NIST 800-171 • LEVEL 2 • MEDIA PROTECTION

3.8.9 System Backup – Cryptographic Protection

Protect the confidentiality of backup information. Implement cryptographic mechanisms to prevent the unauthorized disclosure of CUI at backup storage locations.

Assessment Objectives

  • cryptographic mechanisms are implemented to prevent the unauthorized disclosure of CUI at backup storage locations.
  • the confidentiality of backup information is protected.

Practitioner Notes

Your backups contain CUI, so they need the same confidentiality protection as the original data. This practice requires that backup data be encrypted wherever it is stored, on-premises or in the cloud, not only while it is being transferred.

Example 1: If you use Windows Server Backup or Veeam, enable encryption on backup jobs. In Veeam, go to Backup Job Settings > Storage > Advanced > Enable backup file encryption and select AES-256. Store the encryption password in a secure password manager like KeePass or your PAM tool — not on a sticky note on the server.

Example 2: For cloud backups (e.g., Azure Backup or AWS Backup), ensure encryption at rest is enabled. In Azure, backups are encrypted at rest with Microsoft-managed keys by default, but for CUI you should use customer-managed keys stored in Azure Key Vault. This gives you full control over the encryption keys and meets the FIPS 140 validation requirements.
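Both examples rely on a product feature doing the encryption for you. As an added illustration that is not part of this page and not vendor code, the block below shows the mechanism those features implement: a fresh 256-bit data key per backup set, AES-256-GCM sealing of the backup bytes, a restore that fails closed on a wrong key or a modified file, and the spot check an assessor would run against a file at the storage location to confirm no CUI is readable in the clear. The sample backup content, the `ENCBK1` header string and all function names are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample backup content for this example; the CUI banner and the
// record are made up and stand in for whatever a real backup set would hold.
var SampleBackup = []byte("CUI//SP-PRVCY\nemployee,ssn\nJ. Doe,123-45-6789\n")

// Header prepended to every encrypted backup blob written by this example
// (constructed). It is authenticated as GCM additional data but not encrypted.
const blobMagic = "ENCBK1"

// GenerateDataKey creates a fresh 256-bit key for one backup set. This is the
// key a backup product protects with the job password, or that a cloud vault
// keeps as a customer-managed key: it lives in the key store or PAM tool,
// never next to the backup file.
func GenerateDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM builds the AES-256-GCM AEAD and rejects keys of the wrong size.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptBackup seals the backup bytes. Layout of the stored blob:
// blobMagic || 12-byte random nonce || ciphertext || 16-byte auth tag.
func EncryptBackup(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := append([]byte(blobMagic), nonce...)
	return gcm.Seal(out, nonce, plaintext, []byte(blobMagic)), nil
}

// DecryptBackup reverses EncryptBackup. It fails closed on a wrong key, a
// truncated blob, or any modification of the ciphertext at rest.
func DecryptBackup(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	hdr := len(blobMagic) + gcm.NonceSize()
	if len(blob) < hdr+gcm.Overhead() || string(blob[:len(blobMagic)]) != blobMagic {
		return nil, errors.New("not an encrypted backup blob")
	}
	nonce := blob[len(blobMagic):hdr]
	return gcm.Open(nil, nonce, blob[hdr:], []byte(blobMagic))
}

// LooksEncrypted is the spot check run against a file at the backup storage
// location: none of the given CUI markers or known record values may appear
// in the clear. It is a negative check only; a pass means "no obvious
// plaintext", not "correctly encrypted".
func LooksEncrypted(blob []byte, markers ...string) bool {
	for _, m := range markers {
		if bytes.Contains(blob, []byte(m)) {
			return false
		}
	}
	return true
}

func main() {
	key, err := GenerateDataKey()
	if err != nil {
		panic(err)
	}
	blob, err := EncryptBackup(key, SampleBackup)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob: %d bytes, plaintext markers absent: %v\n",
		len(blob), LooksEncrypted(blob, "CUI", "123-45-6789"))
	blob[len(blob)-1] ^= 0x01 // simulate a corrupted or tampered file at rest
	_, err = DecryptBackup(key, blob)
	fmt.Println("restore of tampered blob rejected:", err != nil)
}
```

Run it with `go run main.go`. The point for an assessment is the separation the code makes explicit: the blob at the storage location is useless without the data key, and the data key is held elsewhere (password manager, PAM tool, or Key Vault), which is the evidence this practice asks for.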