Backup Architecture Assessment Scope // 10 MIN READ

CMMC Backups: When Backup Repositories, Replicas, and Recovery Media Become In Scope

Backups Are Systems. Assessors Treat Them That Way.

Backup architecture is one of the most common gray areas in CMMC scoping. Contractors assume that because backups are "just copies," they sit outside the assessment boundary. They do not. Every backup that contains CUI is a system that stores CUI — and every system that stores CUI is in scope.

Why Backups Are Not "Just Copies"

The instinct to exclude backups from CMMC scope comes from a reasonable-sounding premise: a backup is an inert archive. Nobody works in it. Nobody reads from it. It exists only for disaster recovery. It should be outside the assessment boundary because no user interacts with it during normal operations.

That premise is wrong — and the reason it is wrong goes back to the definition of scope itself.

NIST SP 800-171 does not limit scope to systems where users actively work. It applies to any system that stores, processes, or transmits CUI. A backup repository that holds a copy of a CUI database stores CUI. The backup job that writes to it processes CUI. The network path between the source and the repository transmits CUI. All three verbs are satisfied. The backup infrastructure is in scope.

The DoD CIO scoping guidance reinforces this by categorizing assets into several types — CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, and Specialized Assets. A backup server that holds CUI is a CUI Asset. The network switches that carry backup traffic to it may be Specialized Assets. The SIEM that logs backup events generates Security Protection Data. None of these are out of scope by default.

Contractors who exclude backup infrastructure from their SSP do not reduce their assessment boundary. They create an undocumented system that an assessor will discover — and that discovery turns a scoping question into a finding.

Backup Servers, Repositories, Immutable Storage, Offsite Copies, and Tape

Modern backup architectures are not a single server with a hard drive. They are distributed systems with multiple tiers, retention policies, and replication targets — each of which has its own scope implications.

01

Backup Server (Management Console)

The server running the backup software — Veeam, Commvault, Datto, Acronis, or Windows Server Backup. This system orchestrates backup jobs, holds metadata about every protected source, and typically has administrative access to every system it backs up. It is a high-value asset in scope: it processes CUI during every backup job and holds credentials to CUI-containing systems.

02

Primary Backup Repository

The storage target where backup data lands first — a NAS, SAN, local disk, or cloud object store. If the source system contains CUI, this repository stores CUI. The repository must be protected with the same access controls, encryption, and monitoring as any other CUI data store. It is not a lesser class of storage because it holds "copies."

03

Immutable / WORM Storage

Immutable backup tiers — write-once-read-many (WORM) repositories or object lock configurations in cloud storage — are increasingly common for ransomware resilience. Immutability does not change the scope classification. The data is still CUI. The storage system still stores it. The fact that it cannot be modified does not remove it from the assessment boundary. If anything, immutable storage increases the retention period and the duration the CUI remains in scope.

04

Offsite / Cloud Replicas

Backup replication to an offsite location — a secondary data center, a colocation facility, or a cloud provider — extends the scope boundary to that location. If the cloud target is not FedRAMP authorized at the appropriate level, storing CUI backup data there violates DFARS 252.204-7012. If the offsite facility is a managed service, the provider becomes an External Service Provider and is subject to shared responsibility documentation.

05

Tape and Removable Media

Tape backups containing CUI are governed by NIST SP 800-171 Media Protection controls (MP.L2-3.8.1 through 3.8.9). Tapes must be encrypted, physically protected, inventoried, and sanitized when no longer needed. Tapes shipped offsite for storage must be transported securely and tracked. The offsite storage facility — even if it is a third-party vault — is in scope as an ESP if it holds CUI media.

Every tier in the backup architecture that holds CUI is a CUI Asset. The path between tiers is a transmission channel. The systems that manage the tiers are processing nodes. Scope follows the data — not the architecture diagram label.

When Encrypted Backups Still Remain in Scope

This is the most persistent misconception in backup scoping for CMMC: "Our backups are encrypted, so the data is protected, so the backup system is out of scope."

Encryption does not remove a system from scope. Encryption is a control — specifically, it satisfies parts of SC.L2-3.13.8 (transmission confidentiality) and SC.L2-3.13.16 (data at rest confidentiality). But the system that holds the encrypted data is still a system that stores CUI. The encryption protects the confidentiality of the data; it does not change the classification of the system.

Common Argument

"The backup is AES-256 encrypted at rest."

The assessor's response: "Good. That helps satisfy 3.13.16. Now show me the access controls on the repository, the audit logs for the backup server, the key management process, and the account that runs the backup agent. All of those are still in scope."

