What is NIST 800-171 Control 3.8.9?
This control ensures that backups—whether stored locally, offsite, or in the cloud—are protected to preserve the confidentiality of CUI. This includes:
• On-premise backup servers or tapes
• Cloud-based backup services
• Third-party data centers
Backups often contain complete system snapshots, which can expose large volumes of CUI if not protected properly.
Why It Matters
If an attacker gains access to unprotected backups, they can:
• Bypass primary defenses by accessing archived data
• Recover deleted or encrypted CUI
• Leak sensitive files long after they were “secured” elsewhere
Backup storage is a frequent blind spot—this control ensures it’s covered.
How to Implement It
• Encrypt backups using FIPS-validated methods
• Restrict access to backup storage with role-based permissions
• Store backups in physically secure environments (locked rooms, secure data centers)
• If cloud-based, use providers that meet FedRAMP or equivalent standards
• Monitor access to backups and perform regular security audits
Common Mistakes
• Backing up CUI to unencrypted external drives or cloud services
• Assuming cloud backup vendors encrypt by default
• Leaving backup tapes in unsecured locations or vehicles
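A first-pass check for two of the points above (access restricted to the owner, and backups that are plainly unencrypted), as an added example that is not part of the original page or of Cuick Trac's product. The function names, the signature list and the sample files are assumptions constructed for illustration. A file that passes is not thereby shown to use FIPS-validated encryption; the check only catches backups that are clearly plaintext or over-exposed.

```python
import os
import stat
import tempfile
# Leading bytes of common unencrypted archive formats (heuristic, not exhaustive).
# Encrypted ZIPs share the "PK" header, so a zip hit means "review", not proof.
PLAINTEXT_MAGIC = {b"\x1f\x8b": "gzip", b"PK\x03\x04": "zip", b"BZh": "bzip2",
                   b"\xfd7zXZ\x00": "xz", b"\x28\xb5\x2f\xfd": "zstd"}

def plaintext_format(path):
    """Return the format name if the file starts like a plaintext archive, else None."""
    with open(path, "rb") as fh:
        head = fh.read(512)
    for magic, name in PLAINTEXT_MAGIC.items():
        if head.startswith(magic):
            return name
    return "tar" if head[257:262] == b"ustar" else None  # tar magic sits at offset 257

def audit_backups(root):
    """Walk a backup directory; return {relative_path: [findings]} for flagged files."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):  # skip symlinks, sockets, devices
                continue
            issues = []
            mode = stat.S_IMODE(st.st_mode)
            if mode & 0o077:  # any group or other permission bit set
                issues.append(f"group/other access (mode {mode:04o})")
            fmt = plaintext_format(path)
            if fmt:
                issues.append(f"plaintext {fmt} archive")
            if issues:
                findings[os.path.relpath(path, root)] = issues
    return findings

def demo():
    """Constructed sample tree: a world-readable gzip and an owner-only opaque blob."""
    samples = {"nightly.tar.gz": (b"\x1f\x8b\x08\x00" + bytes(60), 0o644),
               "nightly.tar.enc": (bytes(range(128, 192)), 0o600)}
    with tempfile.TemporaryDirectory() as root:
        for name, (data, mode) in samples.items():
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(data)
            os.chmod(path, mode)
        return audit_backups(root)
if __name__ == "__main__":
    print(demo())
```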
How Cuick Trac Helps
Cuick Trac ensures backup confidentiality by:
• Encrypting all backups of CUI within the secure enclave
• Offering integration guidance for compliant offsite and cloud-based backups
• Providing audit-ready documentation of backup protection measures
• Helping organizations implement end-to-end data protection, even beyond production systems
With Cuick Trac, your backups are secured—not just stored.
If it’s in your backup, it needs protection. Out of sight doesn’t mean out of scope.
Schedule a Cuick Trac demo and secure your CUI from front-end to fallback.