MP.L2-3.8.9: Protect Backups

Protect CUI at backup storage locations with the same controls as primary storage to prevent data loss or unauthorized access.

Backups are where companies lose security control. They focus on protecting production data and forget the backups sitting in a vault or in cloud storage. The assessor specifically looks at backups because they are often the weakest link. A backup may hold data from six months ago, so if it is exposed your security incident covers months of data, not days. Backup protection extends MP.L2-3.8.1 (media protection) to archival storage and complements MP.L2-3.8.3 (media sanitization).

MP.L2-3.8.9 At a Glance

  • Encrypt all backup media containing CUI
  • Restrict access to backup systems and restore operations
  • Implement strong authentication for backup administration
  • Log all backup operations and restore requests
  • Verify backups are successful and restorable
  • Retain backups according to retention schedule only
  • Sanitize backup media before reuse or disposal

What the assessor is actually evaluating

The assessor wants to know three things. First, are backups encrypted? Second, who can access and restore backups? Third, are old backups properly destroyed? If a backup is not encrypted, the assessor will fail you immediately. If anyone can restore a backup, you’ve failed access control. If you have backups from five years ago still in storage, you’ve failed retention.

Cloud backups are often easier to control than physical backups. Cloud providers encrypt at rest. You control restore permissions through IAM. You set retention policies and the cloud handles deletion. But you still need to document it. Pull up your Azure Backup settings. Show encryption. Show who has access. Show retention policy.

Physical backups (tape, external drives, offline storage) are harder. You need to track where tapes are, who has access, how they’re encrypted, and when they’ll be destroyed. A tape in the wrong storage location is a security failure. A tape with no encryption label is a concern. A tape that should have been destroyed but is still in the vault is a problem.

For most companies doing CMMC, cloud backup is the path of least resistance. Local backups are cheaper but require more administrative control. Either way, you need to document the controls and verify they work.

What a realistic SSP definition looks like

Example SSP Language

"Organization protects CUI at backup storage locations with complete controls matching production environments.

Cloud Backup (Primary Method): Organization uses Azure Backup or AWS Backup for all CUI. Backups are encrypted at rest with AES-256 by the cloud provider. Access to restore operations is restricted to IT leadership and approved staff. Restore requests require multi-factor authentication and manager approval. Restore operations are logged and reviewed weekly. Backup retention is 90 days for daily backups, 12 months for monthly backups. Beyond retention, backups are automatically deleted.

Backup Access Controls: Only the CISO and backup administrator can initiate restore operations. Database administrators can request restores but cannot execute them without approval. Restore logs are reviewed monthly for unauthorized attempts. Any failed restore attempt triggers an incident investigation.

Verification and Testing: Backup success is monitored daily. A backup is considered successful only if verification confirms the backup completed without errors and the data is restorable. Monthly, a test restore is performed on non-production systems to verify backup integrity. Restore test results are documented.

Physical Backup (Secondary/Archival): If backup tapes are used for long-term archival, tapes are encrypted before leaving the facility. Tapes are stored in a secure off-site location with controlled access. Tape inventory is maintained with serial numbers and locations. Tapes beyond retention schedule are returned to the vendor for destruction. Destruction certificates are obtained and retained.

Incident Response: If a backup is lost, stolen, or accessed without authorization, the incident is reported to the CISO and affected parties immediately. An investigation determines whether data was compromised. If data was encrypted, exposure is minimal."
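The retention schedule in the SSP language above (daily backups kept 90 days, monthly backups kept 12 months, anything older deleted) is the kind of thing an assessor will ask you to prove rather than describe. The following script is an added example, not code from this page or from any backup vendor: it evaluates a constructed inventory of recovery points against that schedule, reports which points are past retention and should be deleted, and flags any point the backup system reports as unencrypted. The tier names, the recovery-point identifiers and the `encrypted` flag are assumptions for illustration; a real check would read the inventory from your backup platform's API or export.

```python
"""Retention-schedule check for backup recovery points.

Added example (constructed data, not a real vault inventory). Evaluates
recovery points against the schedule stated in the SSP language on this
page: daily backups kept 90 days, monthly backups kept 12 months.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Retention in days, keyed by backup tier. The day counts follow the SSP
# example; the tier names are an assumption of this example.
RETENTION_DAYS = {"daily": 90, "monthly": 365}


@dataclass(frozen=True)
class RecoveryPoint:
    point_id: str      # hypothetical identifier, not a real vault id
    tier: str          # "daily" or "monthly"
    created: date
    encrypted: bool    # encryption-at-rest flag reported by the backup system


def is_expired(point: RecoveryPoint, today: date) -> bool:
    """True when the point is older than the retention for its tier."""
    if point.tier not in RETENTION_DAYS:
        raise ValueError(f"unknown backup tier: {point.tier}")
    return today - point.created > timedelta(days=RETENTION_DAYS[point.tier])


def retention_report(points, today):
    """Split an inventory into keep/delete lists and flag unencrypted points.

    Returns sorted point ids so the output can be pasted into a retention
    evidence record (and so it is easy to assert on).
    """
    keep, delete, unencrypted = [], [], []
    for p in points:
        (delete if is_expired(p, today) else keep).append(p.point_id)
        if not p.encrypted:
            unencrypted.append(p.point_id)
    return {
        "keep": sorted(keep),
        "delete": sorted(delete),
        "unencrypted": sorted(unencrypted),
    }


# Constructed sample inventory for the example (not real data).
SAMPLE_TODAY = date(2025, 6, 30)
SAMPLE_POINTS = [
    RecoveryPoint("rp-daily-001", "daily", date(2025, 6, 29), True),    # 1 day old: keep
    RecoveryPoint("rp-daily-002", "daily", date(2025, 4, 1), True),     # 90 days old: keep
    RecoveryPoint("rp-daily-003", "daily", date(2025, 3, 31), True),    # 91 days old: delete
    RecoveryPoint("rp-month-001", "monthly", date(2024, 7, 1), True),   # 364 days old: keep
    RecoveryPoint("rp-month-002", "monthly", date(2024, 6, 1), False),  # 394 days old: delete, unencrypted
]

if __name__ == "__main__":
    for label, ids in retention_report(SAMPLE_POINTS, SAMPLE_TODAY).items():
        print(f"{label}: {', '.join(ids) or '(none)'}")
```

The boundary case matters: a daily point exactly 90 days old is still within retention and is kept, while one day older is reported for deletion. Run the report on a schedule and keep its output alongside the deletion records, because "beyond retention, backups are automatically deleted" is only evidence if you can show the deletion happened.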

How to present your evidence

Evidence Checklist for MP.L2-3.8.9

  • Backup Policy: Written policy documenting what data is backed up, where, retention schedule, and how it's protected
  • Cloud Backup Configuration: Screenshots of Azure Backup, AWS Backup, or equivalent showing encryption, access controls, and retention settings
  • Backup Access Matrix: Documentation of who can access and restore backups
  • Backup Success Reports: Daily or weekly reports showing backups completed successfully
  • Verification Tests: Monthly test restore results confirming backups are restorable
  • Restore Request Log: Records of all backup restore requests, approvals, and who performed the restore
  • Physical Backup Inventory: If using tapes, list of tape locations, encryption status, and retention schedule
  • Destruction Certificates: Certificates showing backup media was properly sanitized or destroyed
  • Incident Reports: Any backup-related incidents (loss, theft, unauthorized access) and resolution

Assessment room tips

Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.

What You'll Hear in the Assessment Room

Assessor: "Walk me through your backup strategy. Where are CUI backups stored?"

What works: "We use Azure Backup for daily backups. All backups are encrypted with AES-256. We retain daily backups for 90 days and monthly backups for 12 months. Beyond that, they're deleted automatically." [Pull up Azure Backup configuration]

Assessor: "Who can restore a backup?"

What works: "Only the CISO and backup administrator can initiate restores. Any restore request requires multi-factor authentication and approval from management. Here's our restore policy." [Pull up access control matrix and restore log]

Assessor: "Show me evidence that backups are working. When was the last successful backup?"

What works: "Here's yesterday's backup report. All systems completed successfully. Here are the last 30 days of backup reports. Every backup succeeded." [Pull up daily backup success reports]

Assessor: "Do you ever test your backups? How do you know they're restorable?"

What works: "Yes, monthly. We do a test restore on a non-production system. Here are the test results from last month. The restore completed successfully and data integrity was verified." [Pull up monthly restore test documentation]

Assessor: "What's your retention schedule? How long do you keep backups?"

What works: "Daily backups are kept for 90 days. Monthly backups are kept for 12 months. Older backups are automatically deleted by Azure Backup. This is configured in our backup policy." [Show policy and Azure retention settings]

Assessor: "Have backups ever been lost or accessed without authorization?"

What works: "Once, two years ago. A backup tape was lost during transport to an archive facility. The tape was encrypted so even if someone found it, they couldn't access the data. We reported the incident and improved our tape tracking procedures." [Pull up incident report and remediation]

Assessor: "How do you dispose of old backups?"

What works: "Cloud backups are automatically deleted when the retention period expires. Physical tapes, if we have any, are returned to the vendor for destruction. We obtain a destruction certificate for each tape. Here are our destruction certificates from the past year." [Pull up certificates]

Common failures

Why Companies Fail MP.L2-3.8.9

  • Backups are not encrypted. Cloud backups exist but encryption is not enabled. Assessor asks how backups are protected and finds no encryption. Immediate failure.
  • Anyone can restore a backup. Access to the backup system is not controlled. A junior IT staff member can restore any backup without approval. This violates access controls.
  • No one knows if backups are working. The company pays for backups but never verifies they're successful. No one monitors backup reports. When a disaster occurs, backups don't work.
  • Backups are kept forever. There's no retention schedule. Backups from 10 years ago are still in the archive. When data is breached, the exposure is worse because old backups contain old data.
  • Physical backups are not sanitized. Backup tapes are decommissioned and thrown away without wiping or destruction certificates. Someone finds a tape in the trash with unencrypted data.
  • Restore requests are not logged. No one tracks who restores what, when, or why. If a backup is accessed inappropriately, there's no audit trail.
  • Encryption key is not managed. Backups are encrypted but the encryption key is not managed separately from the backup. If the backup is lost, the key is lost too.

How to Pass MP.L2-3.8.9

  • Choose cloud backup. Azure Backup or AWS Backup handle encryption, access control, and retention automatically. Document your configuration and you're done.
  • Enable encryption. Whatever backup system you use, encryption at rest is non-negotiable. Enable it and document it.
  • Restrict access. Only designated staff can perform restore operations. Require approval and multi-factor authentication. Log all restore requests.
  • Test monthly. Pick one system and do a test restore monthly. Document the results. This proves backups work and are restorable.
  • Set retention schedule. Define how long you keep daily, weekly, and monthly backups. Delete old backups on schedule. Document the schedule.
  • Monitor success. Set up alerts for failed backups. Review backup reports weekly or monthly. If a backup fails, fix it immediately.
  • Manage destruction. When backups reach end-of-life, encrypt them, sanitize them, or get a destruction certificate. Don't just delete them and hope.
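
Three of the items above (restrict access, log all restore requests, monitor success) and the matching entries under "Why Companies Fail" come down to reading the backup audit trail regularly. The script below is an added example, not the page's own code and not any vendor's log schema: it parses a constructed set of key=value audit lines, checks every restore against the policy stated on this page (only designated accounts execute restores, MFA and an approval reference are required, any failed or denied attempt opens an investigation) and lists backup jobs that did not complete successfully. The account names, job names and log format are assumptions; adapt the parser to the export format of your backup platform.

```python
"""Restore-log and backup-success review over constructed audit lines.

Added example. The log format, account names and job names are
assumptions of this example, not real vendor output.
"""
import re

# Accounts permitted to execute restores (hypothetical names).
AUTHORIZED_RESTORERS = {"ciso", "backup-admin"}

# Constructed audit lines, one event per line (not real data).
SAMPLE_LOG = """\
2025-06-29T02:00:11Z op=backup job=fileserver-daily result=success
2025-06-29T02:00:12Z op=backup job=sql-daily result=failed error=snapshot_timeout
2025-06-29T09:14:02Z op=restore actor=backup-admin target=test-vm mfa=yes approval=CHG-1042 result=success
2025-06-29T11:30:45Z op=restore actor=jr-tech target=fileserver mfa=no approval= result=success
2025-06-29T13:05:09Z op=restore actor=dba-02 target=sql-prod mfa=yes approval=CHG-1043 result=denied
2025-06-29T15:22:33Z op=restore actor=ciso target=sql-prod mfa=yes approval= result=success
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line: str) -> dict:
    """Split 'timestamp k=v k=v ...' into a dict; an empty value becomes ''."""
    timestamp, _, rest = line.partition(" ")
    event = {"ts": timestamp}
    event.update(FIELD_RE.findall(rest))
    return event


def review_restores(log_text: str) -> list:
    """Return (timestamp, actor, finding) tuples for restore policy violations."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("op") != "restore":
            continue
        actor = ev.get("actor", "")
        if ev.get("result") != "success":
            # Policy on this page: any failed restore attempt is investigated.
            findings.append((ev["ts"], actor, "failed restore attempt: open incident"))
            continue
        if actor not in AUTHORIZED_RESTORERS:
            findings.append((ev["ts"], actor, "restore by unauthorized account"))
        if ev.get("mfa") != "yes":
            findings.append((ev["ts"], actor, "restore without MFA"))
        if not ev.get("approval"):
            findings.append((ev["ts"], actor, "restore without approval reference"))
    return findings


def failed_backup_jobs(log_text: str) -> list:
    """Return names of backup jobs whose result was anything other than success."""
    failed = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("op") == "backup" and ev.get("result") != "success":
            failed.append(ev.get("job", "?"))
    return failed


if __name__ == "__main__":
    for ts, actor, finding in review_restores(SAMPLE_LOG):
        print(f"{ts} {actor}: {finding}")
    print("failed backup jobs:", failed_backup_jobs(SAMPLE_LOG))
```

On the sample log the review produces five findings: the `jr-tech` restore trips all three access checks, the denied `dba-02` attempt is routed to incident handling, and the `ciso` restore is flagged for the missing approval reference even though the account is authorized. The `sql-daily` job failure is the kind of result that should raise an alert the same day rather than surface at the next monthly review.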

If you use an MSP/MSSP

Backup Protection with Managed Service Providers

If your MSP manages backups, require them to provide monthly reports showing backup success, encryption, access controls, and retention. Confirm they have the same encryption standards you require (AES-256 minimum). Verify that restore requests require your approval. Request a copy of their backup procedures and verify they meet NIST SP 800-171 standards. Include backup protection in your SLA and incident response agreement. If a backup is ever lost or accessed without authorization, your MSP must notify you within 24 hours. Do not assume backups are secure just because they're managed by someone else. Verify through documentation and testing that backups meet your security requirements.


Disclaimer: This guide is for educational purposes. CMMC Level 2 assessments are conducted by Authorized C3PAO partners. Consult the official NIST SP 800-171 standard and your assessor for definitive requirements.