The Reality

Encryption reduces risk. It does not reduce scope.

The backup server, the repository, the encryption key management system, and the admin accounts are all assessable — regardless of whether the data at rest is encrypted. Encryption is one control among 110. The other 109 still apply to the backup infrastructure.

There is one narrow exception: if CUI is encrypted before it reaches the backup system, using a key that the backup system and its administrators do not possess, and the backup system has no ability to decrypt the data, then the argument for excluding the repository from CUI Asset classification becomes stronger. But this architecture is rare in practice. Most backup solutions encrypt data using keys they manage — which means the backup server can decrypt the data, which means the backup server processes CUI, which means the backup server is in scope.

Ask this question: Can anyone with access to the backup infrastructure — the server, the repository, or the key — restore the CUI to a readable state? If the answer is yes, the backup infrastructure stores CUI and is in scope. The encryption is a control applied to an in-scope system, not a mechanism that moves the system out of scope.

Restore Testing and What Assessors Care About

NIST SP 800-171 control CP.L2-3.8.9 requires organizations to protect the confidentiality of backup CUI at storage locations. But the controls do not stop at storage. Assessors also evaluate whether the organization can actually recover from a backup — and whether the recovery process itself maintains CUI protections.

This matters because a restore operation creates a new copy of CUI. The destination of that restore — the server, workstation, or cloud environment where the data is recovered to — must itself be within the assessment boundary and compliant with CUI handling requirements. Restoring CUI to a non-compliant test server for validation is, technically, a CUI spill.

Step 01

Backup Created

CUI backed up to encrypted repository. Source and target in scope.

Step 02

Restore Executed

Data restored to target system. That target must also be in scope and CUI-hardened.

Step 03

Validation & Cleanup

Restore verified. Test data purged from target if restore was for testing only.

Restore testing to a non-compliant environment creates CUI outside the accreditation boundary. If you test restores, the test environment must either be in scope — with all applicable controls — or the test must use sanitized, non-CUI data. Document which approach you use and how CUI is protected or excluded during the test.

What assessors actually look for in restore testing:

  • Restore test logs — dated evidence that restores have been performed within a documented interval (quarterly or semiannually is typical)
  • Restore destination — documentation showing where the restore was written and that the target system is within the CUI boundary, or evidence that non-CUI test data was used
  • Recovery time — not formally scored under CMMC, but assessors may probe whether backup capabilities meet the organization's stated Recovery Time Objective (RTO) and Recovery Point Objective (RPO)
  • Post-test cleanup — evidence that restored CUI data was purged from the test environment after validation, if the test used actual CUI

Backup Admin Accounts and Shared Responsibility

The accounts that manage backup infrastructure are among the most privileged in any environment — and among the most overlooked in CMMC scoping. A backup admin account typically has read access to every protected system, write access to the repository, and the ability to restore data to any destination. That level of access makes backup admin accounts CUI Assets subject to the full range of Access Control, Identification and Authentication, and Audit and Accountability controls.

Account Type Typical Access Scope Implication
Backup service account Reads data from every protected source; writes to repository; may hold encryption keys Highest privilege — full CUI access
Backup admin (human) Configures jobs, manages retention, initiates restores, accesses management console High privilege — can restore CUI to any target
Repository storage admin Manages the underlying storage (NAS, SAN, cloud bucket) where backup data resides Medium — may access raw backup data at storage level
MSP / ESP backup admin External provider managing backups on your behalf — may have full console access remotely Highest risk — extends scope to the ESP
If your MSP manages backups: They are an External Service Provider with access to CUI. Their systems, their personnel, and their controls are part of your shared responsibility model. You must document the boundary between your responsibilities and theirs, and you must be able to produce evidence of their compliance posture — typically through a Customer Responsibility Matrix or a SOC 2 report scoped to the relevant services.

Backup admin accounts should be subject to the same controls as any other privileged account in the CUI environment: multi-factor authentication, least-privilege access, regular access reviews, and audit logging of every action performed. Service accounts should use managed identities or dedicated credentials that are not shared with human users. If the backup solution uses a domain admin account to run its agents — and many small deployments do — that account's access footprint puts the entire domain inside the assessment boundary.

── SECTION 6: ENCLAVES AND BACKUPS ──

How Backup Design Affects Enclave Claims

Many contractors use an enclave architecture to limit their CMMC assessment scope — segmenting CUI into a tightly defined boundary and keeping the rest of the corporate environment out of scope. Backup architecture is where enclave claims most frequently break down.

