CMMC Level 2 Practice 3.8.9: Protect the confidentiality of backup CUI at storage locations

CMMC Level 2 Practice 3.8.9 requires you to keep backup copies of CUI confidential wherever they are stored, including on-site media, off-site vaults, and cloud backup repositories. Operationalize it by inventorying every CUI backup location, encrypting backups (and protecting the keys), restricting and logging access, and retaining repeatable evidence that the control operates. 1

Key takeaways:

  • Treat backups as full-fledged CUI storage locations, not “just recovery data.” 1
  • Encryption plus key management, access control, and audit logging are the fastest path to defensible confidentiality for backup CUI. 1
  • Assessors will look for proof: backup scope, configurations, access lists, and recurring evidence capture tied to your SSP/POA&M. 2

CMMC Level 2 aligns to NIST SP 800-171 Rev. 2, and Practice 3.8.9 is one of the places organizations fail for a simple reason: backup systems sprawl. CUI may be backed up by endpoint agents, virtual machine snapshots, SaaS “recycle bins,” database replicas, tape rotations, and third-party managed backup services. Each of those becomes a “storage location” where CUI confidentiality must be protected. 1

From a CCO or GRC lead perspective, the fastest way to operationalize 3.8.9 is to turn it into a short set of non-negotiable control outcomes: you know where CUI backups exist, they are encrypted (or otherwise equivalently protected for confidentiality), only authorized personnel can access them, and you can produce evidence on demand that these conditions are true and maintained. 1

This page focuses on requirement-level implementation guidance: who must comply, what to configure, what to document, and what evidence typically satisfies a CMMC Level 2 assessment. It also calls out common hangups like immutable backups, off-site media handling, and third-party backup operators, with a practical execution plan you can hand to IT and track in governance. 2

Requirement: CMMC Level 2 Practice 3.8.9: Protect the confidentiality of backup CUI at storage locations

Practice 3.8.9 expects confidentiality controls for CUI backups wherever they reside: backup repositories, removable media, cloud storage buckets, managed backup platforms, and off-site storage. Your job is to prevent unauthorized disclosure if someone accesses backup files or media, including scenarios like lost tapes, misconfigured cloud storage, over-permissive backup admin roles, or third-party mishandling. 1

Plain-English interpretation

  • If CUI is in a backup, that backup must be protected like any other CUI store.
  • “Storage locations” includes any place backup data is written and retained, not just your primary backup server.
  • Confidentiality means unauthorized people cannot read the content, even if they can see or copy the backup objects. Encryption with protected keys is the most common way to achieve this in practice. 1

Who it applies to

Entities: Defense contractors and other federal contractors that handle CUI and must meet CMMC Level 2 requirements. 3

Operational context where it bites:

  • Centralized backup platforms (on-prem backup appliances, backup servers, NAS targets).
  • Cloud backups (IaaS snapshots, object storage-based backups, cloud-native backup services).
  • Endpoint backups and local cache folders created by backup agents.
  • Off-site media (tape rotation, removable drives, disaster recovery vaults).
  • Third parties that manage backups or store backup media on your behalf. 1

Regulatory text

Excerpt (framework mapping): “CMMC Level 2 practice mapped to NIST SP 800-171 Rev. 2 requirement 3.8.9 (Protect the confidentiality of backup CUI at storage locations).” 1

What the operator must do: Implement technical and administrative controls so that backup copies containing CUI remain confidential at every storage location. That typically means (a) identifying where backup CUI exists, (b) applying encryption or equivalent confidentiality protection at rest and for media handling, (c) restricting access to authorized roles, and (d) producing evidence that these protections are consistently applied. 1

What you actually need to do (step-by-step)

Step 1: Define “backup CUI” scope you can defend

  1. Identify CUI-containing systems (your CUI enclave, CUI file shares, CUI SaaS, CUI databases).
  2. Enumerate backup mechanisms for each system: snapshots, replication, agent-based backups, exports, “archiving,” and DR copies.
  3. Document storage locations: on-site repositories, cloud buckets, immutable vault tiers, tape libraries, and off-site vault providers.
    Deliverable: a “Backup CUI Data Flow + Storage Location Register” that ties each CUI system to its backup locations. 1

Step 2: Standardize confidentiality controls per backup location type

Use a simple decision matrix:

  • On-prem backup repository
    Minimum confidentiality control outcome: Backup content unreadable without authorization
    Typical implementation: Backup encryption at rest + admin RBAC + OS/storage encryption
  • Cloud object storage (backup target)
    Minimum confidentiality control outcome: Private bucket/container + encrypted objects
    Typical implementation: Provider encryption + customer-managed keys where feasible + restrictive IAM
  • VM snapshots
    Minimum confidentiality control outcome: Snapshot content protected like disks
    Typical implementation: Encrypt volumes + restrict snapshot permissions
  • Removable media / tape
    Minimum confidentiality control outcome: Lost media does not disclose CUI
    Typical implementation: Strong encryption before write + chain-of-custody + locked storage
  • Third-party managed backup
    Minimum confidentiality control outcome: Third party cannot expose CUI
    Typical implementation: Contract + access controls + encryption + audit evidence from provider

Your assessor will not accept “we think it’s encrypted” as a control. Pick an implementation pattern per location and document it. 2

Step 3: Implement encryption and protect the keys

Core requirements you should be able to demonstrate:

  • Backups are encrypted at rest (backup software encryption, storage-layer encryption, or both).
  • Keys are protected and access is limited to a small set of authorized administrators.
  • Key operations are logged (key access, rotation events, changes to key policies), to the extent your platform supports it.
  • Restore workflows preserve confidentiality (temporary restore locations, staging areas, and downloaded backups are also controlled). 1

Practical tip: include a rule in your backup standard that prohibits writing unencrypted CUI backups to removable media or unmanaged cloud storage. Make exceptions rare and documented in the POA&M. 1
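One way to make the Step 2 decision matrix and the Step 3 key-administrator rule checkable rather than aspirational is to run the Storage Location Register through a small gap finder. This is an added example, not code from the page or from any backup product; the register field names, the location-type keys and the MAX_KEY_ADMINS threshold are assumptions, and the sample register entries are constructed.

```python
# Added example (not from the page or any backup vendor): check a Backup CUI
# Storage Location Register against the Step 2 decision matrix and the Step 3
# "small set of key administrators" rule. Field names and threshold are assumed.
from dataclasses import dataclass, field
@dataclass
class BackupLocation:
    name: str
    location_type: str                # key into REQUIRED_CONTROLS
    controls: set = field(default_factory=set)
    key_admins: int = 0               # accounts able to use or administer the key
# Minimum control outcomes per location type, following the Step 2 matrix.
REQUIRED_CONTROLS = {
    "on_prem_repository": {"encryption_at_rest", "admin_rbac"},
    "cloud_object_storage": {"private_bucket", "object_encryption", "restrictive_iam"},
    "vm_snapshot": {"volume_encryption", "snapshot_permissions_restricted"},
    "removable_media": {"encrypt_before_write", "chain_of_custody", "locked_storage"},
    "third_party_managed": {"contract_clause", "provider_encryption_evidence", "access_controls"},
}
MAX_KEY_ADMINS = 3  # assumed ceiling for "a small set of authorized administrators"

def find_gaps(register):
    """Return {location name: [gap descriptions]} for every non-compliant entry."""
    gaps = {}
    for loc in register:
        problems = []
        required = REQUIRED_CONTROLS.get(loc.location_type)
        if required is None:
            problems.append(f"unknown location type {loc.location_type!r}; extend the matrix")
        else:
            problems += [f"missing control: {c}" for c in sorted(required - loc.controls)]
        if loc.key_admins > MAX_KEY_ADMINS:
            problems.append(f"{loc.key_admins} key admins exceeds limit of {MAX_KEY_ADMINS}")
        if problems:
            gaps[loc.name] = problems
    return gaps

# Constructed sample register entries (not real systems).
SAMPLE_REGISTER = [
    BackupLocation("BKP-01 appliance", "on_prem_repository",
                   {"encryption_at_rest", "admin_rbac"}, key_admins=2),
    BackupLocation("LTO offsite set", "removable_media",
                   {"chain_of_custody", "locked_storage"}, key_admins=2),
    BackupLocation("Cloud vault", "cloud_object_storage",
                   {"private_bucket", "object_encryption", "restrictive_iam"}, key_admins=7),
]

if __name__ == "__main__":
    for name, problems in find_gaps(SAMPLE_REGISTER).items():
        print(f"{name}: " + "; ".join(problems))  # each line is a candidate POA&M item
```

Each reported gap maps directly to a POA&M item and to the evidence an assessor will ask for at that location.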

Step 4: Lock down access (least privilege + separation of duties)

Do this in your backup platform and in the underlying storage:

  1. Define backup roles (backup admin, backup operator, restore requester/approver, auditor/read-only).
  2. Remove default broad roles (global admins, inherited domain admins) from backup consoles where possible.
  3. Restrict restore privileges; restores are a high-risk data exfil path.
  4. Require MFA for backup admin access if your environment policy supports it (tie to your access control practices).
  5. Log admin actions and forward logs to your centralized logging/SIEM if you have one. 1
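The restore rules in Step 4 (restore role, approved ticket, approved restore target) can be screened against the backup console's forwarded audit log. This is an added example, not code from the page or from any backup vendor; the "timestamp key=value" log format, the role membership, ticket identifiers and approved targets are assumptions, and the log lines are constructed.

```python
# Added example (not from the page or any backup vendor): screen backup-console
# audit events for restores that break the Step 4 rules: actor must hold the restore
# role, the event must cite an approved ticket, and the target must be approved.
import re
# Constructed audit lines in an assumed "timestamp key=value ..." format.
SAMPLE_LOG = """\
2024-05-02T09:12:04Z action=restore actor=jdoe job=CUI-FS-daily target=cui-restore-stage ticket=CHG-1042
2024-05-02T10:30:51Z action=restore actor=svc_backup job=CUI-DB-weekly target=laptop-7781 ticket=
2024-05-02T11:02:17Z action=backup actor=svc_backup job=CUI-FS-daily target=repo01 ticket=
2024-05-02T13:45:09Z action=restore actor=mlee job=CUI-FS-daily target=cui-restore-stage ticket=CHG-1050
"""
RESTORE_ROLE = {"jdoe", "asmith"}         # assumed members of the restore-requester role
APPROVED_TICKETS = {"CHG-1042"}           # assumed tickets with a recorded approval
APPROVED_TARGETS = {"cui-restore-stage"}  # assumed restore targets inside the CUI enclave
LINE_RE = re.compile(r"^(\S+) (.*)$")

def parse_event(line):
    """Split one audit line into a dict of key=value fields plus its timestamp."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields

def restore_findings(log_text):
    """Return (timestamp, actor, [reasons]) for every restore that violates a rule."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev or ev.get("action") != "restore":
            continue
        reasons = []
        if ev.get("actor") not in RESTORE_ROLE:
            reasons.append("actor lacks restore role")
        if not ev.get("ticket"):
            reasons.append("no ticket referenced")
        elif ev["ticket"] not in APPROVED_TICKETS:
            reasons.append(f"ticket {ev['ticket']} has no recorded approval")
        if ev.get("target") not in APPROVED_TARGETS:
            reasons.append(f"target {ev.get('target')} is not an approved restore location")
        if reasons:
            findings.append((ev["ts"], ev.get("actor"), reasons))
    return findings

if __name__ == "__main__":
    for ts, actor, reasons in restore_findings(SAMPLE_LOG):
        print(ts, actor, "; ".join(reasons))
```

Retaining the clean run alongside the flagged events is the "logs for a restore event" evidence the assessment checklist asks for.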

Step 5: Cover off-site and physical storage controls

If you use tapes or removable drives:

  • Encrypt before the media leaves your controlled environment.
  • Maintain chain-of-custody (check-in/check-out logs, sealed containers, courier receipts where applicable).
  • Store media in locked, access-controlled locations.
  • Define destruction or sanitization requirements at end of life and retain certificates of destruction from third parties. 1

Step 6: Manage third parties that store/operate backups

Where a third party hosts backup repositories or stores media, you need:

  • Contract terms requiring confidentiality protections for CUI backups, access restrictions, and breach notification aligned to your obligations.
  • Evidence from the provider showing encryption and access controls for your tenant or environment.
  • A method to verify changes (quarterly access review, configuration attestation, or reports). 2

Step 7: Operationalize evidence capture (make it repeatable)

Map 3.8.9 to a control owner, a cadence, and an evidence checklist. Daydream-style control operations work well here: you define what “good” evidence looks like, then capture it on a recurring schedule so you are not scrambling before an assessment. 2

Required evidence and artifacts to retain

Assessors generally want objective evidence that is current and tied to your environment. Keep:

  • Backup CUI Storage Location Register (systems → backup jobs → repositories → off-site locations). 1
  • Backup architecture diagram showing where CUI flows and where it rests (including DR). 1
  • Backup encryption configuration evidence: screenshots/exported settings showing encryption enabled for relevant jobs/repositories, plus storage encryption settings where applicable. 1
  • Key management evidence: KMS policy exports, key access permissions, and audit logs where available. 1
  • Access control lists / RBAC role definitions for backup consoles and storage, plus evidence of least privilege. 1
  • Restore authorization workflow (ticket examples, approvals, and logs for a restore event). 1
  • Off-site media chain-of-custody logs and storage access logs; destruction certificates for retired media. 1
  • Third-party artifacts: contract clauses, provider encryption attestation, access review results. 2
  • SSP/POA&M mapping for 3.8.9 with ownership, implementation statement, and any gaps tracked to closure. 2

Common exam/audit questions and hangups

Expect these during a CMMC Level 2 assessment:

  • “Show me all places backup CUI is stored, including cloud and off-site.” 1
  • “Prove backups are encrypted. Is encryption per-job, per-repository, or storage-layer?” 1
  • “Who can restore CUI from backup? Show role assignments and a recent restore ticket.” 1
  • “How do you control encryption keys? Who has access? Where are logs?” 1
  • “If your MSP manages backups, how do you ensure they can’t access CUI improperly?” 2

Hangup to preempt: teams often document encryption for the primary backup repository but miss endpoint caches, SaaS retention, or snapshot permissions. Your register should force completeness. 1

Frequent implementation mistakes (and how to avoid them)

  1. Unknown backup sprawl: Shadow backups in SaaS exports or VM snapshots.
    Fix: require each CUI system owner to attest to backup methods; validate via platform inventory. 1

  2. Encryption enabled, keys overexposed: Too many admins can access KMS or backup encryption passphrases.
    Fix: narrow key admin roles, require ticketed access, and document approvals. 1

  3. Restore path is a data leak: Restores to insecure locations or to non-enclave endpoints.
    Fix: define approved restore targets and log every restore with requester/approver. 1

  4. Third-party blind spot: No evidence from the storage or managed backup provider.
    Fix: bake evidence requirements into the contract and request reports on a set cadence. 2

  5. No recurring evidence: Config screenshots taken once, then stale.
    Fix: adopt recurring evidence capture tied to change management and periodic reviews; Daydream can track evidence requests, owners, and due dates in one place. 2

Enforcement context and risk implications

No public enforcement cases specific to this practice were provided in the source catalog, but risk is straightforward: backups are a high-value target because they often contain broad, historical datasets and may bypass day-to-day access controls. A single misconfigured repository or lost unencrypted tape can expose large volumes of CUI. Your control objective is to make unauthorized access yield unusable data. 1

Practical execution plan (30/60/90-day)

First 30 days (establish scope and control ownership)

  • Assign a control owner for 3.8.9 and identify technical owners for each backup platform. 2
  • Build the Backup CUI Storage Location Register and validate it with system owners. 1
  • Confirm which backup locations are already encrypted and where gaps exist; open POA&M items for gaps. 2

Days 31–60 (implement and harden)

  • Enable encryption for all CUI backup jobs/repositories; document the configuration state. 1
  • Tighten RBAC: remove broad admin groups, restrict restore permissions, and ensure logs are collected. 1
  • For off-site media, implement chain-of-custody and secure storage procedures; align with physical security practices. 1

Days 61–90 (prove operation and make it repeatable)

  • Run an access review for backup administrators and restore privileges; retain evidence. 1
  • Perform a controlled restore test and retain the ticket, approvals, and logs as assessment-ready evidence. 1
  • Operationalize recurring evidence capture (config exports, access lists, provider attestations) and tie it to your SSP/POA&M narrative; Daydream can manage this as a standing control with scheduled evidence requests. 2

Frequently Asked Questions

Does “backup CUI” include VM snapshots and cloud snapshots?

If the snapshot contains CUI, treat it as a backup storage location and protect its confidentiality the same way. Restrict snapshot permissions and ensure underlying volumes are encrypted. 1

Is storage-layer encryption enough, or do I need backup-software encryption too?

Either can meet the confidentiality objective if it prevents unauthorized disclosure at the storage location and you can prove key protection and access control. Many teams use both to reduce single-point failure and to cover removable media workflows. 1

How do we handle immutable backups or WORM storage?

Immutability addresses integrity and recovery, but 3.8.9 focuses on confidentiality. Keep immutable backups encrypted and tightly restrict access to the vault or bucket where they reside. 1

Our MSP manages backups. What evidence do we need from them?

You need contractual requirements plus objective evidence that your backup CUI is encrypted and access is restricted to authorized personnel. Ask for role listings, encryption configuration attestations for your tenant, and audit logs or administrative action reports where available. 2

Do we need to encrypt backup tapes even if they’re stored in a locked facility?

A locked facility helps, but confidentiality risk remains during transport and handling. Encrypting before the tape leaves your control reduces exposure if media is lost, stolen, or mishandled. 1

What’s the fastest way to get assessment-ready for 3.8.9?

Start with a complete inventory of backup storage locations for CUI, then standardize encryption, RBAC, and logging per location. Maintain recurring evidence tied to your SSP/POA&M so you can show current operation without last-minute collection. 2

Footnotes

  1. NIST SP 800-171 Rev. 2

  2. DoD CMMC Program Guidance

  3. 32 CFR Part 170
