MP.L2-3.8.9 Protect Backups
Protect the confidentiality of backup CUI at storage locations.
Source: NIST SP 800-171 Rev 2 3.8.9
Discussion: Organizations can employ cryptographic mechanisms or alternative physical controls to protect the confidentiality of backup information at designated storage locations. Backed-up information containing CUI may include system-level information and user-level information. System-level information includes system-state information, operating system software, application software, and licenses. User-level information includes information other than system-level information.
Assessment Objectives:
Determine if:
- [a] the confidentiality of backup CUI is protected at storage locations.
Examine: [SELECT FROM: Procedures addressing system backup; security plan; backup storage location(s); system backup logs or records; other relevant documents or records].
Interview: [SELECT FROM: Personnel with system backup responsibilities; personnel with information security responsibilities].
Test: [SELECT FROM: Organizational processes for conducting system backups; mechanisms supporting or implementing system backups].
SPRS Score: 1
POA&M Allowed: Yes