NIST 800-171 Control 3.8.9: Protect CUI at Backup Storage Locations
Control 3.8.9 requires organizations to maintain confidentiality safeguards for Controlled Unclassified Information (CUI) stored at backup and recovery sites. This control ensures your backup data receives the same protection as systems in your primary environment, preventing unauthorized access during storage and recovery operations.
What this means
This control mandates that backup copies of CUI—whether held on-site or at third-party facilities—remain encrypted and access-restricted at all times. You must apply the same confidentiality protections to backups as you do to active systems, including encryption in transit and at rest, secure facility controls, and strict access logging.
How to comply
- 1.Encrypt all backup media containing CUI using NIST-approved encryption standards (AES-256 minimum).
- 2.Restrict physical and logical access to backup storage locations to authorized personnel only.
- 3.Maintain an inventory of all backup locations and verify confidentiality controls are deployed at each site.
- 4.Document and enforce access controls for backup retrieval processes, including multi-person authorization where required.
- 5.Conduct regular audits of backup storage areas to confirm encryption, access logs, and environmental controls remain in place.
- 6.Establish secure chain-of-custody procedures when moving backup media between locations.
Evidence auditors look for
- Backup encryption configuration reports showing AES-256 or stronger algorithms applied to all CUI backups.
- Physical security badges, access logs, and facility visitor records for backup storage sites.
- System access control lists (ACLs) limiting backup restore permissions to named individuals.
- Backup media inventory spreadsheets linked to encryption certificates and custody records.
- Third-party backup vendor contracts specifying confidentiality requirements and audit rights.
- Network segmentation diagrams isolating backup infrastructure and restricted access ports.
- Encryption key management records showing secure storage and periodic rotation schedules.
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates backup encryption inventory, third-party control attestation, and access log auditing for 3.8.9—eliminating manual spreadsheet tracking and reducing verification time from hours to minutes.
See how GRCWatch handles this control automatically
Start free trial