Protect the confidentiality of backup CUI at storage locations.
Bold Coast Security Guidance
There must be a practice to physically and logically secure backup data and media. This might include encrypting backup media using FIPS-validated encryption and physically securing backup media to prevent unauthorized access. A formal written policy must require specific backup practices.
Backup to a cloud managed service is now more prevalent. There, encryption may still be user-controlled, but physical security controls are the responsibility of the provider. Outsourcing responsibility, however, does not outsource risk or accountability.
DRAFT NIST SP 800-171 R2
Organizations can employ cryptographic mechanisms or alternative physical controls to protect the confidentiality of backup information at designated storage locations. Backed-up information containing CUI may include system-level information and user-level information. System-level information includes system-state information, operating system software, application software, and licenses. User-level information includes information other than system-level information.