Requirement
NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - MP.L2-3.8.9 – Protect the confidentiality of backup “Controlled Unclassified Information” (CUI) at storage locations.
Understanding the Requirement
This control requires that any backups containing Controlled Unclassified Information (CUI) be protected so that unauthorized parties cannot read the data at rest in the locations where it is stored. In practice, that means encrypting the media on which backups reside, keeping the physical storage locations secure, and restricting access to authorized personnel only, so that the confidentiality objective is maintained for the full life of the backup.
Technical Implementation
- Encrypt backup media at rest: Use industry-accepted, strong encryption (AES-256 or equivalent) for all backup images and backup volumes. For local disk backups, enable full-disk encryption (FDE) or container-level encryption (FDE protects media that is powered off, unmounted or removed; on a running backup server, access controls still do the work); for file-level backups, use encrypted archive formats with authenticated encryption so that tampering is detected on restore.
- Use key management and separation of duties: Store encryption keys in a managed key store or HSM (hardware security module) or a cloud KMS. Limit key access to a small set of roles (e.g., security officer, designated admin) and log all key usage. Do not store keys on the same device as the backups.
- Protect physical storage locations: Keep backup media (external drives, tapes, removable media) in a locked room, cabinet, or safe with controlled entry. Maintain an inventory, sign-in/sign-out procedures, and regular audits for physical media.
- Secure cloud and third-party backups: If you use cloud backup services, enable client-side encryption before upload, or ensure the provider offers strong server-side encryption and can demonstrate that keys are held separately from the stored data. Include encryption and confidentiality requirements in vendor contracts and verify them periodically.
- Access control and logging: Restrict who can read, restore, or export backups through role-based access controls and multifactor authentication. Enable detailed logging and regular review of backup access and restore events to detect unauthorized attempts.
- Test restores and validate encryption: Periodically perform restore drills to verify backups are both recoverable and remain encrypted in storage. Confirm key retrieval and decryption processes work under normal and disaster scenarios; document procedures.
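As an added illustration (not part of the control text or of any vendor product), the Go program below shows the file-level pattern the bullets above describe: AES-256-GCM authenticated encryption of a backup archive with the key supplied by the caller rather than stored with the image, a fail-closed restore path for drills, and a key-free check that an image at rest is still encrypted. The image layout, the `CUIBK1` header, the `backupSet` label and the function names are this example's own assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// The 32-byte key comes from the caller (e.g. a KMS) and is never stored with the image.
const magic = "CUIBK1" // assumed layout (constructed for this example): magic | 12-byte nonce | ciphertext+tag

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 { // the control calls for AES-256: refuse shorter keys
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	return cipher.NewGCM(block)
}

// EncryptBackup seals an archive; backupSet is bound as associated data so an image cannot be swapped between sets.
func EncryptBackup(key, archive []byte, backupSet string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(append([]byte(magic), nonce...), nonce, archive, []byte(backupSet)), nil
}

// DecryptBackup is the restore path: wrong key, wrong backup set or any modified byte makes Open fail closed.
func DecryptBackup(key, image []byte, backupSet string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	hdr := len(magic) + gcm.NonceSize()
	if len(image) < hdr+gcm.Overhead() || string(image[:len(magic)]) != magic {
		return nil, errors.New("not a protected backup image")
	}
	return gcm.Open(nil, image[len(magic):hdr], image[hdr:], []byte(backupSet))
}

// ValidateStoredImage is the periodic "still encrypted at rest" check; it needs no key, so auditors can run it.
func ValidateStoredImage(image, marker []byte) bool {
	return bytes.HasPrefix(image, []byte(magic)) && !bytes.Contains(image, marker)
}
```

A restore drill is then `DecryptBackup` against the stored image with the key fetched from the KMS at drill time, while the quarterly at-rest audit only needs `ValidateStoredImage` and therefore no key access.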
Example in a Small or Medium Business
An SMB with a file server that contains CUI implements this control by changing its backup process. Backups are created nightly to an encrypted backup volume on a central backup server (AES-256) and simultaneously replicated to an encrypted cloud bucket where client-side encryption is applied before transfer. The backup encryption keys are managed in a company KMS with access limited to the IT security lead and the senior systems administrator; keys are never stored on the backup server. Physical backup media (monthly snapshots on external drives) are stored in a locked cabinet in the on-site IT room with access logged and limited to authorized staff. Vendor contracts for the cloud provider include explicit encryption and key-handling requirements and the company performs quarterly audits to verify compliance. Every quarter the IT team carries out a restore test from both the local encrypted volume and the cloud backup to confirm decryptability and recovery time objectives. Staff with information security responsibilities and system administrators receive brief, documented procedures for key handling and backup access to ensure separation of duties and to minimize the risk of accidental exposure.
Summary
Protecting backup CUI requires a combination of encryption, strong key management, physical security, access controls, vendor oversight, and routine testing. For SMBs, practical steps such as encrypting backup volumes with AES-256, using a KMS for key separation, storing physical media in locked facilities, limiting and logging access, and conducting periodic restore tests will satisfy the confidentiality objective while keeping procedures manageable and auditable.