The enclave only works if CUI stays inside the enclave. The moment a backup job copies CUI from the enclave to a backup server outside the enclave, the CUI has left the boundary — and the backup server is now in scope. If that backup server also backs up non-CUI corporate systems, those systems may themselves be drawn into the assessment boundary as Contractor Risk Managed Assets, depending on the architecture.

Enclave Preserved

Dedicated Backup Infrastructure

The CUI enclave has its own backup server and repository, physically or logically separated from the corporate backup infrastructure. Backup traffic stays within the enclave. The backup server is documented in the SSP as a CUI Asset within the enclave boundary. The corporate backup system is out of scope.

Enclave Broken

Shared Backup Infrastructure

The CUI enclave backs up to the same Veeam server and repository that backs up corporate laptops, HR servers, and the accounting database. That shared backup server now stores CUI alongside non-CUI data. The backup server is in scope — and every system that the backup server has agent access to may be drawn in as well.

The cleanest enclave design includes backup as a first-class consideration — not as an afterthought. If the enclave's backup target is shared with non-enclave systems, the enclave boundary is effectively meaningless for the purposes of scope reduction. The assessor will trace the data flow from CUI source to backup destination, and if that destination is outside the enclave, the enclave claim fails.

The test: Draw a line around your enclave. Now trace every backup job that runs against a system inside that line. Does the backup data land inside the line or outside it? If any backup data crosses the enclave boundary, either move the backup target inside — or accept that the target and everything connected to it is in scope.

Evidence to Retain for Backup-Related Controls

Backup infrastructure intersects with multiple NIST SP 800-171 control families. The evidence requirements are distributed — there is no single "backup control" to satisfy. An assessor will evaluate backup-related evidence across Access Control, Audit, Media Protection, System and Communications Protection, and System and Information Integrity.

Evidence 01 Backup Policy
Documented backup schedule, retention periods, and scope — which systems are backed up, how often, where the data goes, and how long it is retained. Must align with the SSP boundary description.
Evidence 02 Encryption Config
Backup software configuration showing encryption enabled for all CUI backup jobs — algorithm, key length, and confirmation that FIPS-validated cryptographic modules are in use (SC.L2-3.13.11). Key management documentation.
Evidence 03 Access Controls
Backup server and repository access lists showing which accounts have read, write, and admin access. Evidence of MFA on admin accounts. Evidence of least-privilege configuration for service accounts.
Evidence 04 Audit Logs
Backup job logs showing successful and failed jobs. Restore operation logs. Admin login events on the backup console. Retention of these logs for the documented retention period.
Evidence 05 Restore Test Records
Dated records of restore tests — what was restored, where it was restored to, whether the restore succeeded, and how test data was purged afterward. Frequency should match the documented policy.
Evidence 06 Media Protection
For tape or removable media: inventory of all CUI-containing media, storage location, transport logs, sanitization records for retired media (MP.L2-3.8.1 through 3.8.9). For cloud repositories: FedRAMP authorization evidence for the cloud target.
Evidence 07 ESP Documentation
If backups are managed or hosted by an External Service Provider: the shared responsibility matrix, the provider's FedRAMP status or equivalent, and evidence of the provider's compliance with applicable NIST 800-171 controls.
The most common gap: The contractor has backups running reliably but cannot produce a single document describing the backup architecture, the encryption configuration, or the access control model. The backup "just works" — and no one has documented it for the SSP. An assessor cannot score a control as Met based on a system that works but is not documented.

The Bottom Line

Backup infrastructure is not a supporting system that sits quietly outside the assessment boundary. It is a CUI-storing, CUI-processing, CUI-transmitting system that is subject to the same 110 controls as any server, workstation, or cloud service in your environment. The backup server, the repository, the offsite replica, the tape in the vault, the admin account that manages all of it, and the MSP that runs it — all assessable.

Excluding backups from scope does not reduce the assessment boundary. It creates an undocumented system that an assessor will find — and a finding that could have been avoided by treating backup architecture as what it is: a first-class component of your compliance posture.

If your backup system has access to CUI, it is part of your CMMC boundary. Document it in your SSP. Encrypt it with FIPS-validated modules. Restrict access to it with the same rigor you apply to production systems. And when the assessor asks about your backup architecture — because they will — have the evidence ready.

Related Articles

Offsite Backup Storage for CUI: FedRAMP and EncryptionCMMC Level 2 Assessment Scope ExplainedCMMC Enclaves: Scope Reduction with SegmentationSecurity Protection Data (SPD): Why Logs Expand Your ScopeShared Responsibility: What Your MSP Must Prove