Protect Backups
Protect the confidentiality of backup CUI at storage locations.
What an assessor scores, the objectives
MP.L2-3.8.9 has a single assessment objective, taken from NIST SP 800-171A, and is met only when that objective is satisfied. A missed objective makes the whole requirement not met.
- a. The confidentiality of backup CUI is protected at storage locations.
How a C3PAO checks it
NIST SP 800-171A defines three assessment methods: examine, interview, and test. For MP.L2-3.8.9, an assessor uses them as follows:
Examine: procedures addressing system backup; system configuration settings and associated documentation; security plan; backup storage locations; system backup logs or records; other relevant documents or records.
Interview: personnel with system backup responsibilities; personnel with information security responsibilities.
Test: organizational processes for conducting system backups; mechanisms supporting or implementing system backups.
What it means, in context
Organizations can employ cryptographic mechanisms or alternative physical controls to protect the confidentiality of backup information at designated storage locations. Backed-up information containing CUI may include system-level information and user-level information. System-level information includes system-state information, operating system software, application software, and licenses. User-level information includes information other than system-level information.
You protect CUI to ensure that it remains private (confidentiality) and unchanged (integrity). Methods to ensure confidentiality may include:
- encrypting files or media;
- managing who has access to the information; and
- physically securing devices and media that contain CUI.
Storage locations for information are varied, and may include:
- external hard drives;
- USB drives;
- magnetic media (tape cartridge);
- optical disk (CD, DVD);
- Network Attached Storage (NAS);
- servers; and
- cloud backup.
This requirement, MP.L2-3.8.9, requires that the confidentiality of backup information be protected at storage locations.
Example
You are in charge of protecting CUI for your company. Because the company's backups contain CUI, you work with IT to protect the confidentiality of backup data. You agree to encrypt all CUI data as it is saved to an external hard drive [a].
Potential Assessment Considerations
- Are data backups encrypted on media before removal from a secured facility [a]?
- Are cryptographic mechanisms FIPS validated [a]?
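The first assessment consideration above asks whether backups are encrypted on media before the media leaves a secured facility. The following script is an added example written for this page; it is not part of the CMMC assessment guide or of any vendor's backup tool. It walks a storage location (a mounted USB drive, an external disk, a NAS export) and flags files that are plainly unencrypted: files whose leading bytes match common plaintext archive formats (tar, gzip, zip, bzip2, xz, SQLite), and files whose byte entropy is too low to be ciphertext. The magic-byte lists, the 7.5 bits/byte entropy floor, and the sample files it builds in a temporary directory are all assumptions constructed for the demonstration, not real CUI.

```python
"""Pre-removal check: are the backup files at a storage location encrypted?

Added example for MP.L2-3.8.9, not the assessment guide's own code. Flags
plaintext backup containers by magic bytes, then by byte entropy. A file
that is neither recognisably plaintext nor recognisably encrypted is
returned for human review rather than silently approved.
"""
import gzip
import io
import math
import os
import random
import tarfile
import tempfile
from collections import Counter

# Leading bytes of common *unencrypted* backup container formats (assumed, partial list).
PLAINTEXT_MAGIC = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip",
    b"BZh": "bzip2",
    b"\xfd7zXZ\x00": "xz",
    b"SQLite format 3\x00": "sqlite",
}
# A ustar/pax/GNU tar header carries "ustar" at byte offset 257.
TAR_MAGIC_OFFSET, TAR_MAGIC = 257, b"ustar"
# Leading bytes of encrypted containers this check recognises (assumed, partial list).
ENCRYPTED_MAGIC = {
    b"Salted__": "openssl enc",
    b"LUKS\xba\xbe": "LUKS volume",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0. Ciphertext and compressed data sit near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: str, entropy_floor: float = 7.5, sample_size: int = 65536):
    """Return (verdict, detail); verdict is 'plaintext', 'encrypted' or 'review'."""
    with open(path, "rb") as f:
        head = f.read(sample_size)
    if not head:
        return ("review", "empty file")
    for magic, name in ENCRYPTED_MAGIC.items():
        if head.startswith(magic):
            return ("encrypted", name)
    for magic, name in PLAINTEXT_MAGIC.items():
        if head.startswith(magic):
            return ("plaintext", name)
    if head[TAR_MAGIC_OFFSET:TAR_MAGIC_OFFSET + len(TAR_MAGIC)] == TAR_MAGIC:
        return ("plaintext", "tar")
    h = shannon_entropy(head)
    if h < entropy_floor:  # far below 8 bits/byte: cannot be ciphertext
        return ("plaintext", f"low entropy {h:.2f} bits/byte")
    # High entropy but no known header: could be ciphertext or an unknown
    # compressed format, so a person has to confirm before removal.
    return ("review", f"high entropy {h:.2f} bits/byte, unrecognised container")


def audit_storage_location(root: str) -> dict:
    """Classify every file under root; keys are paths relative to root."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            results[os.path.relpath(full, root)] = classify(full)
    return results


def removal_approved(results: dict) -> bool:
    """Media may leave the facility only when every file is encrypted."""
    return all(verdict == "encrypted" for verdict, _ in results.values())


def build_sample_location() -> str:
    """Construct sample backup files in a temp dir (constructed data, not real CUI)."""
    root = tempfile.mkdtemp(prefix="backup_audit_")
    rng = random.Random(20240601)  # seeded so the demo is reproducible
    text = b"Invoice 1001: constructed sample record, not real CUI.\n" * 200
    with tarfile.open(os.path.join(root, "finance.tar"), "w") as tar:
        info = tarfile.TarInfo("invoices.txt")
        info.size = len(text)
        tar.addfile(info, io.BytesIO(text))
    with gzip.open(os.path.join(root, "mail.sql.gz"), "wb") as g:
        g.write(text)
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(text)
    cipher_like = bytes(rng.getrandbits(8) for _ in range(4096))  # stands in for ciphertext
    with open(os.path.join(root, "finance.tar.enc"), "wb") as f:
        f.write(b"Salted__" + cipher_like)  # shape of an `openssl enc -salt` output
    with open(os.path.join(root, "unknown.bin"), "wb") as f:
        f.write(cipher_like)  # high entropy, no header: needs review
    return root


if __name__ == "__main__":
    location = build_sample_location()
    report = audit_storage_location(location)
    for rel_path, (verdict, detail) in sorted(report.items()):
        print(f"{verdict:10} {rel_path:18} {detail}")
    print("removal approved:", removal_approved(report))
```

The script only answers "is anything on this medium obviously plaintext?"; it cannot tell whether the cipher used is FIPS validated, which the second assessment consideration asks about and which has to come from the backup tool's documentation and settings. Run it from a scheduled job or a removal checklist step, point it at the mount point, and keep the printed report with the backup log as evidence.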
What passing evidence looks like
Backups protected at their storage location: encrypted backup sets with access limited to authorized personnel, demonstrated from the backup tool's settings.
Common ways contractors fail MP.L2-3.8.9
- The unencrypted USB backup drive in a desk drawer is the classic miss. Encrypt the backup and lock it up, or use a cloud backup with encryption documented.
The step-by-step walkthrough for Microsoft 365 GCC High, Google Workspace, and on-premises setups, plus the exact evidence to capture, lives inside the Level 2 Accelerator.
Prove MP.L2-3.8.9, and the other 109
The Level 2 Accelerator walks all 110 requirements with you, generates your SSP, POA&M, and Audit Room from real evidence, includes the full Level 1 platform, and puts a credentialed officer alongside you for 180 days. Filed in 180 days, or we work free until you are.
No credit card. Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.
MP.L2-3.8.9 questions, answered
How many points is CMMC requirement MP.L2-3.8.9 worth?
MP.L2-3.8.9 is worth 1 point in the CMMC Level 2 score under 32 CFR 170.24. If it is not met, you lose 1 from your total of 110.
Can MP.L2-3.8.9 be placed on a POA&M?
Yes. A gap on MP.L2-3.8.9 can be deferred to a Plan of Action and Milestones, provided your overall score is 88 or better and the item closes within 180 days.
What family does MP.L2-3.8.9 belong to?
MP.L2-3.8.9 is in the Media Protection (MP) family, one of the 14 families of NIST SP 800-171 that make up CMMC Level 2.
- NIST SP 800-171 Rev. 2, requirement 3.8.9