Migrating backups to cloud storage is a practical way for small businesses to gain durability and offsite protection, but when Controlled Unclassified Information (CUI) is involved you must meet NIST SP 800-171 Rev. 2 / CMMC 2.0 Level 2 expectations for Media Protection, specifically MP.L2-3.8.9 (protect the confidentiality of backup CUI at storage locations). This post gives a step-by-step, technically specific plan to move backups securely while producing the evidence an assessor will ask for.
Requirement and key objectives
The objective of MP.L2-3.8.9 is to protect the confidentiality of backup CUI wherever it is stored, which for cloud backups means the storage service, any staging or replica copies, and the keys that protect them. A migration also touches neighbouring NIST SP 800-171 requirements an assessor will look at together with it: cryptographic protection of CUI in transit (3.8.6 for media in transport, 3.13.8 for transmission), FIPS-validated cryptography (3.13.11), and access control to the repositories and keys. Your migration project must identify which backups contain CUI, ensure confidentiality and integrity at rest and in transit, enforce access controls, and document risk decisions, technical controls, and validation steps so an assessor can confirm compliance.
Implementation checklist (practical steps)
Start with an inventory and classification: enumerate backup sets, label which contain CUI, and record retention periods and sensitivity level. Choose a cloud provider and deployment model that matches the sensitivity: DoD-related CUI (covered defense information under DFARS 252.204-7012) must sit in an environment authorized at FedRAMP Moderate or equivalent, or otherwise DoD-authorized. Technical selection examples: AWS GovCloud or Azure Government for government-focused workloads, or a commercial CSP that can demonstrate FedRAMP Moderate authorization and accepts contractual flow-down for CUI handling.
Implement strong encryption in transit and at rest. For transit use TLS 1.2 or later (prefer 1.3) with mutual authentication for backup gateways, disable legacy cipher suites, and use FIPS-validated TLS implementations and endpoints (for example AWS FIPS endpoints) where 3.13.11 applies. For at-rest protection prefer envelope encryption with customer-controlled keys: AES-256-GCM for the data, with a per-object data key wrapped by an HSM-backed (FIPS 140-2/3 validated) key in AWS KMS (a customer managed key) or Azure Key Vault. Remember that with SSE-S3 and SSE-KMS the provider still performs the decryption on your behalf; for higher assurance implement client-side encryption (e.g., restic or duplicity, with the repository password or GPG key material held in HashiCorp Vault or another local secrets store) so the stored blobs are opaque to the cloud provider, at the cost of owning key availability and recovery yourself. Document the decision: SSE-S3 vs SSE-KMS vs SSE-C vs client-side encryption, and why you chose one for CUI.
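The client-side envelope pattern described above, as an added example that is not code from the original post: a fresh AES-256-GCM data key per backup object, wrapped with a key-encryption key, with the object name bound in as associated data so a blob cannot be swapped in under another name. The KEK is generated locally here and stands in for a key that would really be held in AWS KMS, Azure Key Vault or HashiCorp Vault; the plaintext is a constructed sample. It requires the third-party `cryptography` package.

```python
"""Client-side envelope encryption for one backup object.

Added example, not code from the original post. Assumptions: the
key-encryption key (KEK) is generated locally here and stands in for a key
that would really be held in AWS KMS, Azure Key Vault or HashiCorp Vault;
the sample plaintext is constructed. Requires the third-party
'cryptography' package (pip install cryptography).
"""
import base64
import json
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.keywrap import (InvalidUnwrap,
                                                     aes_key_unwrap,
                                                     aes_key_wrap)

# Stand-in for the KMS/Vault-held wrapping key (assumption; in production it never leaves the HSM).
KEK = AESGCM.generate_key(bit_length=256)


def encrypt_backup(plaintext: bytes, object_name: str, kek: bytes = KEK) -> dict:
    """Encrypt a backup blob under a fresh 256-bit data key (AES-256-GCM).

    The data key is wrapped with the KEK (RFC 3394 AES key wrap) and shipped
    next to the ciphertext, so the cloud provider only ever sees opaque bytes.
    The object name is bound in as associated data so a ciphertext cannot be
    silently swapped in under a different name.
    """
    data_key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)  # 96-bit nonce; the data key is single-use, so no nonce-reuse risk
    ciphertext = AESGCM(data_key).encrypt(nonce, plaintext, object_name.encode())
    return {
        "object": object_name,
        "alg": "AES-256-GCM",
        "nonce": base64.b64encode(nonce).decode(),
        "wrapped_key": base64.b64encode(aes_key_wrap(kek, data_key)).decode(),
        "ciphertext": base64.b64encode(ciphertext).decode(),
    }


def decrypt_backup(envelope: dict, kek: bytes = KEK) -> bytes:
    """Unwrap the data key, then authenticate and decrypt the blob.

    Raises InvalidUnwrap if the wrapped key was altered or the wrong KEK is
    used, and InvalidTag if the nonce, ciphertext or object name was altered.
    """
    data_key = aes_key_unwrap(kek, base64.b64decode(envelope["wrapped_key"]))
    nonce = base64.b64decode(envelope["nonce"])
    ciphertext = base64.b64decode(envelope["ciphertext"])
    return AESGCM(data_key).decrypt(nonce, ciphertext, envelope["object"].encode())


def tamper_detected(envelope: dict, kek: bytes = KEK) -> bool:
    """True when the envelope fails authentication under the given KEK."""
    try:
        decrypt_backup(envelope, kek)
    except (InvalidTag, InvalidUnwrap):
        return True
    return False


def corrupt(envelope: dict, field: str = "ciphertext") -> dict:
    """Copy of the envelope with one bit flipped in a base64 field (for detection checks)."""
    raw = bytearray(base64.b64decode(envelope[field]))
    raw[0] ^= 0x01
    return dict(envelope, **{field: base64.b64encode(bytes(raw)).decode()})


if __name__ == "__main__":
    env = encrypt_backup(b"constructed sample backup bytes", "qb/2024-06-01.qbb")
    print(json.dumps({k: (v if k in ("object", "alg") else v[:12] + "...") for k, v in env.items()}, indent=2))
    print("round trip ok:", decrypt_backup(env) == b"constructed sample backup bytes")
    print("ciphertext bit-flip detected:", tamper_detected(corrupt(env)))
    print("wrong KEK detected:", tamper_detected(env, kek=bytes(32)))
```

Any single-bit change to the ciphertext, nonce, wrapped key or object name, or an attempt to unwrap with a different KEK, fails closed; that is the property you want to be able to demonstrate to an assessor, and it is exactly what a stored-but-unsigned checksum cannot give you.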
Network design, access control, and least privilege
Design the network path to the cloud to reduce exposure: use a dedicated encrypted tunnel (IPsec VPN) or Direct Connect together with private VPC endpoints, and avoid public Internet egress for backups containing CUI. Restrict access through IAM policies and role-based access control: grant backup agents write-only permissions (PutObject but not GetObject or DeleteObject, with restores performed by a separate role), limit key administrators, and enforce MFA for any human access to keys or backup repositories. Technical controls to configure: S3 Block Public Access at account and bucket level, bucket and VPC endpoint policies, IAM conditions (aws:SecureTransport, aws:SourceVpce, aws:SourceIp), and service control policies (SCPs) in multi-account setups. When you pin a bucket to a VPC endpoint with an explicit deny, carve out the named break-glass and administration roles (for example via aws:PrincipalArn) or you will lock out your own operators along with the attackers.
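The bucket-policy guardrails described above, as an added example (not code from the original post or an AWS sample): two explicit Deny statements enforce TLS and the private VPC endpoint no matter what IAM allows elsewhere, a break-glass role is carved out of the endpoint restriction, and one Allow gives the backup agent a write-only path that insists on SSE-KMS. The bucket name, VPC endpoint ID and role ARNs are placeholders. The small evaluator at the end models only the three condition operators the policy uses, so you can check request contexts against the Deny statements before applying the policy.

```python
"""Guardrail bucket policy for a CUI backup bucket, plus a toy check.

Added example, not code from the original post or any AWS sample. The
bucket name, VPC endpoint ID and role ARNs are placeholders (assumptions).
"""
import json
from typing import Optional

BUCKET = "example-cui-backups"                                       # placeholder
VPCE_ID = "vpce-0123456789abcdef0"                                   # placeholder
AGENT_ROLE = "arn:aws:iam::111122223333:role/example-backup-agent"   # placeholder
ADMIN_ROLE = "arn:aws:iam::111122223333:role/example-backup-admin"   # placeholder break-glass role


def cui_backup_bucket_policy(bucket: str = BUCKET, vpce_id: str = VPCE_ID,
                             agent_role: str = AGENT_ROLE, admin_role: str = ADMIN_ROLE) -> dict:
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Explicit deny wins over every allow: no cleartext HTTP, for anyone.
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [arn, f"{arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {   # Only traffic through the private endpoint may touch the bucket,
                # except the named break-glass role (operators in one block are ANDed).
                "Sid": "DenyOutsidePrivateEndpoint",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [arn, f"{arn}/*"],
                "Condition": {
                    "StringNotEquals": {"aws:SourceVpce": vpce_id},
                    "ArnNotEquals": {"aws:PrincipalArn": admin_role},
                },
            },
            {   # Write-only path for the agent: put and abort uploads, never read or
                # delete, and every object must be SSE-KMS encrypted.
                "Sid": "AllowAgentWriteOnly",
                "Effect": "Allow",
                "Principal": {"AWS": agent_role},
                "Action": ["s3:PutObject", "s3:AbortMultipartUpload"],
                "Resource": f"{arn}/*",
                "Condition": {"StringEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
            },
        ],
    }


def _condition_holds(op: str, key: str, want: str, ctx: dict) -> bool:
    """Minimal semantics for the operators used above (not full IAM)."""
    have = ctx.get(key)
    if op == "Bool":
        return have is not None and str(have).lower() == want.lower()
    if op in ("StringEquals", "ArnEquals"):
        return have == want
    if op in ("StringNotEquals", "ArnNotEquals"):
        return have != want  # as in IAM, an absent key also satisfies the "Not" forms
    raise NotImplementedError(op)


def denied_by(policy: dict, ctx: dict) -> Optional[str]:
    """Sid of the first Deny whose conditions all hold for this request context, else None.

    Toy evaluator for review purposes: it assumes Principal/Action/Resource match
    and only models the condition operators present in this policy.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if all(_condition_holds(op, k, v, ctx)
               for op, kv in stmt.get("Condition", {}).items()
               for k, v in kv.items()):
            return stmt["Sid"]
    return None


if __name__ == "__main__":
    policy = cui_backup_bucket_policy()
    print(json.dumps(policy, indent=2))
    via_vpce = {"aws:SecureTransport": "true", "aws:SourceVpce": VPCE_ID, "aws:PrincipalArn": AGENT_ROLE}
    from_internet = {"aws:SecureTransport": "true", "aws:PrincipalArn": AGENT_ROLE}
    print("agent via endpoint denied by:", denied_by(policy, via_vpce))
    print("agent from internet denied by:", denied_by(policy, from_internet))
```

Two things the policy alone does not do: the agent role also needs kms:GenerateDataKey on the customer managed key's key policy or its uploads will fail, and S3 Block Public Access should be switched on at the account level independently of this policy, since a bucket policy can be edited by anyone with s3:PutBucketPolicy.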
Small business example scenario
Example: a 30-person subcontractor moves daily image backups and QuickBooks backups to AWS. They create a separate AWS account for backups, enable AWS Backup with Vault Lock, use SSE-KMS with a customer managed key that lives in a dedicated key-management account, and restrict KMS key administrators to two named senior staff. Their backup agent runs on-prem and reaches S3 only through a VPC endpoint (no public egress). They use lifecycle rules to move older backups to S3 Glacier Deep Archive and enable versioning plus MFA Delete on the bucket to prevent accidental or malicious deletion (MFA Delete can only be turned on by the account root user through the CLI or API, so that procedure, and who holds the root MFA device, goes into the runbook). All of these steps are documented in an implementation guide and added to the System Security Plan (SSP) alongside the NIST mapping.
Integrity, monitoring, and validation
Protect integrity with cryptographic checksums (SHA-256) for every object and a signed manifest for each backup set; keep a copy of the manifest, or at least its signature, outside the backup bucket, because a checksum stored only as object metadata can be rewritten by whoever rewrites the object. Enable comprehensive logging: CSP audit logs (CloudTrail, Azure Activity Log), storage access logs, and KMS key-usage logs, forwarded to a SIEM or log-aggregation service and retained per policy. Periodic restore testing is mandatory: schedule automated full and partial restores to verify backup completeness and readability, and record the results as evidence for compliance.
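The signed-manifest check described above, as an added example (not code from the original post): SHA-256 per object, an HMAC-SHA256 over the manifest body, and a verifier that reports modified, missing and unexpected objects and refuses to trust the entries at all when the signature fails. The HMAC key is a placeholder standing in for a secret kept outside the bucket, and the backup objects are constructed byte strings; it uses only the standard library.

```python
"""Signed manifest for a backup set: per-object SHA-256 plus an HMAC-SHA256
over the manifest body.

Added example, not code from the original post. Assumptions: the HMAC key
stands in for a secret kept outside the backup bucket (KMS, Vault, or an
offline store); the backup objects are constructed byte strings.
"""
import hashlib
import hmac
import json
from typing import Dict, List

MANIFEST_KEY = b"placeholder-manifest-key-kept-outside-the-bucket"  # assumption

# Constructed sample backup set (object name -> content).
SAMPLE_OBJECTS: Dict[str, bytes] = {
    "2024-06-01/server01.img": b"constructed disk image bytes",
    "2024-06-01/quickbooks.qbb": b"constructed QuickBooks backup bytes",
}


def sha256_hex(data: bytes) -> str:
    # For real backups feed the file through hashlib in chunks rather than reading it whole.
    return hashlib.sha256(data).hexdigest()


def _canonical(entries: dict) -> bytes:
    # Deterministic encoding so the HMAC covers exactly what the verifier re-encodes.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(objects: Dict[str, bytes], key: bytes = MANIFEST_KEY) -> dict:
    """Hash every object and sign the entry table with the out-of-band key."""
    entries = {name: {"sha256": sha256_hex(data), "size": len(data)}
               for name, data in sorted(objects.items())}
    return {"entries": entries,
            "hmac_sha256": hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()}


def verify_backup_set(manifest: dict, objects: Dict[str, bytes],
                      key: bytes = MANIFEST_KEY) -> List[str]:
    """Return findings ('modified:', 'missing:', 'unexpected:'); an empty list means intact.

    The signature is checked first: if it fails, the entries themselves cannot
    be trusted, so nothing else is reported.
    """
    expected = hmac.new(key, _canonical(manifest["entries"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac_sha256"]):
        return ["manifest signature invalid"]
    findings = []
    for name, meta in manifest["entries"].items():
        if name not in objects:
            findings.append(f"missing: {name}")
        elif len(objects[name]) != meta["size"] or sha256_hex(objects[name]) != meta["sha256"]:
            findings.append(f"modified: {name}")
    findings.extend(f"unexpected: {name}" for name in sorted(objects)
                    if name not in manifest["entries"])
    return findings


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_OBJECTS)
    print(json.dumps(manifest, indent=2))
    print("intact:", verify_backup_set(manifest, SAMPLE_OBJECTS))
    tampered = dict(SAMPLE_OBJECTS, **{"2024-06-01/quickbooks.qbb": b"altered"})
    print("after tampering:", verify_backup_set(manifest, tampered))
```

Run this verifier as the first step of every scheduled restore test and keep its output with the restore evidence: a clean result proves the set you restored is the set you wrote, which is the integrity half of the evidence an assessor will want next to the confidentiality controls.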
Retention, disposal, and contractual controls
Define retention consistent with contracts and NARA/DoD guidance where applicable. Implement automated lifecycle policies to expire backups and enforce secure deletion: cryptographic erasure (destroying the data key, or scheduling KMS key deletion, which imposes a 7 to 30 day waiting period that your disposal record should reflect) or object deletion once the retention window closes. Where backups leave organizational control (e.g., a third-party backup operator), include contractual flow-down clauses requiring FedRAMP Moderate or equivalent, incident-notification SLAs short enough to meet your own 72-hour DFARS 252.204-7012 reporting obligation, and the right to audit. Keep a documented chain of custody for any physical media movement and for administrative key changes.
Risks of not implementing MP.L2-3.8.9
Failure to protect backup media containing CUI exposes your organization to data exfiltration, compromise of sensitive technical or personal information, loss of contracts, and regulatory penalties. Technically, weak encryption, misconfigured buckets, or poor key management can lead to unauthorized access; operationally, missing restore tests or lack of documented controls will show up in audits and assessments, potentially leading to findings or decertification under CMMC/NIST evaluations.
Summary: To migrate backups securely while protecting CUI under NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 MP.L2-3.8.9, perform a classification and inventory, choose an authorized CSP, use strong in-transit and at-rest encryption with customer-controlled keys, restrict and monitor access, test restores regularly, and document every design/operational decision in your SSP and evidence packages—these concrete steps minimize risk and create a clear audit trail for assessors.