Level 2


Organizations can employ cryptographic mechanisms or alternative physical controls to protect the confidentiality of backup information at designated storage locations. Backed-up information containing CUI may include system-level information and user-level information. System-level information includes system-state information, operating system software, application software, and licenses. User-level information includes information other than system-level information.

Priority: High


Category: Business Continuity

Services Associated with AWS:

  • AWS Backup
  • Amazon S3 (Amazon Simple Storage Service)
  • AWS KMS (Key Management Service)

Services Associated with Azure: 

  • Azure Backup
  • Azure Storage  
  • Azure Key Vault

Objective Evidence:

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate how backups are performed
  • Technical: screenshot of backup configurations (cryptography in use) 

Possible Technology Considerations:

  • Backup Solution
  • Business Continuity / Disaster Recovery (BC/DR) 

What needs to be answered:

Are data backups encrypted on media before removal from the company's secured facility? Are the confidentiality and integrity of backup information protected at the storage location?

Checks for AWS:

  • Confidentiality Protection for Backup CUI at Storage Locations
    Description: This check ensures that organizations have implemented measures to protect the confidentiality of backup Controlled Unclassified Information (CUI) at designated storage locations. Backup information may include system-level and user-level data, and safeguarding its confidentiality is essential to prevent unauthorized access or disclosure.
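As an added example (not part of the control text or of AWS tooling), the following Python scores constructed records shaped like `aws backup list-backup-vaults` and `aws s3api get-bucket-encryption` output against this check: every vault should be encrypted with a KMS key and locked, and every backup bucket should default to SSE-KMS. The account id, the sample vault and bucket names, and the rule that keys must be customer-managed keys in the organization's own account are assumptions.

```python
# Added example: all records below are constructed; "keys must be CMKs in ORG_ACCOUNT" is an assumed policy.
ORG_ACCOUNT = "111122223333"  # constructed account id
CMK = f"arn:aws:kms:us-east-1:{ORG_ACCOUNT}:key/11111111-2222-3333-4444-555555555555"
OTHER_KEY = "arn:aws:kms:us-east-1:444455556666:key/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
# Constructed sample shaped like the BackupVaultList field of `aws backup list-backup-vaults`.
BACKUP_VAULTS = [
    {"BackupVaultName": "cui-vault", "EncryptionKeyArn": CMK, "Locked": True},
    {"BackupVaultName": "scratch-vault", "EncryptionKeyArn": OTHER_KEY, "Locked": False},
    {"BackupVaultName": "legacy-vault", "Locked": False},  # no key recorded
]
# Constructed sample: bucket -> ServerSideEncryptionConfiguration; None models a bucket with no default SSE.
BUCKET_ENCRYPTION = {
    "cui-backups": {"Rules": [{"ApplyServerSideEncryptionByDefault":
                               {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": CMK}}]},
    "exports": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
    "unencrypted-dump": None,
}

def key_in_org(key_ref):
    # Only a full key ARN in our account passes; aliases/bare key ids would need describe-key to resolve.
    parts = key_ref.split(":")
    return len(parts) == 6 and parts[2] == "kms" and parts[4] == ORG_ACCOUNT

def vault_findings(vault):
    findings = []
    key = vault.get("EncryptionKeyArn")
    if not key:
        findings.append("no KMS key recorded for vault")
    elif not key_in_org(key):
        findings.append("vault key is not a customer-managed key in our account")
    if not vault.get("Locked"):  # Vault Lock covers the integrity half of the question
        findings.append("Vault Lock not enabled")
    return findings

def bucket_findings(sse_config):
    if sse_config is None:
        return ["no default encryption configured"]
    findings = []
    for rule in sse_config.get("Rules", []):
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        if default.get("SSEAlgorithm") != "aws:kms":
            findings.append(f"default SSE is {default.get('SSEAlgorithm')}, not SSE-KMS")
        elif not key_in_org(default.get("KMSMasterKeyID", "")):
            findings.append("bucket KMS key is not in our account")
    return findings

def assess(vaults, buckets):
    # Name -> list of findings; an empty list is a pass and the record itself is the evidence.
    report = {v["BackupVaultName"]: vault_findings(v) for v in vaults}
    report.update({name: bucket_findings(cfg) for name, cfg in buckets.items()})
    return report
```

Calling `assess(BACKUP_VAULTS, BUCKET_ENCRYPTION)` returns one entry per vault and bucket; the passing entries, together with the raw API output they were derived from, are the kind of technical evidence this control asks for.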

Checks for Azure:

  • Data Backup Encryption at Storage:
    Description: This check ensures that data backups containing Controlled Unclassified Information (CUI) are encrypted before removal from the secured facility. Azure provides encryption options for backup data, and this policy ensures that encryption is enabled to protect the confidentiality of the data during transportation and storage. Objective: To protect CUI from unauthorized access and disclosure while in transit and at rest in storage.

  • Backup Data Confidentiality and Integrity at Storage:
    Description: This check verifies that the confidentiality and integrity of backup information, including both system-level and user-level data containing CUI, are protected at the designated storage location. It ensures that appropriate access controls, encryption, and monitoring mechanisms are in place to prevent unauthorized access or tampering with backup data. Objective: To maintain the confidentiality of CUI and ensure the data's integrity, minimizing the risk of data breaches or data corruption.

  • Backup Solution Compliance with Business Continuity and Disaster Recovery (BC/DR):
    Description: This check assesses whether the chosen backup solution complies with the organization's Business Continuity and Disaster Recovery (BC/DR) policies and requirements. It verifies that the backup solution adequately addresses data protection, recovery, and continuity needs, especially for data containing CUI. Objective: To ensure that data backups are part of a comprehensive BC/DR strategy, enabling the organization to recover critical data in case of a disaster or data loss event.

  • Key Vault Integration for Backup Encryption:
    Description: This check confirms that Azure Key Vault (Azure's key management service) is integrated with the backup solution to manage encryption keys securely. It ensures that encryption keys used to protect backup data are centrally managed and protected by Key Vault, reducing the risk of unauthorized access to the keys. Objective: To centralize and secure the management of encryption keys used for protecting backup data, enhancing overall data security.

More Details:

Backup CUI stored in secure systems with controlled access.