NIST Special Publication 800-171 Revision 2
Date Published: January 28th, 2021
Withdrawn on May 14, 2024. Superseded by SP 800-171 Rev. 3
Author(s): Ron Ross (NIST), Victoria Pillitteri (NIST), Kelley Dempsey (NIST), Mark Riddle (NARA), Gary Guissanie (IDA)
Note: A Class Deviation is in effect as of May 2, 2024 (DEVIATION 2024O0013). The deviation clause requires contractors, who are subject to 252.204-7012, to comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2, instead of the version of NIST SP 800-171 in effect at the time the solicitation is issued or as authorized by the contracting officer.
3.8.9: Protect the confidentiality of backup CUI at storage locations.
Control Family: Maintenance
Control Type: Derived
SPRS Value: 1
SPRS Supplemental Guidance: N/A
CMMC Level(s): MP.L2-3.8.9
Top Ten Failed Requirement: No
Referenced in: DFARS 252.204-7012
Derived From: NIST SP 800-53r4 CP-9
NIST Supplemental Guidance: N/A
Discussion:
Organizations can employ cryptographic mechanisms or alternative physical controls to protect the confidentiality of backup information at designated storage locations. Backed-up information containing CUI may include system-level information and user-level information. System-level information includes system-state information, operating system software, application software, and licenses. User-level information includes information other than system-level information.
Upon assessment, assessors must determine if:
the confidentiality of backup CUI is protected at storage locations.
Assessors are instructed to:
Examine: [SELECT FROM: Procedures addressing system backup; system configuration settings and associated documentation; security plan; backup storage locations; system backup logs or records; other relevant documents or records].
Interview: [SELECT FROM: Personnel with system backup responsibilities; personnel with information security responsibilities].
Test: [SELECT FROM: Organizational processes for conducting system backups; mechanisms supporting or implementing system backups].
FURTHER DISCUSSION
You protect CUI to ensure that it remains private (confidentiality) and unchanged (integrity). Methods to ensure confidentiality may include:
encrypting files or media;
managing who has access to the information; and
physically securing devices and media that contain CUI.
Storage locations for information are varied, and may include:
external hard drives;
USB drives;
magnetic media (tape cartridge);
optical disk (CD, DVD);
Networked Attached Storage (NAS);
servers; and
cloud backup.
This requirement, MP.L2-3.8.9, requires that the confidentiality of backup information be protected at storage locations.
Example
You are in charge of protecting CUI for your company. Because the company’s backups contain CUI, you work with IT to protect the confidentiality of backup data. You agree to encrypt all CUI data as it is saved to an external hard drive [a].
Potential Assessment Considerations
Are data backups encrypted on media before removal from a secured facility [a]?
Are cryptographic mechanisms FIPS validated [a]?
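The example above (encrypting CUI as it is saved to an external hard drive) and the first assessment consideration (are backups encrypted on media before removal from the facility) illustrated as an added Go program; it is not part of NIST SP 800-171 or of the CMMC assessment guide. It assumes a 32-byte key supplied from outside the program (a key manager or HSM; here generated in memory only for the demonstration), a sealed-file layout of magic header plus nonce plus AES-256-GCM ciphertext chosen for this example, and a constructed sample payload. Whether the mechanism is FIPS validated [a] is a property of the cryptographic module the deployment runs on, not of this code.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Layout of a sealed backup as written to the storage location (chosen for this example):
//   magic (8 bytes) || nonce (12 bytes) || AES-256-GCM ciphertext || 16-byte tag
var magic = []byte("CUIBAK01")

const keyLen = 32 // AES-256

// NewKey returns a fresh random 32-byte key. In a real deployment the key comes
// from a key manager or HSM and is never stored alongside the backup media.
func NewKey() ([]byte, error) {
	key := make([]byte, keyLen)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keyLen {
		return nil, fmt.Errorf("key must be %d bytes, got %d", keyLen, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealBackup encrypts a backup archive before it leaves the secured facility.
// The magic header is bound as associated data, so a file whose header was
// altered or replaced fails to open rather than decrypting to garbage.
func SealBackup(key, archive []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := append([]byte{}, magic...)
	out = append(out, nonce...)
	return gcm.Seal(out, nonce, archive, magic), nil
}

// OpenBackup restores the archive; any change to header, nonce, ciphertext or
// tag is detected and rejected, which also covers the integrity goal named above.
func OpenBackup(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	hdr := len(magic) + gcm.NonceSize()
	if len(blob) < hdr+gcm.Overhead() || !bytes.Equal(blob[:len(magic)], magic) {
		return nil, errors.New("not a sealed backup")
	}
	return gcm.Open(nil, blob[len(magic):hdr], blob[hdr:], magic)
}

// ExposesPlaintext is the check an assessor (or a pre-removal gate) can run on the
// bytes that actually sit on the media: it reports whether a known marker string
// from the backup content is readable in the clear. A sealed backup never exposes it.
func ExposesPlaintext(blob, marker []byte) bool {
	return bytes.Contains(blob, marker)
}

func main() {
	// Constructed sample standing in for a real backup set; the marker is a
	// string an assessor knows must appear in the plaintext archive.
	archive := []byte("CUI//SP-CTI constructed sample payroll export 2024-01")
	marker := []byte("CUI//SP-CTI")

	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	sealed, err := SealBackup(key, archive)
	if err != nil {
		panic(err)
	}
	fmt.Printf("plaintext exposed on media (sealed): %v\n", ExposesPlaintext(sealed, marker))
	fmt.Printf("plaintext exposed on media (unencrypted copy): %v\n", ExposesPlaintext(archive, marker))

	restored, err := OpenBackup(key, sealed)
	if err != nil {
		panic(err)
	}
	fmt.Printf("restore matches original: %v\n", bytes.Equal(restored, archive))
}
```

The seal step belongs in the backup job itself, so that what reaches the external drive, tape or cloud bucket is already ciphertext; the ExposesPlaintext check is what you would run against a sample of files at the storage location when answering the assessment question, and a successful OpenBackup from a restore test is the evidence that the key custody arrangement actually works.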
Frameworks & Controls
3.8.2: Limit access to CUI on system media to authorized users.
3.8.3: Sanitize or destroy system media containing CUI before disposal or release for reuse.
3.8.4: Mark media with necessary CUI markings and distribution limitations.
3.8.7: Control the use of removable media on system components.
3.8.8: Prohibit the use of portable storage devices when such devices have no identifiable owner.
3.8.9: Protect the confidentiality of backup CUI at storage locations.