3.8.9 — Protect Your Backups

The One-Liner

Unprotected backups are a second copy of your CUI with zero security. An attacker who can’t reach your production data might find it in your backups instead.

What It Says

Protect the confidentiality of backup CUI at storage locations.

What It Actually Means

Backups that contain CUI must be protected with the same rigor as your production CUI data. The assessor checks:

1. Encryption at rest. Backup data is encrypted using FIPS-validated cryptography (AES-256). This applies whether backups are stored on local drives, tape, or in the cloud. If someone steals a backup drive, the data must be unreadable.

2. Access restricted. Only designated backup administrators can access backup data — not every IT person, not every sysadmin. RBAC on your backup tool and storage location limits who can browse, restore, or export backup contents.

3. Storage location secured. Physical backups (drives, tapes) are in locked storage. Cloud backups are in a secured tenant with appropriate access controls and encryption. Off-site storage facilities are vetted and secured.

4. Backup integrity tested. Backups must actually work. Regular restore tests verify that encrypted backups can be successfully restored — an untested backup is just optimism.

The assessor will ask: where are your backups, are they encrypted, who can access them, and when did you last test a restore? If any answer is unsatisfying, that’s a finding.

---

Pass or Fail

Your assessor needs a “yes” to every row:

#	Question	What “yes” looks like
1	Is backup CUI confidentiality protected at storage locations?	Encrypted (AES-256 FIPS-validated); access restricted to backup admins (RBAC); storage location secured (locked room or encrypted cloud); restore tested periodically

---

What to Have Ready on Assessment Day

Documents they’ll review: Media protection policy; backup procedures; encryption configuration for backup storage; access control records for backup systems; restore test records; system security plan

People they’ll talk to: Personnel with backup responsibilities; information security personnel; backup administrators

Live demos they’ll ask for: “Show me your backup encryption configuration.” “Who can access backup data? Show me the RBAC settings.” “Where are backups stored — physically and in the cloud?” “When was the last restore test?”

---

The Assessor’s Playbook

These are the actual questions. Have answers ready.

• “Are your backups encrypted? Show me the configuration.”
• “Is the encryption FIPS-validated?”
• “Who can access backup data? Show me the access controls.”
• “Where are backups stored? Is the location secured?”
• “When did you last test a backup restore? Show me the record.”
• “If an attacker compromised your backup storage, would they get readable CUI?”
• “Are cloud backups encrypted with keys you control?”

Real-World Example

A defense contractor uses Veeam Backup with AES-256 encryption (FIPS mode) for on-premises backups stored on a dedicated NAS in the locked server room. Cloud backups go to Azure Backup with encryption at rest using a customer-managed key stored in Azure Key Vault (FIPS 140-2 Level 2). Backup access is restricted: only two people hold the Veeam console admin role, and Azure Backup RBAC limits the “Backup Operator” role to the same two people. General IT admins have no access to backup data or the backup console. Quarterly restore tests verify backup integrity — the last test restored a CUI file server to an isolated VM and confirmed data integrity. The assessor reviews: Veeam encryption settings, Azure Backup encryption and RBAC configuration, the locked server room where the NAS resides, and the last quarterly restore test record.

---

Where Companies Trip Up

Unencrypted backups. Production CUI is encrypted but backups aren’t — creating an unprotected copy of everything. Enable encryption in your backup tool and verify it’s FIPS-validated.

Access too broad. Every IT team member can browse backup data. If a sysadmin can restore any file from the backup, they effectively have access to all CUI — even data they shouldn’t see in production. Restrict backup access to designated backup administrators.

Cloud backups unverified. Using a cloud backup service but haven’t verified encryption settings, key management, or access controls. Check your provider’s configuration — don’t assume it’s secure by default.

No restore testing. Backups run nightly but nobody has tested a restore in a year. A backup you can’t restore isn’t a backup — it’s wasted storage. Test quarterly and document results.

Off-site storage unsecured. Physical backup tapes at an off-site facility with unknown security controls. Vet your off-site storage provider and ensure they meet your security requirements.

---

How to Talk About This

To a CEO or Board

Backups are encrypted with FIPS-validated cryptography, access is restricted to two designated administrators, and they’re stored in secured locations — both on-premises and in the cloud. We test restores quarterly to verify our backups actually work.

To an Engineering Team

Veeam: AES-256 FIPS mode on-prem. Azure Backup: encryption at rest with customer-managed key in Key Vault. RBAC: Backup Operator limited to 2 designated admins. On-prem NAS: locked server room. Quarterly restore tests documented. Backup inventory tracked. Cloud key rotation per organizational policy.

---

Connected Requirements

Requirement	Why it matters here
3.13.11 — Encrypt CUI at Rest	Encryption at rest applied to backup storage
3.8.1 — Lock Up CUI	Physical protection for backup media
3.8.6 — Encrypt Media in Transit	Encryption for backups transported off-site
3.8.3 — Destroy It Properly	Sanitization of backup media at end of life

---

Implementation (coming soon)

Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.

---

CMMC Practice ID: MP.L2-3.8.9 | SPRS Weight: 1 point | POA&M Eligible: Yes