MP.L2-3.8.9 — Protect the confidentiality of backup CUI at storage locations.
What this control requires
Protect the confidentiality of backup CUI at storage locations.
Source: CMMC L2 v2.13 MP.L2-3.8.9 / NIST SP 800-171 R2 3.8.9 (official control text).
Why this matters
Backup data is a prime target for adversaries because it often sits in less-monitored locations and contains complete snapshots of sensitive systems and files. If backup media or cloud repositories are compromised, attackers gain access to historical CUI without triggering live-system alarms. This control mandates that all backup copies of CUI—whether stored on physical tape, external drives, or cloud object storage—receive the same confidentiality protections as production data. Encryption at rest and physical security measures ensure that even if backup media is stolen or accessed by unauthorized personnel, the CUI remains unreadable and protected from disclosure.
What evidence assessors expect
Assessors typically look for: screenshot, photo, PDF. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
Related controls
See your live posture on MP.L2-3.8.9.
FORCE shows where you stand on this control and walks you through closing it.
Start a free trial tenant →