CMMC Practice Requirement:

Regularly perform complete and comprehensive data back-ups and store them off-site and offline.

CMMC Requirement Explanation:

Backups are important because they allow you to recover from security incidents and system failures.

Example CMMC Implementation:

Identify key systems in your organization, such as your file server and Active Directory server. Create a backup policy defining the types of backups you perform (e.g., weekly full system backups and daily incremental backups). Back up your key systems in accordance with your backup policy. You must keep full system backups of key systems. You must also ensure that you have at least one offline backup of each of your key systems and keep a copy at an off-site location. There are companies that offer off-site backup storage services.


- Scenario 1:

You have a backup policy requiring that key systems are backed up. Your policy requires daily incremental backups and weekly full backups. It also requires that you keep two offline backups. One stays at your facility and the other is sent to an off-site storage site.
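One way to check a backup inventory against the Scenario 1 policy, as an added example that is not part of the original page. The catalog format, host names, dates and the 7-day and 1-day thresholds are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Backup:
    system: str
    kind: str       # "full" or "incremental"
    taken: date
    offline: bool   # True if the media is disconnected from any network
    location: str   # "on-site" or "off-site"

def audit(catalog, systems, today):
    """Return {system: [policy gaps]}; an empty list means compliant."""
    report = {}
    for system in systems:
        own = [b for b in catalog if b.system == system]
        fulls = [b for b in own if b.kind == "full"]
        gaps = []
        if not any(today - b.taken <= timedelta(days=7) for b in fulls):
            gaps.append("no full backup in the last 7 days")
        # Assumption: a full backup also satisfies that day's daily run.
        if not any(today - b.taken <= timedelta(days=1) for b in own):
            gaps.append("no backup in the last day")
        # Assumption: the two offline copies must be full backups.
        offline = [b for b in fulls if b.offline]
        if len(offline) < 2:
            gaps.append("fewer than two offline backups")
        for place in ("on-site", "off-site"):
            if not any(b.location == place for b in offline):
                gaps.append(f"no offline backup stored {place}")
        report[system] = gaps
    return report

# Constructed sample catalog (hypothetical hosts and dates).
TODAY = date(2024, 3, 15)
CATALOG = [
    Backup("fileserver", "full", date(2024, 3, 10), True, "on-site"),
    Backup("fileserver", "full", date(2024, 3, 10), True, "off-site"),
    Backup("fileserver", "incremental", date(2024, 3, 14), False, "on-site"),
    Backup("dc01", "full", date(2024, 3, 1), True, "on-site"),
    Backup("dc01", "incremental", date(2024, 3, 12), False, "on-site"),
]

if __name__ == "__main__":
    for system, gaps in audit(CATALOG, ["fileserver", "dc01"], TODAY).items():
        print(system, "OK" if not gaps else "; ".join(gaps))
```

A key system with no catalog entries at all reports every gap, so a server that was never enrolled in the backup job is flagged instead of silently passing.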
