Level 5 CMMC - CMMC Practices

RE.2.138  

Reference: CMMC 1.02

Family: RE

Level Introduced: 2

Practice:
Protect the confidentiality of backup CUI at storage locations.

CMMC Clarification:
You protect the confidentiality of information to ensure that it remains private and unchanged. Methods to ensure confidentiality may include:
• encrypting files;
• managing who has access to the information;
• physically securing devices and media that contains CUI; and
• managing the use of information.
Storage locations for information are varied, and may include:
• external hard drives;
• USB flash drives;
• disc media (e.g., CD, DVD, Blu-Ray);
• Networked Attached Storage (NAS);
• cloud backup; and
• FTP, FTP Secure, SFTP.

Example
You are in charge of protecting CUI for the company. You need to protect the confidentiality of backup data. You encrypt all your CUI data as it is saved on an external hard drive. Only people who are on the contract can access the hard drive. You secure the external hard drive in a physical location accessible only to people with permission.

3.8.9

Protect the confidentiality of backup CUI at storage locations.

Discussion:
Organizations can employ cryptographic mechanisms or alternative physical controls to protect the confidentiality of backup information at designated storage locations. Backed-up information containing CUI may include system-level information and user-level information. System-level information includes system-state information, operating system software, application software, and licenses. User-level information includes information other than system-level information.

Source: NIST Special Publication 800-171 Rev. 2

CP-9

INFORMATION SYSTEM BACKUP

Description:
The organization:
    a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
    b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
    c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
    d. Protects the confidentiality, integrity, and availability of backup information at storage locations.

Supplemental Guidance:
System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Related controls: CP-2, CP-6, MP-4, MP-5, SC-13.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02