.9 – Protect Backups: Protect the confidentiality of backup CUI at storage locations.
Discussion [NIST SP 800-171 R2]
Organizations can employ cryptographic mechanisms or alternative physical controls to protect the confidentiality of backup information at designated storage locations. Backed-up information containing CUI may include system-level information and user-level information. System-level information includes system-state information, operating system software, application software, and licenses. User-level information includes information other than system-level information.
You protect CUI to ensure that it remains private (confidentiality) and unchanged (integrity). Methods to ensure confidentiality may include:
- encrypting files or media;
- managing who has access to the information; and
- physically securing devices and media that contain CUI.
Storage locations for information are varied, and may include:
- external hard drives;
- USB drives;
- magnetic media (tape cartridge);
- optical disk (CD, DVD);
- Network Attached Storage (NAS);
- servers; and
- cloud backup.
This practice, MP.L2-3.8.9, requires protecting the confidentiality of backup information at storage locations.