CMMC MP.L2-3.8.9: Protect Backups of Controlled Unclassified Information
Backup protection is a critical defense against data breaches and ransomware attacks targeting your most sensitive assets. CMMC Level 2 control MP.L2-3.8.9 requires you to safeguard the confidentiality of backup CUI across all storage locations. This guide walks you through compliance requirements and practical implementation strategies.
What this means
This control mandates that your organization implement technical and administrative protections to prevent unauthorized access to backup copies of Controlled Unclassified Information (CUI). Whether backups are stored on-premise, in cloud environments, or with third-party providers, you must ensure confidentiality through encryption, access controls, and secure storage practices. The control recognizes that backups contain the same sensitive data as production systems and deserve equivalent protection.
How to comply
- 1.Encrypt all backup CUI using NIST-approved encryption standards (AES-256 or equivalent) both in transit and at rest
- 2.Implement role-based access controls limiting backup access to only authorized personnel with documented business need
- 3.Maintain a comprehensive backup inventory documenting storage locations, retention periods, and protection mechanisms
- 4.Establish secure backup storage locations with physical and logical access controls separate from primary systems
- 5.Implement multi-factor authentication for backup access and recovery procedures
- 6.Test backup recovery procedures quarterly to verify confidentiality controls remain effective
- 7.Document all backup protection measures and maintain evidence of implementation for audits
Evidence auditors look for
- Encryption certificates or configuration screenshots showing AES-256 encryption enabled on backup storage systems
- Access control logs demonstrating role-based restrictions on who can view, modify, or restore backups
- Backup inventory spreadsheet with storage locations, data classifications, and applied protection controls
- Physical security documentation for backup storage facilities including badge access records
- MFA configuration evidence for backup management interfaces and recovery tools
- Backup restoration test reports with dates and results verifying confidentiality controls
- Backup retention policies linked to data classification and CUI handling requirements
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates backup control documentation by tracking encryption status, access logs, and restoration tests across your infrastructure—eliminating manual evidence gathering and keeping your CMMC audit-ready.
See how GRCWatch handles this control automatically
Start free trial