
How to Secure Cloud and Offsite Storage for Backup CUI: Step-by-Step Implementation Guide — NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - MP.L2-3.8.9

Step-by-step guidance to securely store backup Controlled Unclassified Information (CUI) in cloud and offsite locations to satisfy NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 MP.L2-3.8.9 requirements.

April 10, 2026
5 min read


Backing up Controlled Unclassified Information (CUI) to cloud or offsite storage is essential for business continuity, but it introduces confidentiality and integrity risks that NIST SP 800-171 Rev.2 and CMMC 2.0 Level 2 require you to control—MP.L2-3.8.9 specifically addresses protecting backup CUI in cloud and offsite environments. This guide provides a pragmatic, step-by-step implementation path for small businesses and contractors to meet that control: how to design, configure, and operate backups so they remain protected in transit, at rest, and during handling by third parties.

Requirement & Key Objectives (high-level)

The compliance objective is simple: ensure backups that contain CUI are protected to the same confidentiality and integrity standards as production systems when they are stored offsite or in cloud services. Key objectives include: encrypting backups in transit and at rest, enforcing least-privilege access and multi-factor authentication, validating the cloud/offsite provider's security posture (e.g., FedRAMP, SOC 2), maintaining chain-of-custody and logging, performing periodic restore tests, and implementing secure disposal/retention aligned with NIST SP 800-88.

Step-by-step Implementation

Step 1 — Inventory, Classification, and Policy

Start by inventorying backup targets and classifying whether the data is CUI. Create a Backup & Offsite Storage Policy that explicitly covers CUI: acceptable cloud providers, required encryption standards (e.g., AES-256), key management expectations (customer-managed keys preferred), retention windows, allowed transport methods, and mandatory restore test cadence. For small shops, document which datasets are CUI, where they are backed up (on-prem, AWS, Azure, partner vault), and who is authorized to access those backups.

Step 2 — Choose and Assess Cloud/Offsite Providers

Only use providers that can demonstrate appropriate controls: FedRAMP Moderate/High (for federal workloads), SOC 2 with relevant trust services, or equivalent security attestations. For AWS/Azure/GCP, require encryption at rest with customer-managed keys (CMKs) stored in a FIPS 140-2/3 validated KMS/HSM if available. Contractually require the provider to support logging/retention, non-public access (no public buckets), and data segregation. For physical offsite vaulting partners, require tamper-evident packaging, tracked chain-of-custody, and proof of environmental controls.

Step 3 — Implement Strong Cryptography and Key Management

Encrypt backups end-to-end. Use TLS 1.2+/1.3 for transport and AES-256 for stored objects. Prefer client-side encryption (CSE) or customer-managed server-side encryption (SSE-CMK or equivalent) so that your organization controls keys. Use a KMS/HSM with role separation: backup application service accounts should not be allowed to extract raw key material. Establish key rotation and revocation procedures and log all key usage. For small businesses, managed KMS (AWS KMS, Azure Key Vault) with CMKs and strict IAM controls is a practical pattern.

Step 4 — Enforce Access Controls, Authentication, and Logging

Apply least privilege IAM policies for backup accounts and operators; deny wildcard permissions and require role-based access. Enforce MFA for any administrative access to backup configurations or keys. Use network controls: private endpoints or VPC endpoints to ensure traffic to cloud storage does not traverse the public internet. Enable audit logging (CloudTrail, Azure Monitor, GCP Audit Logs) and export logs to an immutable logging service or a separate account to prevent tampering. Configure alerts for unusual access patterns (e.g., bulk download of backup objects).
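As an added example (not code from the original guide), the check below audits a backup bucket's settings and its IAM policy against Steps 3 and 4: SSE with a customer-managed KMS key, blocked public access, versioning and object lock, VPC-endpoint-only traffic, logs in a separate account, MFA for admins, and no wildcard Allow statements. The config dict shape and its keys are this example's own simplified representation (assumed, not a provider API); the IAM statements use the real AWS policy-document fields.

```python
"""Added example, not from the original guide: audit a backup bucket and its
IAM policy against Steps 3 and 4. The config dict is this example's own
simplified shape (assumed, not a provider API); IAM statements use the real
AWS policy-document fields (Effect/Action/Resource)."""


def _has_wildcard(value) -> bool:
    """Action/Resource may be a string or a list; flag '*' or 'service:*'."""
    items = value if isinstance(value, list) else [value]
    return any(v == "*" or v.endswith(":*") for v in items)


def audit_backup_bucket(cfg: dict) -> list[str]:
    """Return findings; an empty list means the configuration passes."""
    findings = []
    enc = cfg.get("encryption", {})
    if enc.get("type") != "aws:kms":  # "AES256" would be provider-managed SSE-S3
        findings.append("at-rest encryption is not SSE-KMS")
    elif not enc.get("customer_managed_key"):
        findings.append("KMS key is provider-managed, not a customer-managed CMK")
    checks = {
        "block_public_access": "public access is not blocked",
        "versioning": "object versioning is disabled",
        "object_lock": "no immutable retention (object lock)",
        "vpc_endpoint_only": "backup traffic is not restricted to a VPC endpoint",
        "logs_to_separate_account": "audit logs are not exported to a separate account",
        "mfa_for_admins": "MFA is not enforced for administrative access",
    }
    findings += [msg for key, msg in checks.items() if not cfg.get(key)]
    for n, stmt in enumerate(cfg.get("iam_policy", [])):
        if stmt.get("Effect") == "Allow" and (_has_wildcard(stmt.get("Action", []))
                                              or _has_wildcard(stmt.get("Resource", []))):
            findings.append(f"IAM statement {n} grants wildcard Action/Resource")
    return findings


# Constructed sample configurations: a weak bucket and its hardened form.
WEAK_BUCKET = {
    "encryption": {"type": "AES256", "customer_managed_key": False},
    "block_public_access": False, "versioning": True, "object_lock": False,
    "vpc_endpoint_only": False, "logs_to_separate_account": False,
    "mfa_for_admins": True,
    "iam_policy": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}
HARDENED_BUCKET = {
    "encryption": {"type": "aws:kms", "customer_managed_key": True},
    "block_public_access": True, "versioning": True, "object_lock": True,
    "vpc_endpoint_only": True, "logs_to_separate_account": True,
    "mfa_for_admins": True,
    "iam_policy": [{"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
                    "Resource": "arn:aws:s3:::example-backups/*"}],  # object-level scope only
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_BUCKET), ("hardened", HARDENED_BUCKET)):
        print(name, audit_backup_bucket(cfg) or "PASS")
```

Running the same function from a CI job against state exported by your IaC tool turns the policy in Step 1 into a preventive gate rather than a periodic manual review.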

Step 5 — Integrity, Versioning, and Restore Testing

Protect integrity by enabling object versioning and immutable retention policies (object lock/retention) where supported; store checksums (SHA-256) with backups and validate them during restore. Schedule periodic restore tests and table-top exercises (quarterly for critical CUI) and document the results. Automated verification scripts that compare checksums during restore build practical assurance and satisfy auditors, who will ask for a history of successful restores.
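The restore-verification script described above, as an added example that is not part of the original guide: it records a SHA-256 manifest when the backup set is written and, after a test restore, reports files that are missing, corrupted, or not in the manifest. The directory layout and file contents in demo() are constructed sample data.

```python
"""Added example, not from the original guide: record a SHA-256 manifest when
a backup is written and verify it after a test restore (Step 5). Directory
layout and file contents in demo() are constructed sample data."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):  # stream large backup images
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> dict[str, str]:
    """Relative POSIX path -> SHA-256 for every file in the backup set."""
    return {p.relative_to(backup_dir).as_posix(): sha256_file(p)
            for p in sorted(backup_dir.rglob("*")) if p.is_file()}


def verify_restore(restore_dir: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare a restored tree against the manifest; all lists empty means a clean restore."""
    report = {"missing": [], "corrupted": [], "unexpected": []}
    for rel, expected in manifest.items():
        p = restore_dir / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_file(p) != expected:
            report["corrupted"].append(rel)
    for p in sorted(restore_dir.rglob("*")):
        rel = p.relative_to(restore_dir).as_posix()
        if p.is_file() and rel not in manifest:
            report["unexpected"].append(rel)
    return report


def demo() -> dict[str, list[str]]:
    """Constructed scenario: the restore corrupts one file, drops another and
    brings back a stray file, so each failure mode is exercised once."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, restore = Path(tmp, "backup", "db"), Path(tmp, "restore", "db")
        backup.mkdir(parents=True)
        restore.mkdir(parents=True)
        (backup / "cui.db").write_bytes(b"cui-record-001")
        (backup.parent / "notes.txt").write_bytes(b"ok")
        manifest_path = Path(tmp, "manifest.json")  # stored alongside the backup set
        manifest_path.write_text(json.dumps(build_manifest(backup.parent)))
        manifest = json.loads(manifest_path.read_text())
        (restore / "cui.db").write_bytes(b"cui-record-00X")  # one byte altered
        (restore.parent / "stray.tmp").write_bytes(b"")      # notes.txt never arrives
        return verify_restore(restore.parent, manifest)
```

Log the report from each scheduled test with its date and operator; that log is the restore history an assessor will ask for.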

Step 6 — Transport, Physical Offsite Handling, and Disposal

For physical media transported offsite, encrypt the media with AES-256, use tamper-evident seals, and maintain documented chain-of-custody records for every transfer. Use reputable couriers or dedicated vaulting services that provide tracking and environmental guarantees. When media reaches end-of-life, sanitize according to NIST SP 800-88 guidelines—cryptographic erase for drives or physical destruction for non-erasable media—and log sanitization events.

Small Business Example Scenarios

Example A — Cloud-first small contractor: Use Veeam to back up on-prem servers to an S3 bucket in AWS GovCloud or an account configured for FedRAMP Moderate equivalence. Enable S3 server-side encryption with AWS KMS CMKs, enforce bucket policies to block public access, use VPC endpoints for backup traffic, and configure lifecycle rules to move older backups to encrypted Glacier Deep Archive. Test restores quarterly and store KMS key rotation events in immutable logs (separate AWS account).

Example B — Hybrid with physical offsite: Encrypt backups locally with client-side AES-256 using a key stored in an on-prem HSM or managed KMS, send encrypted backup images to an offsite vaulting partner that provides tamper-evident storage, and retain chain-of-custody manifests. Maintain procedural controls that only two authorized employees may access manifests and require MFA to decrypt keys for restores.

Compliance Tips, Best Practices, and Risks of Non-Compliance

Best practices: codify procedures, perform documented risk assessments, include backup protection clauses in subcontractor contracts, and automate restore verification. Use infrastructure-as-code to deploy repeatable secure configurations for buckets/endpoints and enforce policy with preventive controls (SCPs, Azure Policy, GCP Organization Policy). Train staff on handling CUI backups and test incident response scenarios involving backup compromise. Risks of not implementing these controls include unauthorized disclosure of CUI, contract penalties or lost DoD business, reputational damage, and costly forensic/remediation work following a breach.

Summary: Meeting MP.L2-3.8.9 is achievable by combining strong encryption and key management, strict access controls and logging, validated provider selection, documented processes for physical offsite handling, and regular testing. Small businesses should focus on repeatable, auditable controls—use managed cloud services with customer-managed keys, private connectivity, immutable logs, and documented restore tests—to maintain both operational resilience and compliance with NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 requirements.
