03.08.09: System Backup – Cryptographic Protection

Control Family: Media Protection

SPRS: N/A

Top Ten Failed Requirement: N/A

Supporting Publications:

  • SP 800-34 [52]

  • SP 800-130 [53]

  • SP 800-152 [54]

Referenced in: N/A

Control Type: N/A

CPCSC Level 2: 03.08.09

CMMC Level(s): N/A

Derived From: NIST SP 800-53r5

  • CP-09

  • CP-09(08)

a. Protect the confidentiality of backup information.

b. Implement cryptographic mechanisms to prevent the unauthorized disclosure of CUI at backup storage locations.

Discussion:

The selection of cryptographic mechanisms is based on the need to protect the confidentiality of backup information. Hardware security module (HSM) devices safeguard and manage cryptographic keys and provide cryptographic processing. Cryptographic operations (e.g., encryption, decryption, and signature generation and verification) are typically hosted on the HSM device, and many implementations provide hardware-accelerated mechanisms for cryptographic operations. This requirement is related to 03.13.11.

Assessment Methods and Objectives

Examine [SELECT FROM: contingency planning policy and procedures; procedures for system backup; contingency plan; system design documentation; system configuration settings; system security plan; other relevant documents or records]

Interview [SELECT FROM: personnel with system backup responsibilities; personnel with information security responsibilities]

Test [SELECT FROM: mechanisms for supporting or implementing the cryptographic protection of backup information]

NIST SP 800-171A r3 Determining Statements

Determine if:

A.03.08.09.a: the confidentiality of backup information is protected.

A.03.08.09.b: cryptographic mechanisms are implemented to prevent the unauthorized disclosure of CUI at backup storage locations.