3.8.9 has a weight of -1 points

(Media Protection Family) 9/9

Protect the confidentiality of backup CUI at storage locations.

Example of System Security Plan (SSP):

    System Security Plan (SSP) for Data Backup and Encryption

    1. Control Identifier: 3.8.9

    This control is implemented. All cloud-based digital CUI is read-protected, allowing access only to those who are authorized on a need to know basis.

    2. Purpose:
    To ensure the confidentiality, integrity, and availability of all backup data, particularly containing Controlled Unclassified Information (CUI), by using secure, compliant, and encrypted backup methods and practices.

    3. Control Description:
    Our organization has adopted strict measures to guarantee that backup data, particularly CUI, remains protected at all times. This encompasses encryption during transit and at rest, naming conventions that obscure the nature of the content, and stringent access controls.

    4. Implemented Measures:

    4.1 Secure Backup Processes:

    • All data is backed up via secure, compliant methods, ensuring data availability and integrity.
    • Backup data, including system and user-level information, is stored in alternative physical locations to provide redundancy and protection against localized incidents.

    4.2 Encryption Measures:

    • All backup data is fully encrypted during both transit and storage phases.
    • Encryption methods adhere to industry best practices and use symmetric (secret-key) encryption; the keys are managed and stored separately from the backup data so that possession of a backup object alone does not expose CUI.

    4.3 Naming Conventions:

    • We employ non-specific naming conventions for backup files to obfuscate the content and purpose of the backups.
    • This approach ensures that names like “super secret department of defense project backup” are avoided.

    4.4 Access Control:

    • Access to all backup data requires authentication (password protection at a minimum), so that possession of a backup copy alone does not grant access to its contents.
    • All cloud-based digital CUI backups are read-protected and limited to individuals who have a justified need for access.

    4.5 Cryptographic and Physical Security:

    • Cryptographic mechanisms are in place for backup information at designated storage locations.
    • In situations where cryptographic solutions might not be feasible, alternative physical controls are employed to secure backup data.

    4.6 Data Types in Backup:
    Backup data encompasses:

    • System-level information: System state, operating system software, application software, licenses.
    • User-level information: All data other than the system-level information, ensuring comprehensive backup of all necessary data.
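
    As an added example (not part of the page's SSP or POA&M, and not any vendor's product code), the Go program below shows the mechanics behind sections 4.2, 4.3 and 4.5 and the spot check behind POA&M item 2: a backup archive is sealed with AES-256-GCM under a key that is generated and held apart from the object, the object gets a non-descriptive name that carries only a date and a random identifier, the name is bound to the ciphertext so a copied object fails to open under a different name, and an audit routine flags objects that still look like plaintext archives (gzip/zip/tar signatures or low byte entropy). The object layout, function names, the 7.5 bits/byte threshold and the sample archive are this example's own assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"math"
	"time"
)

// Object layout used by this example (assumed format, not a standard):
//   "CUIBK1" | 12-byte GCM nonce | AES-256-GCM ciphertext || 16-byte tag
const objectMagic = "CUIBK1"

// NewBackupKey returns a fresh 256-bit key. Per the SSP the key is managed
// separately (KMS, HSM, offline vault) and is never stored beside the object.
func NewBackupKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// OpaqueName builds a non-descriptive object name (SSP 4.3): a UTC date for
// retention handling plus a random identifier, no project or system name.
func OpaqueName(t time.Time) (string, error) {
	id := make([]byte, 8)
	if _, err := rand.Read(id); err != nil {
		return "", err
	}
	return fmt.Sprintf("%s-%s.bin", t.UTC().Format("20060102"), hex.EncodeToString(id)), nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealBackup encrypts a backup archive with AES-256-GCM (SSP 4.2/4.5). The object
// name is bound as associated data, so a ciphertext copied under another name
// fails authentication instead of decrypting silently.
func SealBackup(key []byte, name string, archive []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append([]byte(objectMagic), nonce...)
	return gcm.Seal(out, nonce, archive, []byte(name)), nil
}

// OpenBackup reverses SealBackup; any change to nonce, ciphertext, tag or name
// yields an error rather than corrupted plaintext.
func OpenBackup(key []byte, name string, obj []byte) ([]byte, error) {
	if !bytes.HasPrefix(obj, []byte(objectMagic)) {
		return nil, errors.New("object is not in the expected encrypted format")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	hdr := len(objectMagic) + gcm.NonceSize()
	if len(obj) < hdr+gcm.Overhead() {
		return nil, errors.New("object truncated")
	}
	return gcm.Open(nil, obj[len(objectMagic):hdr], obj[hdr:], []byte(name))
}

// AuditObject is the spot check behind POA&M item 2 (audit encryption at rest):
// it flags objects carrying a plaintext archive signature or whose byte entropy
// is far below what ciphertext shows. Returns (encrypted, reason).
func AuditObject(obj []byte) (bool, string) {
	switch {
	case bytes.HasPrefix(obj, []byte{0x1f, 0x8b}):
		return false, "gzip header: plaintext archive"
	case bytes.HasPrefix(obj, []byte("PK\x03\x04")):
		return false, "zip header: plaintext archive"
	case len(obj) > 262 && string(obj[257:262]) == "ustar":
		return false, "tar header: plaintext archive"
	}
	sample := obj
	if len(sample) > 4096 {
		sample = sample[:4096] // enough bytes for a meaningful entropy estimate
	}
	if h := shannonBits(sample); len(sample) >= 1024 && h < 7.5 {
		return false, fmt.Sprintf("low entropy (%.2f bits/byte)", h)
	}
	return true, "no plaintext signature; entropy consistent with ciphertext"
}

func shannonBits(b []byte) float64 {
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	var h float64
	for _, n := range counts {
		if n > 0 {
			p := float64(n) / float64(len(b))
			h -= p * math.Log2(p)
		}
	}
	return h
}

func main() {
	key, _ := NewBackupKey()
	name, _ := OpaqueName(time.Now())
	// Constructed stand-in for a backup archive: repetitive text, low entropy.
	archive := bytes.Repeat([]byte("user-level record; "), 300)
	obj, _ := SealBackup(key, name, archive)
	ok, why := AuditObject(obj)
	fmt.Printf("%s: %d bytes, encrypted=%v (%s)\n", name, len(obj), ok, why)
}
```

    The entropy test is deliberately skipped for objects under 1 KiB, because a short random string cannot reach 8 bits/byte and would be a false positive; for those, the format header and a successful authenticated decryption with the separately held key are the evidence the auditor records.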

    5. Policy Review:
    This SSP will be reviewed annually or as deemed necessary by the organization’s management. Feedback from IT and cybersecurity teams will inform updates to ensure compliance and optimal security.


    Example of Plan of Action and Milestones (POA&M):

    Plan of Action & Milestones (POA&M) for Control 3.8.9

    Title: Protect the Confidentiality of Backup CUI at Storage Locations.

    Milestones and Actions:

    1 Secure Backup Processes:

    • Action: Review and validate all current data backup methods.
    • Status: [Open/In Progress/Closed]
    • Responsible Entity: IT Department
    • Estimated Completion Date: [Insert Date]

    2 Encryption Measures:

    • Action: Audit encryption practices for backup data, both during transit and at rest.
    • Status: [Open/In Progress/Closed]
    • Responsible Entity: Cybersecurity Team
    • Estimated Completion Date: [Insert Date]

    3 Naming Conventions:

    • Action: Conduct a review of current naming conventions and implement changes if necessary.
    • Status: [Open/In Progress/Closed]
    • Responsible Entity: Data Management Team
    • Estimated Completion Date: [Insert Date]

    4 Access Control:

    • Action: Evaluate access controls for all backup data and tighten controls where necessary.
    • Status: [Open/In Progress/Closed]
    • Responsible Entity: Access Control Team
    • Estimated Completion Date: [Insert Date]

    5 Cryptographic and Physical Security:

    • Action: Assess the effectiveness of cryptographic mechanisms and the robustness of physical controls at storage locations.
    • Status: [Open/In Progress/Closed]
    • Responsible Entity: Security Team
    • Estimated Completion Date: [Insert Date]

    6 Data Types in Backup:

    • Action: Verify that all necessary data types (system-level and user-level) are being backed up consistently.
    • Status: [Open/In Progress/Closed]
    • Responsible Entity: IT Department
    • Estimated Completion Date: [Insert Date]

    Progress Monitoring:
    Progress against this POA&M will be reviewed on a [quarterly/monthly] basis. Adjustments to actions, responsibilities, and timelines will be made as necessary based on findings and changes in the environment.

    Sign-off:
    [Responsible Officer’s Name]
    [Responsible Officer’s Title]
    [Date]

    RELEVANT INFORMATION:

    Organizations can employ cryptographic mechanisms or alternative physical controls to protect the confidentiality of backup information at designated storage locations. Backed-up information containing CUI may include system-level information and user-level information. System-level information includes system-state information, operating system software, application software, and licenses. User-level information includes information other than system-level information.

    Resources to consider:

    Security Policy Document:

    This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

    Asset Inventory and Access Control Sheet:

    Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

    User Account Management Log:

    Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

    Password and Multi-Factor Authentication Policy:

    Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

    Process and Script Accountability Log:

    Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

    Device Access Control and VPN Policy:

    Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

    Access Control Review and Monitoring Schedule:

    Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

    User Training and Awareness Materials:

    Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.