Practice MP.L2-3.8.9 Details: Difference between revisions

From CMMC Toolkit Wiki
Jump to navigation Jump to search
Newer edit →
VisualWikitext
Created page with "'''Source of Reference: The official [https://www.acq.osd.mil/cmmc/documentation.html CMMC Level 2 Assessment Guide] from the Office of the Under Secretary of Defense Acquisition & Sustainment.''' For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you. == MP.L2-3.8.9 – PROTECT BACKUPS == === SECURITY REQUIREMENT === Protect the confidentiality of backup CUI at storage locations. === ASSESSMENT OBJECTIVES === Det..."
 
No edit summary
Line 1: Line 1:
'''Source of Reference: The official [https://www.acq.osd.mil/cmmc/documentation.html CMMC Level 2 Assessment Guide] from the Office of the Under Secretary of Defense Acquisition & Sustainment.'''
'''Source of Reference: The official [https://dodcio.defense.gov/cmmc/Resources-Documentation/ CMMC Level 2 Assessment Guide] from the Department of Defense Chief Information Officer (DoD CIO).'''


For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you.
For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you.

Revision as of 00:20, 16 March 2025

Source of Reference: The official CMMC Level 2 Assessment Guide from the Department of Defense Chief Information Officer (DoD CIO).

For inquiries and reporting errors on this wiki, please contact us. Thank you.

MP.L2-3.8.9 – PROTECT BACKUPS

SECURITY REQUIREMENT

Protect the confidentiality of backup CUI at storage locations.

ASSESSMENT OBJECTIVES

Determine if:

[a] the confidentiality of backup CUI is protected at storage locations.

POTENTIAL ASSESSMENT METHODS AND OBJECTS

Examine

[SELECT FROM: Procedures addressing system backup; system configuration settings and associated documentation; security plan; backup storage locations; system backup logs or records; other relevant documents or records].

Interview

[SELECT FROM: Personnel with system backup responsibilities; personnel with information security responsibilities].

Test

[SELECT FROM: Organizational processes for conducting system backups;mechanisms supporting or implementing system backups].

DISCUSSION

Organizations can employ cryptographic mechanisms or alternative physical controls to protect the confidentiality of backup information at designated storage locations. Backed-up information containing CUI may include system-level information and user-level information. System-level information includes system-state information, operating system software, application software, and licenses. User-level information includes information other than system-level information.

FURTHER DISCUSSION

You protect CUI to ensure that it remains private (confidentiality) and unchanged (integrity).Methods to ensure confidentiality may include:

  • encrypting files or media;
  • managing who has access to the information; and
  • physically securing devices and media that contain CUI.

Storage locations for information are varied, and may include:

  • external hard drives;
  • USB drives;
  • magnetic media (tape cartridge);
  • optical disk (CD, DVD);
  • Networked Attached Storage (NAS);
  • servers; and
  • cloud backup.

This practice, MP.L2-3.8.9, requires the confidentiality of backup information at storage locations.

Example

You are in charge of protecting CUI for your company. Because the company’s backups contain CUI, you work with IT to protect the confidentiality of backup data. You agree to encrypt all CUI data as it is saved to an external hard drive [a].

Potential Assessment Considerations

  • Are data backups encrypted on media before removal from a secured facility [a]?
  • Are cryptographic mechanisms FIPS validated [a]?

KEY REFERENCES

  • NIST SP 800-171 Rev 2 3.8.9
Retrieved from "https://cmmcwiki.org/index.php?title=Practice_MP.L2-3.8.9_Details&oldid=872"