CMMC v2.11 Practices

MP.L2-3.8.9  

Reference: CMMC v2.11

Family: MP

Level Introduced: 2

Title: Protect Backups

Practice:
Protect the confidentiality of backup CUI at storage locations.

Further Discussion:
You protect CUI to ensure that it remains private (confidentiality) and unchanged (integrity). Methods to ensure confidentiality may include:
• encrypting files or media;
• managing who has access to the information; and
• physically securing devices and media that contain CUI.

Storage locations for information are varied, and may include:
• external hard drives;
• USB drives;
• magnetic media (tape cartridge);
• optical disk (CD, DVD);
• Network Attached Storage (NAS);
• servers; and
• cloud backup.

This requirement, MP.L2-3.8.9, requires that the confidentiality of backup information be protected at storage locations.

Example
You are in charge of protecting CUI for your company. Because the company’s backups contain CUI, you work with IT to protect the confidentiality of backup data. You agree to encrypt all CUI data as it is saved to an external hard drive [a].

Potential Assessment Considerations
• Are data backups encrypted on media before removal from a secured facility [a]?
• Are cryptographic mechanisms FIPS validated [a]?

Source: CMMC v2.11