CMMC Practice MP.L2-3.8.9

Protect the confidentiality of backup CUI at storage locations.

Bold Coast Security Guidance

There must be a practice to physically and logically secure backup data and media. This might include encrypting backup media using FIPS validated encryption, and also physically securing backup media to prevent against unauthorized access. A formal written policy must require specific backup practices. More prevalent currently is backup to a cloud managed service, where encryption may still be user-controlled, but physical security controls are the responsibility of the provider. Outsourcing responsibility, however, does not outsource risk or accountability.
Security Catapult

Be prepared for CMMC

Our Q&A assessment tool is designed by security advisors for MSPs and DoD contractors of all sizes.

Try now for free

Understand your gaps
Security Catapult

Understand your gaps

See compliance gaps, compliance scores and proactive security tasks in a single interface.

Try now for free

Validate NIST SP 800-171
Security Catapult

Validate NIST SP 800-171

Based on your CMMC answers, we let you know where you stand on NIST.

Try now for free

Build a plan of action
Security Catapult

Build a plan of action

Track your burn down and stay on top of security needs.

Try now for free

Build your policy
Security Catapult

Build your policy

Say goodbye to maintaining a security policy. We do it for you.

Try now for free

Discussion From Source

DRAFT NIST SP 800-171 R2 Organizations can employ cryptographic mechanisms or alternative physical controls to protect the confidentiality of backup information at designated storage locations. Backed-up information containing CUI may include system-level information and user-level information. System-level information includes system-state information, operating system software, application software, and licenses. User-level information includes information other than system-level information.

References