CMMC Practice Requirement:

Protect the confidentiality of backup “Controlled Unclassified Information” (CUI) at storage locations.

CMMC Requirement Explanation:

Backups containing “Controlled Unclassified Information” (CUI) must stored on an encrypted drive or location to prevent unauthorized access.

Example CMMC Implementation:

Encrypt the digital media where you store backups containing “Controlled Unclassified Information” (CUI). Store these backups in a physically secure location (e.g. a locked room or container). Only allow authorized persons access to your backups.


- Scenario 1:

Your company has a file server containing “Controlled Unclassified Information” (CUI). Because it contains “Controlled Unclassified Information” (CUI) you ensure that backups of the system are saved to an encrypted drive. You keep all backups in a locked room.

Discover Our NIST SP 800-171 Solutions:


Compliance Accelerator

For contractors seeking compliance

Quantum Assessor

For IT service providers

Supply Chain Verifier

For contractors seeking to verify partner compliance