CMMC Practice RE.2.138
Protect the confidentiality of backup CUI at storage locations.
Bold Coast Security Guidance
For Level 1 compliance there must be a practice to physically and logically secure backup data and media. This might include encrypting backup media, which most backup software is capable of, and physically securing backup media to prevent unauthorized access. For Level 2 compliance, a formal written policy must require specific backup practices.
Backup to a cloud-managed service is now more prevalent; there, encryption may still be user-controlled, but physical security controls are the responsibility of the provider. Outsourcing responsibility, however, does not outsource risk or accountability.
DRAFT NIST SP 800-171 R2
Organizations can employ cryptographic mechanisms or alternative physical controls to protect the confidentiality of backup information at designated storage locations. Backed-up information containing CUI may include system-level information and user-level information. System-level information includes system-state information, operating system software, application software, and licenses. User-level information includes information other than system-level information.
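The following is an added example, not part of the CMMC practice text, the Bold Coast guidance, or NIST SP 800-171, illustrating the "cryptographic mechanisms" option above and the user-controlled encryption mentioned for cloud-managed backup. It seals a constructed backup blob with AES-256-GCM before it is written to the storage location, binds the backup set identifier to the ciphertext, and refuses to restore a blob that has been altered. The function names, the sample content, and the backup identifier are assumptions made for this example; the key is generated here only to make the program self-contained, and in practice it must be held by the organization (key vault, HSM, offline media), never alongside the backup copy at the storage location.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample standing in for a backup archive that contains CUI.
// In practice this would be the tar/zip stream produced by the backup tool.
var sampleBackup = []byte("backup-set-2024-01 (constructed): user files, system state, licence keys")

// NewBackupKey returns a random 256-bit key for AES-256-GCM. The key must be
// stored separately from the backup media; otherwise encryption adds nothing
// to the confidentiality of the backup at the storage location.
func NewBackupKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealBackup encrypts a backup blob with AES-256-GCM. backupID is passed as
// additional authenticated data, so a ciphertext taken from one backup set
// cannot be restored under another set's identifier. The stored layout is
// nonce || ciphertext || tag, with a fresh random nonce per backup.
func SealBackup(key, plaintext []byte, backupID string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(backupID)), nil
}

// OpenBackup decrypts and verifies a sealed backup. Any modification of the
// stored blob, or a mismatched backupID, fails authentication and returns an
// error rather than silently restoring corrupted or substituted data.
func OpenBackup(key, sealed []byte, backupID string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed backup too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(backupID))
}

// LeaksPlaintext reports whether a stored blob still contains a known
// plaintext fragment: a cheap sanity check that what reached the storage
// location is ciphertext and not the raw archive.
func LeaksPlaintext(stored, fragment []byte) bool {
	return bytes.Contains(stored, fragment)
}

func main() {
	key, err := NewBackupKey()
	if err != nil {
		panic(err)
	}
	sealed, err := SealBackup(key, sampleBackup, "backup-set-2024-01")
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d bytes, plaintext visible at rest: %v\n",
		len(sealed), LeaksPlaintext(sealed, []byte("licence keys")))

	restored, err := OpenBackup(key, sealed, "backup-set-2024-01")
	fmt.Printf("restore ok: %v, matches original: %v\n", err == nil, bytes.Equal(restored, sampleBackup))

	// Simulate a single flipped byte on the stored media.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = OpenBackup(key, tampered, "backup-set-2024-01")
	fmt.Printf("tampered restore rejected: %v\n", err != nil)
}
```

The design point for this practice is the separation: the storage location (tape safe, offsite vault, or cloud bucket) holds only the sealed blob, while the key lives with the organization, so a lost tape or a provider-side exposure yields ciphertext only. The authenticated mode also gives the restore procedure an integrity check for free, which a plain encryption mode would not.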