Back to Control Explorer



Control Acronym




CMMC Level


800-171 Control #


CMMC Description

Protect the confidentiality of backup CUI at storage locations.

CMMC Clarification

You protect the confidentiality of information to ensure that it remains private and unchanged. Methods to ensure confidentiality may include: * encrypting files * managing who has access to the information * physically securing devices and media that contains CUI * managing the use of information. * Storage locations for information are varied, and may include: * external hard drives * USB flash drives * disc media (e.g., CD, DVD, Blu-Ray) * Networked Attached Storage (NAS) * cloud backup * FTP, FTP Secure, SFTP. Example You are in charge of protecting CUI for the company. You need to protect the confidentiality of backup data. You encrypt all your CUI data as it is saved on an external hard drive. Only people who are on the contract can access the hard drive. You secure the external hard drive in a physical location accessible only to people with permission.

800-171 Description

Protect the confidentiality of backup CUI at storage locations.

800-171 Discussion

Organizations can employ cryptographic mechanisms or alternative physical controls to protect the confidentiality of backup information at designated storage locations. Backed-up information containing CUI may include system-level information and user-level information. System-level information includes system-state information, operating system software, application software, and licenses. User-level information includes information other than system-level information.

Other Source Discussion


CIS Control References

NIST 800-53 Control Ref.

NIST 800-53 Rev 4 CP-9

CMMC Derived

NIST CSF Control References

NIST 800-171 References

NIST SP 800-171 Rev 1 3.8.9

Applicable FAR Clause

NIST CSF Control Reference

CERT RMM Reference


Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference


Assessment Sub-Criteria 1

RE.2.138.[a] the confidentiality of backup CUI is protected at storage locations.

Assessment Sub-Criteria 2

Assessment Sub-Criteria 3

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15