CMMC RE.2.138 - Protect CUI at Storage Locations

Requirement text: RE.2.138: Protect the confidentiality of backup CUI at storage locations.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Organizations can employ cryptographic mechanisms or alternative physical controls to protect the confidentiality of backup information at designated storage locations. Backed-up information containing CUI may include system-level information and user-level information. System-level information includes system-state information, operating system software, application software, and licenses. User-level information includes information other than system-level information.

CMMC CLARIFICATION
You protect the confidentiality of information to ensure that it remains private and
unchanged. Methods to ensure confidentiality may include:
      • encrypting files;
      • managing who has access to the information;
      • physically securing devices and media that contain CUI; and
      • managing the use of information.

Storage locations for information are varied, and may include:
      • external hard drives;
      • USB flash drives;
      • disc media (e.g., CD, DVD, Blu-Ray);
      • Network Attached Storage (NAS);
      • cloud backup; and
      • FTP, FTP Secure, SFTP.

Example
You are in charge of protecting CUI for the company. You need to protect the confidentiality
of backup data. You encrypt all your CUI data as it is saved on an external hard drive. Only
people who are on the contract can access the hard drive. You secure the external hard drive
in a physical location accessible only to people with permission.
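One practical check for this requirement is to audit the backup storage location itself and flag anything that does not look like ciphertext, so that an unencrypted export or archive copied alongside the encrypted backups is caught before an assessor or an attacker finds it. The script below is an added example and is not part of the CMMC or NIST text; it uses only the Python standard library, and the entropy threshold, the magic-byte table and the three sample files it constructs are illustrative assumptions rather than values from either source.

```python
# Added example: audit a backup storage location for files that do not look
# encrypted. Stdlib only; the entropy threshold and the magic-byte table are
# illustrative assumptions, not values taken from CMMC or NIST SP 800-171.
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Leading bytes of common unencrypted container/document formats. A properly
# encrypted backup should not start with any of these.
KNOWN_PLAINTEXT_MAGIC = {
    b"PK\x03\x04": "zip archive",
    b"%PDF": "PDF document",
    b"\x1f\x8b": "gzip stream",
    b"SQLite format 3\x00": "SQLite database",
    b"\xd0\xcf\x11\xe0": "legacy MS Office document",
}

# Shannon entropy (bits per byte) below which data is treated as not ciphertext.
# Random or encrypted bytes score close to 8.0; English text scores about 4-5.
ENTROPY_THRESHOLD = 7.5
SAMPLE_SIZE = 64 * 1024


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given sample."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path) -> tuple[str, str]:
    """Return (verdict, reason) for one file at the backup location.

    verdict is 'plaintext' (recognised unencrypted format), 'suspect'
    (low entropy, e.g. text or CSV) or 'likely-encrypted' (high entropy).
    Compressed data is also high-entropy, which is why the magic-byte check
    runs first; entropy alone is evidence of encryption, not proof.
    """
    with open(path, "rb") as f:
        head = f.read(SAMPLE_SIZE)
    for magic, name in KNOWN_PLAINTEXT_MAGIC.items():
        if head.startswith(magic):
            return "plaintext", name
    ent = shannon_entropy(head)
    if ent < ENTROPY_THRESHOLD:
        return "suspect", f"entropy {ent:.2f} bits/byte"
    return "likely-encrypted", f"entropy {ent:.2f} bits/byte"


def audit_backup_location(root: Path) -> dict[str, tuple[str, str]]:
    """Classify every file under root; keys are paths relative to root."""
    root = Path(root)
    return {
        str(p.relative_to(root)): classify_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def build_sample_location(root: Path) -> None:
    """Write three constructed files standing in for backup artifacts."""
    root = Path(root)
    # Constructed: an unencrypted export of contract records (low entropy).
    (root / "contracts.csv").write_bytes(
        b"contract_id,marking,owner\n" + b"C-0001,CUI,alice\n" * 200
    )
    # Constructed: an unencrypted zip archive header followed by filler.
    (root / "site.zip").write_bytes(b"PK\x03\x04" + b"\x00" * 1000)
    # Constructed: random bytes standing in for a ciphertext blob.
    (root / "backup-2024-01-01.enc").write_bytes(os.urandom(SAMPLE_SIZE))


def demo() -> dict[str, tuple[str, str]]:
    """Build the sample location in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_location(Path(tmp))
        return audit_backup_location(Path(tmp))


if __name__ == "__main__":
    for name, (verdict, reason) in demo().items():
        print(f"{verdict:17} {name:25} {reason}")
```

Point `audit_backup_location` at the mounted external drive, NAS share or synced cloud folder to get a verdict per file; anything reported as `plaintext` or `suspect` is a candidate for re-encryption or removal. The check complements, rather than replaces, the access and physical controls listed above: it confirms the cryptographic control was actually applied to what ended up at the storage location.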

References
• NIST SP 800-171 Rev 1 3.8.9
• CERT RMM v1.2 MON:SG2.SP4
• NIST 800-53 Rev 4 CP-9