MP.L2-3.8.9 Protect Backups

Protect the confidentiality of backup CUI at storage locations.

Source: NIST SP 800-171 Rev 2 3.8.9

Discussion: Organizations can employ cryptographic mechanisms or alternative physical controls to protect the confidentiality of backup information at designated storage locations. Backed-up information containing CUI may include system-level information and user-level information. System-level information includes system-state information, operating system software, application software, and licenses. User-level information includes information other than system-level information.

Assessment Objectives:

Determine if:

Examine: [SELECT FROM: Procedures addressing system backup; security plan; backup storage location(s); system backup logs or records; other relevant documents or records].

Interview: [SELECT FROM: Personnel with system backup responsibilities; personnel with information security responsibilities].

Test: [SELECT FROM: Organizational processes for conducting system backups; mechanisms supporting or implementing system backups].

SPRS Score: 1

POA&M Allowed: Yes