MP.L2-3.8.9
-
Requirement
Protect the confidentiality of backup CUI at storage locations.
-
Discussion
Organizations can employ cryptographic mechanisms or alternative physical controls to protect the confidentiality of backup information at designated storage locations. Backed-up information containing CUI may include system-level information and user-level information. System-level information includes system-state information, operating system software, application software, and licenses. User-level information includes information other than system-level information.
-
Further Discussion
You protect CUI to ensure that it remains private (confidentiality) and unchanged (integrity). Methods to ensure confidentiality may include:
- encrypting files or media;
- managing who has access to the information; and
- physically securing devices and media that contain CUI.
Storage locations for information are varied, and may include:
- external hard drives;
- USB drives;
- magnetic media (tape cartridge);
- optical disk (CD, DVD);
- Network Attached Storage (NAS);
- servers; and
- cloud backup.
This requirement, MP.L2-3.8.9, requires that the confidentiality of backup information be protected at its storage locations.
Example
You are in charge of protecting CUI for your company. Because the company's backups contain CUI, you work with IT to protect the confidentiality of backup data. You agree to encrypt all CUI data as it is saved to an external hard drive [a].
Potential Assessment Considerations
- Are data backups encrypted on media before removal from a secured facility [a]?
- Are cryptographic mechanisms FIPS validated [a]?
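A check for the first consideration above, added here as an example and not part of the CMMC guidance: a Python script that walks a backup mount and flags files carrying plaintext or plain-archive signatures, or whose byte entropy is too low to be ciphertext. The signature tables and the 7.5 bits/byte threshold are assumptions; a high-entropy result is only consistent with encryption and says nothing about whether the mechanism is FIPS validated, which must be confirmed from the backup configuration.

```python
"""Heuristic audit of a backup storage location for unencrypted files."""
import math
import os
from collections import Counter

# Assumed signature tables: common unencrypted backup formats and one
# encrypted container header (`openssl enc -salt` writes "Salted__").
PLAIN_SIGNATURES = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip",
    b"BZh": "bzip2",
    b"\xfd7zXZ\x00": "xz",
    b"SQLite format 3\x00": "sqlite",
}
ENCRYPTED_SIGNATURES = {b"Salted__": "openssl-enc"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; ciphertext approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes, threshold: float = 7.5) -> str:
    """Label a file sample; the threshold is an assumed cut-off."""
    for sig, name in ENCRYPTED_SIGNATURES.items():
        if data.startswith(sig):
            return "encrypted:" + name
    for sig, name in PLAIN_SIGNATURES.items():
        if data.startswith(sig):
            return "unencrypted-archive:" + name
    if len(data) >= 262 and data[257:262] == b"ustar":  # POSIX/GNU tar magic
        return "unencrypted-archive:tar"
    if shannon_entropy(data) < threshold:
        return "plaintext"
    return "high-entropy"  # consistent with encryption, not proof of it


def audit_backup_dir(root: str, sample_bytes: int = 65536) -> dict:
    """Map each file under root (relative path) to its classification."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                findings[os.path.relpath(path, root)] = classify(fh.read(sample_bytes))
    return findings
```

Anything reported as plaintext or unencrypted-archive on removable media is a direct finding against this requirement; gzip and xz archives are flagged by signature because compression alone also yields high entropy.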