03.08.09 — (a) Protect the confidentiality of backup information. (b) Implement cryptographic mechanisms to prevent the unauthorized disclosure of CUI at backup storage locations.
What this control requires
(a) Protect the confidentiality of backup information. (b) Implement cryptographic mechanisms to prevent the unauthorized disclosure of CUI at backup storage locations.
Source: NIST SP 800-171 R3 §03.08.09 (official control text).
Why this matters
Backup data is a prime target for adversaries because it often contains historical CUI spanning months or years in a single location. If backups are stored unencrypted, a single breach (physical theft of backup media, cloud account compromise, or insider access) exposes the organization's entire information repository. Cryptographic protection ensures that even if backup storage is compromised, the CUI remains confidential. This control mandates encryption at rest for all backup repositories, whether on-premises tape libraries, detachable drives, or cloud storage buckets, preventing unauthorized disclosure throughout the backup lifecycle.
What evidence assessors expect
Assessors typically look for screenshots, configuration exports, PDFs, and photos. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.