Organizations can employ cryptographic mechanisms or alternative physical controls to protect the confidentiality of backup information at designated storage locations. Backed-up information containing CUI may include system-level information and user-level information. System-level information includes system-state information, operating system software, application software, and licenses. User-level information includes information other than system-level information.

Priority: High  

Category: Business Continuity 

Services Associated with AWS:   

  • AWS Backup, AWS S3 (Amazon Simple Storage Service), AWS KMS (Key Management Service)

Objective Evidence:   

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate how backups are performed
  • Technical: screenshot of backup configurations (cryptography in use) 

Possible Technology Considerations:

  • Backup Solution
  • Business Continuity / Disaster Recovery (BC/DR) 

What needs to be answered:

Are data backups encrypted on media before removal from the company’s secured facility? Is the confidentiality and integrity of backup information protected at the storage location?

  • Confidentiality Protection for Backup CUI at Storage Locations
    Description: This check ensures that organizations have implemented measures to protect the confidentiality of backup Controlled Unclassified Information (CUI) at designated storage locations. Backup information may include system-level and user-level data, and safeguarding its confidentiality is essential to prevent unauthorized access or disclosure.

More Details:   

Backup CUI is stored in secure systems with controlled access.