CMMC Practice Number: MP.L2-3.8.9
CMMC Level: 2
CMMC Domain: Media Protection (MP)
Practice Summary:
Protect the confidentiality of backup CUI at storage locations.
CMMC Practice Implementation
Assessment Objectives
Determine if:
[a] the confidentiality of backup CUI is protected at storage locations.
Practice Clarification (DOD, CMU)
You protect CUI to ensure that it remains private (confidentiality) and unchanged (integrity) [a]. Methods to ensure confidentiality may include:
• encrypting files or media,
• managing who has access to the information, and
• physically securing devices and media that contain CUI.
Storage locations for information are varied, and may include:
• external hard drives,
• USB drives,
• magnetic media (tape cartridge),
• optical disk (CD, DVD),
• Network-Attached Storage (NAS),
• servers, and
• cloud backup.
This practice, MP.L2-3.8.9, requires that the confidentiality of backup information be protected at its storage locations.
Example
You are in charge of protecting CUI for your company. Because the company’s backups contain CUI, you work with IT to protect the confidentiality of backup data. You agree to encrypt all CUI data as it is saved to an external hard drive [a].
Potential Assessment Considerations
• Are data backups encrypted on media before removal from a secured facility [a]?
• Are cryptographic mechanisms FIPS validated [a]?
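The two assessment questions above, together with the methods listed under Practice Clarification, reduce to a check an assessor or internal auditor can automate: for every backup job that holds CUI, is the data encrypted at rest, with an approved algorithm from a FIPS-validated module, and do the backup logs confirm that encryption was actually applied when the job ran? The following Python script is an added example and is not part of the CMMC or NIST text; the job-record fields, the algorithm names, and the log-line format are this example's own assumptions, and all job records and log lines are constructed sample data.

```python
"""Audit backup job definitions against MP.L2-3.8.9 (backup CUI confidentiality).

Added example; not part of the CMMC/NIST text. The job records and log lines
are constructed sample data in a hypothetical format. A real assessment would
export them from the backup tool's configuration and job history.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Symmetric algorithms this example treats as approved (the names follow this
# example's own convention, an assumption). FIPS 140 validation is a property
# of the cryptographic *module*, not of an algorithm name, so the
# fips_validated_module flag is what actually answers the assessor's question.
APPROVED_ALGORITHMS = {"AES-128-GCM", "AES-256-GCM", "AES-256-CBC", "AES-256-XTS"}

# Destination types taken from the practice's storage-location list; all of
# these can leave the secured facility or sit outside direct organizational control.
OFFSITE_TYPES = {"external_hdd", "usb", "tape", "optical", "nas", "cloud"}


@dataclass
class BackupJob:
    name: str
    contains_cui: bool
    destination_type: str              # one of OFFSITE_TYPES or "local_disk"
    encrypted_at_rest: bool
    algorithm: Optional[str] = None
    fips_validated_module: bool = False


def audit_job(job: BackupJob) -> List[str]:
    """Return findings for one job; an empty list means no issue for objective [a]."""
    findings: List[str] = []
    if not job.contains_cui:
        return findings                 # the practice applies only to backup CUI
    if not job.encrypted_at_rest:
        findings.append(f"{job.name}: CUI backup stored unencrypted on {job.destination_type}")
        if job.destination_type in OFFSITE_TYPES:
            findings.append(f"{job.name}: unencrypted media may leave the secured facility")
        return findings
    if job.algorithm not in APPROVED_ALGORITHMS:
        findings.append(f"{job.name}: algorithm {job.algorithm!r} is not on the approved list")
    if not job.fips_validated_module:
        findings.append(f"{job.name}: cryptographic module is not FIPS validated")
    return findings


def audit(jobs: List[BackupJob]) -> Dict[str, List[str]]:
    """Map each non-compliant job name to its findings."""
    results: Dict[str, List[str]] = {}
    for job in jobs:
        findings = audit_job(job)
        if findings:
            results[job.name] = findings
    return results


# Backup logs are evidence that the configuration was actually applied.
# Constructed log format (assumption): "<timestamp> job=<name> status=<s> encrypted=<yes|no>"
LOG_LINE = re.compile(r"job=(?P<job>\S+)\s+status=(?P<status>\S+)\s+encrypted=(?P<enc>yes|no)")


def unencrypted_runs(log_lines: List[str], jobs: List[BackupJob]) -> List[str]:
    """Names of CUI jobs whose completed runs were logged as unencrypted (config drift)."""
    cui_jobs = {j.name for j in jobs if j.contains_cui}
    flagged = set()
    for line in log_lines:
        m = LOG_LINE.search(line)
        if m and m["job"] in cui_jobs and m["status"] == "ok" and m["enc"] == "no":
            flagged.add(m["job"])
    return sorted(flagged)


# Constructed sample data.
SAMPLE_JOBS = [
    BackupJob("fileserver-nightly", True, "tape", True, "AES-256-GCM", True),
    BackupJob("hr-share-weekly", True, "usb", False),
    BackupJob("eng-cloud", True, "cloud", True, "RC4", False),
    BackupJob("web-logs", False, "nas", False),
]
SAMPLE_LOG = [
    "2024-05-01T01:00:03Z job=fileserver-nightly status=ok encrypted=yes",
    "2024-05-01T02:00:10Z job=eng-cloud status=ok encrypted=no",   # differs from config
    "2024-05-01T03:00:00Z job=web-logs status=ok encrypted=no",    # no CUI, not a finding
]

if __name__ == "__main__":
    for findings in audit(SAMPLE_JOBS).values():
        for finding in findings:
            print("CONFIG:", finding)
    for name in unencrypted_runs(SAMPLE_LOG, SAMPLE_JOBS):
        print("LOG:   ", name, "ran with encrypted=no although the job holds CUI")
```

The configuration audit and the log check answer different parts of the evidence list under "Where To Look": the first reads system configuration settings, the second reads system backup logs or records. Running both catches the common case where a job is configured correctly but a later change (a new destination, a disabled plugin) silently stops the encryption step.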
Where To Look
- Procedures addressing system backup;
- system configuration settings and associated documentation;
- security plan;
- backup storage locations;
- system backup logs or records;
- other relevant documents or records.
Who To Talk To
- Personnel with system backup responsibilities;
- personnel with information security responsibilities.
Perform Test On
- Organizational processes for conducting system backups;
- mechanisms supporting or implementing system backups.
Additional Information
System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by companies to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this requirement. Information system backups reflect the requirements in contingency plans as well as other company requirements for backing up information.
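The paragraph above names cryptographic hashes and digital signatures as the mechanisms for protecting backup integrity. The following Python script is an added example, not part of the CMMC or NIST text, showing the hash-based form: each backup file gets a SHA-256 digest recorded in a manifest, and the manifest as a whole carries an HMAC-SHA256 tag so that someone who can alter the media cannot simply rewrite the manifest to match. The HMAC key, file names and file contents are constructed sample values; in practice the key is kept off the backup media, and a digital signature can replace the HMAC where verifiers should not hold a shared secret.

```python
"""Hash manifest with a keyed tag for backup integrity.

Added example; not part of the CMMC/NIST text. Demonstrates the "cryptographic
hashes" mechanism: per-file SHA-256 digests in a manifest, protected as a whole
by HMAC-SHA256. Key and file contents below are constructed sample values.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed sample key; a real key lives in a key store, never on the backup media.
SAMPLE_KEY = b"constructed-demo-key-not-for-production"

# Constructed stand-ins for backup artifacts (system-level and user-level data).
SAMPLE_FILES: Dict[str, bytes] = {
    "system-state.tar": b"registry and service configuration snapshot",
    "app-software.tar": b"application binaries and license files",
    "user-data.dump": b"user documents containing CUI",
}


def file_digest(data: bytes) -> str:
    """SHA-256 hex digest of one backup artifact."""
    return hashlib.sha256(data).hexdigest()


def _canonical(manifest: Dict[str, str]) -> bytes:
    # Deterministic serialization so the tag is stable across producers.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files: Dict[str, bytes], key: bytes) -> Tuple[Dict[str, str], str]:
    """Return (manifest, tag): per-file digests plus an HMAC over the manifest."""
    manifest = {name: file_digest(data) for name, data in sorted(files.items())}
    tag = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    return manifest, tag


def verify_backup(files: Dict[str, bytes], manifest: Dict[str, str],
                  tag: str, key: bytes) -> Tuple[bool, List[str]]:
    """Check the manifest tag first, then every file; return (ok, problems)."""
    expected = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, ["manifest tag mismatch: manifest altered or wrong key"]
    problems: List[str] = []
    for name, digest in manifest.items():
        if name not in files:
            problems.append(f"missing: {name}")
        elif not hmac.compare_digest(file_digest(files[name]), digest):
            problems.append(f"modified: {name}")
    for name in files:
        if name not in manifest:
            problems.append(f"unexpected: {name}")
    return not problems, problems


def run_demo() -> Dict[str, Tuple[bool, List[str]]]:
    """Exercise the three cases a restore check must distinguish."""
    manifest, tag = build_manifest(SAMPLE_FILES, SAMPLE_KEY)
    tampered_file = dict(SAMPLE_FILES)
    tampered_file["user-data.dump"] = SAMPLE_FILES["user-data.dump"] + b"!"
    forged_manifest = dict(manifest)
    forged_manifest["user-data.dump"] = file_digest(tampered_file["user-data.dump"])
    return {
        "intact": verify_backup(SAMPLE_FILES, manifest, tag, SAMPLE_KEY),
        "file_modified": verify_backup(tampered_file, manifest, tag, SAMPLE_KEY),
        "manifest_forged": verify_backup(tampered_file, forged_manifest, tag, SAMPLE_KEY),
    }


if __name__ == "__main__":
    for case, (ok, problems) in run_demo().items():
        print(f"{case:16} ok={ok} {problems}")
```

The third case is the one a plain hash list does not cover: the attacker updates both the file and its recorded digest, and only the keyed tag over the manifest exposes the change. Verification at restore time is what turns the manifest into evidence for the "mechanisms supporting or implementing system backups" test item.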
CMMC Practice Background and References (DOD, CMU)
Practice Discussion:
DISCUSSION FROM SOURCE: NIST SP 800-171 R2
Organizations can employ cryptographic mechanisms or alternative physical controls to protect the confidentiality of backup information at designated storage locations. Backed-up information containing CUI may include system-level information and user-level information. System-level information includes system-state information, operating system software, application software, and licenses. User-level information includes information other than system-level information.
CMMC References:
· NIST SP 800-171 Rev 1 3.8.9
· CERT RMM v1.2 MON:SG2.SP4
· NIST 800-53 Rev 4 CP-9