NetStable
Level 2 MP.L2-3.8.9

Protect the confidentiality of backup CUI at storage locations

📖 What This Means

This control requires organizations to ensure that backup copies of Controlled Unclassified Information (CUI) are properly protected when stored, whether on-site or off-site. This means applying cryptographic mechanisms or equivalent physical safeguards to prevent unauthorized access to backup media. For example, backup tapes stored in a secure facility should be encrypted, or if stored in a vault, the physical security of that vault must be sufficient to protect the confidentiality of the data. This ensures that even if backup media is compromised (stolen, lost, or accessed by unauthorized personnel), the CUI remains protected.

🎯 Why It Matters

Backup copies of CUI are prime targets for adversaries because they often contain complete system-level and user-level information, including sensitive defense data, intellectual property, and personal information. The 2021 Colonial Pipeline ransomware attack highlighted how backup compromise can cripple recovery efforts and lead to millions in losses. For DoD contractors, unprotected backups can result in data breaches that violate CMMC requirements, leading to contract loss and significant fines. According to IBM's Cost of a Data Breach Report, stolen backup media contributed to breaches costing an average of $4.35 million. The DoD requires this control because backup systems are often overlooked in security implementations, yet they provide a complete copy of all CUI, making them extremely valuable to adversaries targeting the defense supply chain.

✅ How to Implement

  1. Enable encryption at rest for all cloud backup services (AWS Backup, Azure Backup, Google Cloud Storage) using customer-managed keys (CMK).
  2. Configure backup retention policies in the cloud console to automatically encrypt snapshots and archives.
  3. Use cloud-native key management services (AWS KMS, Azure Key Vault, Google Cloud KMS) to manage encryption keys with proper access controls.
  4. Enable versioning and replication for backup storage buckets with encryption enabled.
  5. Implement access logging for backup storage locations using CloudTrail (AWS), Azure Monitor, or Cloud Audit Logs (GCP).
  6. Set up alerts for unauthorized access attempts to backup storage.
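Steps 1, 3, 4 and 5 above are all settings that can be read back from the cloud provider and checked mechanically, which is also how the "Backup Encryption Configuration" evidence is usually gathered. The following added example (not NetStable's or AWS's code) evaluates the JSON that the AWS CLI returns for `aws s3api get-bucket-encryption`, `get-bucket-versioning` and `get-bucket-logging` on a backup bucket and reports which of those expectations fail. The two bucket configurations, the bucket names, the account id 111122223333 and the key ARN are constructed placeholders, not real identifiers.

```python
"""Audit a backup bucket's storage settings against MP.L2-3.8.9.

Added example, not NetStable's or AWS's code. It evaluates the JSON documents
returned by (bucket name is a placeholder):

    aws s3api get-bucket-encryption --bucket EXAMPLE-BUCKET
    aws s3api get-bucket-versioning --bucket EXAMPLE-BUCKET
    aws s3api get-bucket-logging    --bucket EXAMPLE-BUCKET

The sample documents below are constructed; account id and key ARN are placeholders.
"""
from dataclasses import dataclass, field


@dataclass
class BucketAudit:
    bucket: str
    issues: list = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not self.issues


def is_customer_managed_key(key_id: str) -> bool:
    """The AWS-managed S3 key is referenced as 'aws/s3' or 'alias/aws/s3';
    any other key id or ARN is treated as a customer-managed key (CMK)."""
    return bool(key_id) and not key_id.endswith("aws/s3")


def audit_bucket(bucket: str, encryption: dict, versioning: dict, logging: dict) -> BucketAudit:
    """Check SSE-KMS with a CMK (steps 1 and 3), versioning (step 4) and
    server access logging (step 5) from the three API documents."""
    result = BucketAudit(bucket)

    rules = encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        result.issues.append("no default encryption rule returned")
    else:
        default = rules[0].get("ApplyServerSideEncryptionByDefault", {})
        algorithm = default.get("SSEAlgorithm")
        if algorithm != "aws:kms":
            result.issues.append(f"default encryption is {algorithm!r}, expected 'aws:kms'")
        elif not is_customer_managed_key(default.get("KMSMasterKeyID", "")):
            result.issues.append("SSE-KMS uses the AWS-managed aws/s3 key, not a CMK")

    if versioning.get("Status") != "Enabled":
        result.issues.append("versioning is not enabled")

    if "LoggingEnabled" not in logging:
        result.issues.append("server access logging is not enabled")

    return result


# Constructed sample responses for two buckets (placeholder names and ARNs).
SAMPLE_BUCKETS = {
    "cui-backups-prod": {  # configured as the implementation steps describe
        "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [{
            "ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"},
            "BucketKeyEnabled": True}]}},
        "versioning": {"Status": "Enabled"},
        "logging": {"LoggingEnabled": {"TargetBucket": "cui-access-logs", "TargetPrefix": "backups/"}},
    },
    "cui-backups-legacy": {  # provider defaults: SSE-S3 key, no versioning, no logging
        "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [{
            "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
        "versioning": {},
        "logging": {},
    },
}


def audit_samples() -> dict:
    """Return {bucket: [issues]} for the constructed samples."""
    return {name: audit_bucket(name, cfg["encryption"], cfg["versioning"], cfg["logging"]).issues
            for name, cfg in SAMPLE_BUCKETS.items()}


if __name__ == "__main__":
    for bucket, issues in audit_samples().items():
        print(bucket, "COMPLIANT" if not issues else "GAPS: " + "; ".join(issues))
```

Run it against the saved CLI output for each bucket in the "Backup Media Inventory" and keep the printed result with the quarterly evidence. Note that a bucket with no encryption configuration at all makes `get-bucket-encryption` fail rather than return an empty document, so a wrapper that runs the CLI should treat that error as "no default encryption rule returned".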
⏱️ Estimated Effort

Implementation typically takes 3-5 days for cloud environments and 5-10 days for on-premise, requiring intermediate to advanced security and backup administration expertise.

📋 Evidence Examples

Backup Encryption Configuration

Format: Screenshot/PDF
Frequency: Quarterly or during audits.
Contents: Screenshots showing encryption enabled for all backup jobs, with encryption algorithm and key management documented.
Collection: Export from backup management console or cloud backup service.

Backup Storage Security Policy

Format: PDF
Frequency: Annually or when updated.
Contents: Policy document describing encryption requirements, physical security controls, and access restrictions for backup storage locations.
Collection: Export from document management system.

Backup Media Inventory

Format: Excel/CSV
Frequency: Monthly.
Contents: Inventory of all backup media (tapes, disks, cloud storage) with encryption status, storage location, and access controls documented.
Collection: Export from backup management system or maintain manually.

Off-Site Storage Facility Agreement

Format: PDF
Frequency: When renewed.
Contents: Contract or agreement with third-party storage provider documenting their security measures and encryption requirements.
Collection: Copy of signed agreement.

Backup Access Logs

Format: CSV/JSON
Frequency: Monthly.
Contents: Logs showing access attempts to backup storage locations, including successful and failed access events.
Collection: Export from cloud logging service (CloudTrail, Azure Monitor) or backup system logs.

πŸ“ SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For MP.L2-3.8.9 ("Protect the confidentiality of backup CUI at storage locations"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe how CUI on media is protected throughout its lifecycle, including encryption, access controls, marking, transport procedures, sanitization methods, and accountability tracking. Be specific -- name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"MP.L2-3.8.9 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to protect the confidentiality of backup CUI at storage locations. The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."

On-Premise

"MP.L2-3.8.9 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to protect the confidentiality of backup CUI at storage locations. Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."

Hybrid

"MP.L2-3.8.9 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

  • Identify all removable media types within the CUI boundary
  • Document media storage locations (on-site, off-site)
  • Specify media sanitization and destruction methods
  • Ensure this control covers all systems within your defined CUI boundary where protecting the confidentiality of backup CUI at storage locations applies
  • Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

  • 📄 Media Protection Policy
  • 📄 Media inventory database
  • 📄 Certificates of destruction
  • 📄 Transport chain-of-custody records
  • 📄 Evidence artifacts specific to MP.L2-3.8.9
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will check for CUI markings on media, verify encryption is enabled, review the media inventory for completeness, and examine destruction certificates.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Are all backups containing CUI encrypted at rest using FIPS-validated cryptography?

✅ YES → Proceed to Q2.
❌ NO → GAP: Enable encryption for all backup jobs immediately. Prioritize backups containing CUI.
Remediation:
Use cloud-native encryption (AWS KMS, Azure Key Vault) or backup software encryption features (Veeam, NetBackup).

Question 2: Are encryption keys for backup data stored separately from the backup media and properly managed?

✅ YES → Proceed to Q3.
❌ NO → GAP: Implement proper key management using KMS or hardware security modules (HSM) within 1 week.
Remediation:
Never store encryption keys on the same media as encrypted backups.

Question 3: Are physical backup media (tapes, disks) stored in secured, access-controlled locations?

✅ YES → Proceed to Q4.
❌ NO → GAP: Move backup media to secure storage (locked safe, access-controlled room) within 3 days.
Remediation:
Implement badge-access controls and maintain access logs for physical storage locations.

Question 4: Do you maintain an inventory of all backup media with encryption and storage location documented?

✅ YES → Proceed to Q5.
❌ NO → GAP: Create and maintain a backup media inventory within 1 week.
Remediation:
Use the inventory features of your backup management software or create a manual tracking spreadsheet.

Question 5: Are backup storage access attempts logged and monitored for unauthorized activity?

✅ YES → Fully compliant.
❌ NO → GAP: Enable access logging for all backup storage locations within 2 days.
Remediation:
Configure CloudTrail (AWS), Azure Monitor logs, or backup system audit logging.
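Logging alone does not satisfy the "monitored for unauthorized activity" half of Question 5; something has to read the log and raise alerts (implementation step 6). The added example below (not NetStable's code) scans CloudTrail-style JSON events and flags three things a backup administrator would want to know about: denied requests against a backup bucket, reads by a principal that is not on the expected list, and destructive or encryption-weakening changes even by an allowed principal. The bucket name, role ARNs, account id 111122223333, IP addresses and events are constructed for illustration; the allow-list is an assumption about who should touch backup storage.

```python
"""Flag unauthorized or risky access to backup storage from CloudTrail-style events.

Added example, not NetStable's code. Each event carries the CloudTrail fields
used here: eventTime, eventName, errorCode, userIdentity.arn, sourceIPAddress
and requestParameters.bucketName. All values below are constructed samples.
"""
import json

BACKUP_BUCKETS = {"cui-backups-prod"}

# Assumption: only the backup service role and the backup admins' role should
# touch backup storage. Adjust to your environment.
ALLOWED_PRINCIPALS = {
    "arn:aws:sts::111122223333:assumed-role/BackupServiceRole/backup-job",
    "arn:aws:sts::111122223333:assumed-role/BackupAdmins/alice",
}

# Actions that destroy backups or weaken their protection at rest.
DESTRUCTIVE = {"DeleteObject", "DeleteObjects", "DeleteBucket",
               "DeleteBucketEncryption", "PutBucketEncryption", "PutBucketVersioning"}

ROLE = "arn:aws:sts::111122223333:assumed-role/"

# Constructed sample events, one JSON object per line as a SIEM export would give them.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"eventTime": "2024-05-01T02:00:11Z", "eventName": "PutObject",
     "userIdentity": {"arn": ROLE + "BackupServiceRole/backup-job"}, "sourceIPAddress": "10.0.5.20",
     "requestParameters": {"bucketName": "cui-backups-prod", "key": "2024-05-01/full.bak"}},
    {"eventTime": "2024-05-01T09:12:40Z", "eventName": "GetObject",
     "userIdentity": {"arn": ROLE + "BackupAdmins/alice"}, "sourceIPAddress": "10.0.7.15",
     "requestParameters": {"bucketName": "cui-backups-prod", "key": "2024-05-01/full.bak"}},
    {"eventTime": "2024-05-01T11:03:02Z", "eventName": "GetObject", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}, "sourceIPAddress": "203.0.113.9",
     "requestParameters": {"bucketName": "cui-backups-prod", "key": "2024-05-01/full.bak"}},
    {"eventTime": "2024-05-01T11:05:30Z", "eventName": "GetObject",
     "userIdentity": {"arn": ROLE + "DataAnalysts/carol"}, "sourceIPAddress": "10.0.9.44",
     "requestParameters": {"bucketName": "cui-backups-prod", "key": "2024-04-30/full.bak"}},
    {"eventTime": "2024-05-01T14:20:00Z", "eventName": "DeleteBucketEncryption",
     "userIdentity": {"arn": ROLE + "BackupAdmins/alice"}, "sourceIPAddress": "10.0.7.15",
     "requestParameters": {"bucketName": "cui-backups-prod"}},
    {"eventTime": "2024-05-01T15:00:00Z", "eventName": "GetObject",
     "userIdentity": {"arn": ROLE + "DataAnalysts/carol"}, "sourceIPAddress": "10.0.9.44",
     "requestParameters": {"bucketName": "public-website-assets", "key": "logo.png"}},
])


def classify(event: dict):
    """Return an alert dict for a backup-bucket event that needs attention, else None."""
    bucket = (event.get("requestParameters") or {}).get("bucketName")
    if bucket not in BACKUP_BUCKETS:
        return None  # not backup storage; out of scope for this rule
    actor = event.get("userIdentity", {}).get("arn", "unknown")
    action = event.get("eventName", "unknown")
    if event.get("errorCode") == "AccessDenied":
        kind = "denied-access"          # someone tried and was refused: investigate who
    elif actor not in ALLOWED_PRINCIPALS:
        kind = "unexpected-principal"   # succeeded, but not a role that should be here
    elif action in DESTRUCTIVE:
        kind = "destructive-change"     # allowed role, but a change that weakens protection
    else:
        return None
    return {"kind": kind, "time": event.get("eventTime"), "actor": actor,
            "action": action, "bucket": bucket, "source_ip": event.get("sourceIPAddress")}


def scan(jsonl: str) -> list:
    """Parse newline-delimited JSON events and return the alerts in log order."""
    alerts = []
    for line in jsonl.splitlines():
        if line.strip():
            alert = classify(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"{a['time']} {a['kind']:20} {a['action']:22} {a['actor']} from {a['source_ip']}")
```

Two caveats when wiring this to real data: S3 object-level events (GetObject, PutObject, DeleteObject) only appear in CloudTrail if data-event logging is enabled for the bucket, whereas bucket-level management events such as DeleteBucketEncryption are recorded by default; and the allow-list should be derived from the same access policy that the "Backup Storage Security Policy" evidence documents, so that the monitoring and the policy cannot drift apart.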

⚠️ Common Mistakes (What Auditors Flag)

1. Backups are not encrypted, only the primary data is encrypted.

Why this happens: Backup encryption not enabled by default in backup software.
How to avoid: Explicitly configure encryption for all backup jobs during initial setup and verify regularly.

2. Encryption keys stored with the backup media.

Why this happens: Convenience or misunderstanding of key management principles.
How to avoid: Use separate key management systems (KMS, HSM) and never co-locate keys with encrypted data.

3. Off-site backup storage security not verified.

Why this happens: Assuming third-party facilities meet security requirements without verification.
How to avoid: Review storage facility certifications (SOC 2, ISO 27001) and conduct site visits if possible.

4. Cloud backup snapshots not encrypted.

Why this happens: Default cloud backup settings may not enable encryption.
How to avoid: Always enable encryption at rest for cloud storage buckets, snapshots, and backup vaults.

5. No monitoring or auditing of backup storage access.

Why this happens: Backup systems treated as "set it and forget it" without ongoing security monitoring.
How to avoid: Implement continuous monitoring and alerting for all backup storage access attempts.

📚 Parent Policy

This practice is governed by the Media Protection Policy

View MP Policy →

📚 Related Controls