The Defense Compliance Report: CMMC 2.0 & the Defense Industrial Base

CMMC Compliant Backup Solutions: What Actually Qualifies for CUI

By The Defense Compliance Report Editorial Team — an independent trade publication on CMMC 2.0 and DIB compliance · Last verified: June 12, 2026

This is editorial analysis, not legal, contractual, or compliance advice.

Let’s save you a weekend. CMMC compliant backup solutions are one of the most mis-sold things in the defense industrial base. Somewhere right now, a vendor is calling their backup product “CMMC compliant.” It isn’t, and it can’t be, because Cybersecurity Maturity Model Certification (CMMC) certifies organizations, not tools. Buy on that promise without checking a few specific things and you can park Controlled Unclassified Information (CUI) in a backup that fails the DFARS cloud-storage requirement, fails the FIPS validation requirement, or silently drags your whole network into scope. This guide gives you the controls, the verification gates, and the questions that separate a real CUI-capable backup from a re-skinned commercial product.

The fast answer

There is no such thing as a “CMMC certified” or “CMMC compliant” backup product. CMMC certifies your organization, not a tool. For CMMC Level 2, a backup is compliant in practice when backup CUI is protected under MP.L2-3.8.9 (NIST SP 800-171 Rev. 2 requirement 3.8.9, “protect the confidentiality of backup CUI at storage locations”) with FIPS-validated cryptography when encryption is what protects that confidentiality, plus controlled access. The answer then turns on where the backup data lands: on-premises inside your assessed boundary, or in a cloud that meets the FedRAMP Moderate baseline that DFARS 252.204-7012 requires for external cloud services holding covered defense information.

So the right “CMMC compliant backup solution” isn’t a logo. It’s an architecture you can document and defend.

Which situation are you in?

| Your situation | Best starting point | What not to assume |
|---|---|---|
| Backup of CUI goes to a cloud service | A FedRAMP Authorized (or DoD-recognized equivalent) cloud, with a Customer Responsibility Matrix mapped into your SSP | "Cloud backup" or "government-ready" equals CMMC-ready |
| Backup of CUI stays on-premises | An in-scope, hardened repository with controlled access, encryption (FIPS-validated where it protects CUI), logging, and tested restores | On-prem backup is automatically out of scope |
| An MSP runs your backups | Treat the MSP as an External Service Provider; document the role and the CRM | The MSP's backup is invisible because "they're just IT" |
| You rotate external drives or tape | Media ownership, physical security, FIPS-validated encryption, transport logs, sanitization | Encrypted drives are automatically de-scoped |
| You rely on Microsoft 365 retention | A separate, real backup; retention and legal hold are not a backup | Retention/eDiscovery is the same as a backup |
| Your backup holds no CUI and protects nothing in scope | A documented, defensible reason it's out of scope | "No CUI" without a data-flow diagram to prove it |

What “CMMC compliant backup solutions” really means (and why no product is certified)

A “CMMC compliant backup solution” is not a product you can buy with a certification stamp. CMMC assesses how an organization implements a defined set of security requirements inside a defined boundary. A backup tool can support that implementation; it cannot certify your company. Any “Top 10 CMMC Compliant Backup Products” list is using sloppy shorthand at best — and steering you toward risk at worst.

Here’s the honest part, and we’ll say it plainly because most pages won’t: the phrase you searched is technically wrong, and it trips up sharp people every week. A backup product has no CMMC certificate. There is no “CMMC Authorized” badge for software. The Cyber AB, the accreditation body for the CMMC ecosystem, accredits the C3PAOs that assess organizations; neither it nor the C3PAOs certify backup tools.

Now the freeing part: you are not at the mercy of a vendor’s marketing. You’re measuring any solution against a fixed, public federal standard. Once you know what that standard actually asks for — and you’re about to — you can walk into any vendor call and ask the four questions that separate a real CUI-capable backup from a re-skinned commercial product.

What “supports CMMC” should mean in a vendor’s mouth

When a backup vendor or managed service provider (MSP) says they “support CMMC,” translate it into something verifiable. A defensible claim means the solution:

  • Protects the confidentiality of backup CUI (the actual requirement, 3.8.9).
  • Uses FIPS 140-2 or 140-3 validated cryptography when encryption protects CUI — with a certificate number, not the word "FIPS-compliant."
  • Lands your backup CUI somewhere CMMC and DFARS allow (a FedRAMP Authorized or equivalent cloud, or your own controlled boundary).
  • Comes with a Customer Responsibility Matrix (CRM) — the document that spells out who is responsible for which control.
  • Produces evidence: access logs, restore-test records, configuration proof.
  • Never promises "guaranteed CMMC certification." No tool can deliver that.

Does CMMC actually require you to back up your data?

Here’s what surprises almost everyone: NIST SP 800-171 Rev. 2 contains no requirement to perform or test backups. It is a confidentiality standard. Its only backup-specific requirement, 3.8.9, says that if you keep backups containing CUI, you must protect their confidentiality. The current CMMC Level 2 rule aligns Level 2 to NIST SP 800-171 Rev. 2, and the 110 requirements do not include a scored requirement to run or test backups.

NIST built SP 800-171 to protect the confidentiality of CUI, not its availability. NIST reached into the backup control, took out only the confidentiality piece (derived from NIST SP 800-53 control CP-9), and left the rest of the backup-availability requirements in the 800-53 family for other frameworks. What that means for you:

  • You won’t be scored on having a backup schedule or a tested recovery plan under Level 2’s 110 requirements.
  • You will be scored on protecting any backup CUI that exists— encrypted with validated cryptography, access-controlled, stored somewhere defensible, and logged.

So why does every serious contractor still need backups?

Because “not a scored 800-171 control” is a long way from “optional.” Three forces make real, tested backups effectively mandatory:

1. DFARS 252.204-7012 demands incident preservation

When you report a cyber incident, the clause requires you to preserve and protect images of affected systems and relevant monitoring data for at least 90 days from the report. You can't preserve what you never captured.

2. Ransomware doesn't care about your control mapping

A contractor who loses a year of engineering data to encryption malware loses the contract too. Recoverability is survival.

3. Assessors expect maturity

A C3PAO will expect a competent organization to protect its own data, and your backup design is part of how you prove control over CUI.

Bottom line: the rule tells you to protect backup CUI’s confidentiality. Your contract’s incident-reporting clause and basic survivability tell you to actually have backups and test them. Do both.


Which NIST SP 800-171 controls actually govern your backups?

A backup that holds CUI is touched by a cluster of NIST SP 800-171 Rev. 2 requirements — led by 3.13.16 (confidentiality of CUI at rest) and its backup-specific extension 3.8.9, plus 3.13.11 (FIPS-validated cryptography), media-protection requirements (3.8.1, 3.8.2, 3.8.3, 3.8.6), transmission encryption (3.13.8), access control (3.1.1, 3.1.2), and audit logging (3.3.1, 3.3.2). An assessor will expect evidence for each as it applies to your backup environment.

The CUI backup control map

| Control (NIST 800-171 Rev. 2 / CMMC ID) | What it requires | What “good” looks like for backups |
|---|---|---|
| 3.13.16 / SC.L2-3.13.16 | Protect the confidentiality of CUI at rest | Backup data at rest is encrypted or otherwise protected from disclosure |
| 3.8.9 / MP.L2-3.8.9 | Protect the confidentiality of backup CUI at storage locations | Every backup copy (local, cloud, offsite) is encrypted (FIPS-validated) or physically controlled |
| 3.13.11 / SC.L2-3.13.11 | Use FIPS-validated cryptography to protect CUI confidentiality | The backup encryption module carries a CMVP certificate, not just "AES-256" marketing |
| 3.13.8 / SC.L2-3.13.8 | Encrypt CUI in transit | TLS/IPsec on replication and cloud-upload paths |
| 3.8.6 / MP.L2-3.8.6 | Encrypt CUI on digital media during transport | Backup tapes/drives leaving a controlled area are encrypted |
| 3.8.1 / MP.L2-3.8.1 | Physically control and securely store CUI media | Backup media kept in access-limited, controlled locations |
| 3.8.2 / MP.L2-3.8.2 | Limit access to CUI on media to authorized users | Role-based access on backup consoles and repositories |
| 3.8.3 / MP.L2-3.8.3 | Sanitize or destroy media before disposal or reuse | A documented process for retiring old backup media |
| 3.1.1, 3.1.2 / AC.L2-3.1.1, AC.L2-3.1.2 | Limit system access to authorized users and functions | Least-privilege backup-admin accounts; separation of duties |
| 3.3.1, 3.3.2 / AU.L2-3.3.1, AU.L2-3.3.2 | Create, protect, and retain audit logs; trace actions to users | Backup and restore actions are logged and attributable to a person |

Source basis: NIST SP 800-171 Rev. 2 requirements 3.8.1–3.8.9, 3.13.8, 3.13.11, 3.13.16, 3.1.1–3.1.2, and 3.3.1–3.3.2; CMMC Level 2 maps to NIST SP 800-171 Rev. 2 under 32 CFR Part 170. This is The Defense Compliance Report’s editorial mapping. Confirm final scope with your assessor or Registered Provider Organization (RPO).

What the rule says vs. what you have to prove

| What the rule says | Where it comes from | What you must actually show | Common failure |
|---|---|---|---|
| Protect the confidentiality of backup CUI | NIST 3.8.9 | Encryption (or physical control) on every backup copy, plus where each copy lives | Encrypting production data but leaving snapshots or an offsite copy exposed |
| Use FIPS-validated cryptography when crypto protects CUI | NIST 3.13.11 | A CMVP certificate and proof the validated module is enabled in your configuration | "AES-256" or "FIPS-compliant" with no validation certificate |
| External cloud storing CUI must meet FedRAMP Moderate or equivalency | DFARS 252.204-7012(b)(2)(ii)(D) | The exact offering's Marketplace status (or a 3PAO-assessed equivalency package) plus the CRM | Assuming a commercial cloud, SOC 2, or ISO 27001 satisfies it |
| Document and assess external service providers | 32 CFR 170.19 | The provider's service description and CRM, referenced in your SSP | Treating MSP-run backup as out of sight, out of scope |
| Preserve incident images for at least 90 days | DFARS 252.204-7012(e) | A process that can capture and protect affected-system images | No way to preserve forensic images after an incident |
| Retain assessment artifacts six years | 32 CFR Part 170, Subpart D | Final evidence kept six years from the CMMC Status Date | Discarding evidence after the assessment |

Where can backup CUI actually live? (the real decision)

The product logo doesn’t determine compliance — the resting place of your backup CUI does. Your realistic options are: Microsoft 365 native backup inside a government boundary, a third-party backup service (defensible only if its government edition is FedRAMP Authorized), a third-party tool writing to your own Azure Government or AWS GovCloud storage, infrastructure-native backup in those government clouds, an on-premises repository inside your assessed boundary, or a CUI enclave that can narrow your scope. Each model has a different “control owner” and a different way to fail.

Where does the backup data land?

| Backup model | Where CUI backup lands | Typical CUI fit | What to verify | Common mistake | Best for |
|---|---|---|---|---|---|
| M365 native retention / legal hold | Inside your Microsoft 365 tenant | Not a backup | N/A | Treating retention as a backup | Nobody; it's a supplement, not a backup |
| Microsoft 365 Backup (native add-on) | Microsoft's cloud boundary (incl. government tenants) | Potential fit inside a government tenant | The exact edition is available for your tenant, which workloads it covers, and its boundary | Assuming the commercial-tenant version is CUI-eligible | Teams already on Microsoft Government cloud |
| 3rd-party backup in vendor's cloud (e.g., Commvault, Druva, Rubrik Government) | The vendor's cloud | Defensible only if that cloud is FedRAMP Authorized/equivalent | The exact offering and impact level on the FedRAMP Marketplace; the CRM | Buying the commercial edition by mistake | Teams wanting managed backup with a real government edition |
| 3rd-party tool writing to your GovCloud storage (e.g., Veeam to Azure Government / AWS GovCloud) | Your Azure Government / AWS GovCloud tenant | Strong control | That the tool lands every copy in the government region, and that the keys, logs, and admin paths are yours | A copy quietly syncing to a commercial region | Teams wanting maximum control over where data lands |
| Infrastructure-native backup (Azure Backup in Azure Government; AWS Backup in GovCloud) | Your government-cloud tenant | Fits for servers/VMs holding CUI | Configuration inside the assessed boundary; FIPS endpoints | Backing up government workloads to a commercial subscription | Server- and IaaS-centric CUI environments |
| On-premises / self-hosted (e.g., Veeam on hardware in your facility) | Inside your physically controlled, assessed boundary | Fits if controls are implemented | That you own all controls: encryption, access, physical, sanitization | An "offsite copy" feature silently shipping to a commercial cloud | On-prem enclaves and air-gapped needs |
| CUI enclave with built-in protection | The enclave provider's authorized environment | Fits, and can shrink your scope | Authorization/equivalency, and how backup/retention behaves in the enclave | Assuming the enclave covers endpoints/servers outside it | Small and mid-size DIB minimizing scope and effort |

Vendor and product names are factual examples of deployment models, not endorsements. Authorization status changes — verify each offering on the FedRAMP Marketplace.

Read the table by who you are

Small subcontractor, a handful of CUI users: A CUI enclave plus managed backup, or a FedRAMP-authorized backup SaaS, keeps your scope small and your operational burden lower.
Engineering or manufacturing shop with on-prem CAD/PDM servers: Self-hosted backup to an in-scope repository, or to government-cloud object storage, usually fits your existing infrastructure — if you document the path.
MSP-managed contractor: The architecture matters less than the paperwork; your provider's role has to be documented.
Cloud-first government-tenant shop: You still need a real backup, not just retention. Decide deliberately how backup, restore, and retention are scoped.

Deciding between GCC High, Azure Government, and AWS GovCloud for where your CUI and its backups should live? See our GCC High for CMMC guide for a deep comparison.


When does a cloud backup need FedRAMP — and what does “equivalent” really mean?

When an external cloud service stores, processes, or transmits your backup CUI, DFARS 252.204-7012(b)(2)(ii)(D) requires that cloud to meet security requirements equivalent to the FedRAMP Moderate baseline and to comply with the clause’s incident-handling duties (paragraphs c through g). Per the DoD CIO memo of December 21, 2023, “equivalency” is not a vendor self-attestation — it requires a body of evidence for the cloud offering that is validated by a FedRAMP-recognized 3PAO and reviewed during your CMMC assessment.

Those incident-handling duties include reporting a cyber incident to DoD within 72 hours and preserving affected-system images for at least 90 days.

“FedRAMP Authorized” vs. “FedRAMP Moderate Equivalent” — the distinction vendors blur

FedRAMP Authorized

The specific cloud service offering went through the FedRAMP process and is listed on the FedRAMP Marketplace. Confirm the exact offering name, status, impact level (Moderate or High), boundary, and whether your purchased edition sits inside that authorization.

FedRAMP Moderate Equivalent

The accommodation the DoD CIO memo defined: the provider implements 100% of FedRAMP Moderate controls and proves it through a 3PAO-validated body of evidence. It is not a self-claim, and “we’re FedRAMP equivalent” with nothing behind it doesn’t meet the bar. The major government clouds clear this with room to spare — AWS GovCloud (US) and Microsoft Azure Government hold FedRAMP High authorizations, which exceed Moderate. GCC High is FedRAMP High Authorized; regular GCC is FedRAMP Moderate Authorized.

A verified snapshot of FedRAMP-authorized data-protection offerings

FedRAMP status confirmed on the FedRAMP Marketplace and providers’ authorization announcements as of June 12, 2026. This is not a ranking, not an endorsement, and not proof that any product makes your company compliant. It’s a starting shortlist to verify. We have no compensation relationship with any offering listed here.

| Offering | FedRAMP status (verify current) | Backup relevance | What this does not prove |
|---|---|---|---|
| Commvault Cloud for Government (Commvault Systems) | FedRAMP High Authorized | Enterprise data protection / cyber recovery | That your configuration, scope, or purchased edition is compliant |
| Druva (GovCloud / Data Resiliency Cloud) (Druva) | FedRAMP Moderate Authorized | Data resiliency / backup SaaS (M365, endpoints, data center) | Same; verify your workloads and boundary |
| Rubrik Security Cloud – Government (Rubrik) | FedRAMP Moderate Authorized | Backup and data security platform | Same; verify your workload sits inside the authorized boundary |
| Microsoft 365 GCC (Microsoft) | FedRAMP Moderate Authorized | An environment where CUI may live; not, by itself, a backup | That retention equals backup, or that GCC fits export-controlled CUI |
| Microsoft 365 GCC High (Microsoft) | FedRAMP High Authorized | An environment for ITAR/CUI; not, by itself, a backup | Same; you still decide and document the backup path |

How to verify any cloud backup vendor in three minutes: search the FedRAMP Marketplace for the exact offering name; confirm it’s authorized (not “in process” or “ready”) and at what impact level; confirm your purchased edition is inside that same authorization boundary; then get the provider’s CRM and a written commitment to the DFARS 7012 (c)–(g) incident-handling duties. If any of those four come back fuzzy, slow down.


Can you store encrypted CUI backups in a non-FedRAMP cloud?

This matters because encryption is the loophole everyone reaches for: “It’s encrypted, so the cloud doesn’t really hold CUI, right?” DoD closed that door. Encrypting backup CUI is necessary, but it does not move your provider out of the FedRAMP requirement.

There is one legitimate architecture that keeps CUI out of a non-authorized environment entirely: tokenizing CUI before it ever reaches a non-authorized service, so only non-sensitive tokens live there while the real CUI, and the token-to-value mapping, stays in a FedRAMP-authorized or on-premises system under your own key control. Note what that is not: encrypting the backup and shipping the ciphertext to a commercial cloud still places CUI in that cloud, which is exactly the door the previous paragraph says DoD closed. Tokenization is a deliberate, documented design, not a shortcut around the rule. If your plan depends on it, build it on purpose and write it into your SSP. Otherwise, the simpler path is to put backup CUI in a FedRAMP-authorized (or equivalent) destination from the start.
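The tokenization design described above, as an added example written for this article rather than code from any product or vendor. The vault is an in-memory stand-in for a store that lives inside your assessed boundary; the record, its CUI field names, and the sample values are constructed for illustration, and the tokenized dict is whatever you would hand to the non-authorized service.

```python
import secrets

# Fields of a record that carry CUI. Constructed for this example; your data
# inventory decides the real list.
CUI_FIELDS = frozenset({"drawing_no", "part_description", "technical_data"})


class TokenVault:
    """Holds the token -> CUI mapping. Lives inside the assessed boundary
    (on-prem or FedRAMP-authorized); only tokens ever leave it.

    Tokens come from the OS CSPRNG and carry no information about the value,
    so a tokenized record on its own cannot be reversed, and the same value
    tokenized twice gets two unrelated tokens. A plain hash could be reversed
    by guessing likely values, and any deterministic scheme (HMAC included)
    leaks which records share a value."""

    def __init__(self):
        self._by_token = {}

    def tokenize(self, value):
        token = "tok_" + secrets.token_urlsafe(24)
        while token in self._by_token:  # collision is astronomically unlikely, check anyway
            token = "tok_" + secrets.token_urlsafe(24)
        self._by_token[token] = value
        return token

    def detokenize(self, token):
        return self._by_token[token]  # KeyError on an unknown token is the right failure


def tokenize_record(record, vault, cui_fields=CUI_FIELDS):
    """Copy of record with every CUI field replaced by a token; this copy is
    the only thing that may go to a non-authorized service."""
    return {k: (vault.tokenize(v) if k in cui_fields else v) for k, v in record.items()}


def detokenize_record(record, vault, cui_fields=CUI_FIELDS):
    """Inverse, run inside the boundary when the data comes back."""
    return {k: (vault.detokenize(v) if k in cui_fields else v) for k, v in record.items()}


def leaks_cui(outbound, original, cui_fields=CUI_FIELDS):
    """Last gate before anything leaves the boundary: True if any original CUI
    value still appears anywhere in the outbound payload. String matching is
    coarse; it catches the 'forgot to tokenize a field' mistake, nothing subtler."""
    blob = repr(outbound)
    return any(str(original[f]) in blob for f in cui_fields if f in original)


if __name__ == "__main__":
    vault = TokenVault()
    sample = {"ticket_id": "INC-0042", "drawing_no": "DWG-7731-A",   # constructed sample values
              "part_description": "bracket, left", "status": "open"}
    outbound = tokenize_record(sample, vault)
    print(outbound, "leaks CUI:", leaks_cui(outbound, sample))
    print(detokenize_record(outbound, vault) == sample)
```

The point to carry into your SSP: the non-authorized service stores tokens that are meaningless without the vault, and the vault never leaves the boundary, so the service never "stores, processes, or transmits" CUI in the DFARS sense.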


The CSP-vs-ESP question that quietly expands your scope

When someone else operates your backup, CMMC scoping hinges on two questions from 32 CFR Part 170: Is that provider a Cloud Service Provider (CSP)? And does it process, store, or transmit CUI or Security Protection Data? A CSP storing your CUI must meet the FedRAMP Moderate requirement. A non-CSP External Service Provider (ESP) — say, an MSP administering your backup — does not need its own CMMC certification, but its in-scope services are assessed within your assessment, and the relationship must be documented in your SSP with a Customer Responsibility Matrix.

If your backup CUI lands in a cloud the provider operates and that cloud stores CUI, that cloud is a CSP — and the FedRAMP Moderate (authorized or equivalent) requirement attaches to it.
If your MSP simply administers a backup that holds CUI but isn’t itself the cloud storing it, the MSP is a non-CSP ESP. The rule lets you use it, provided the relationship and services are documented in your SSP and the CRM, and the ESP’s in-scope services are assessed within your assessment against the Level 2 requirements.
If you are the cloud tenant and the MSP only administers the environment, the MSP isn’t a CSP. If the MSP actually provides and operates the cloud service that holds your CUI, it may be treated as a CSP — and then the FedRAMP requirement attaches.
The final rule clarified — a real change from the earlier proposed rule — that an ESP does not need its own CMMC assessment. An MSP may choose to get certified to streamline things, but it’s not required. The catch: if your ESP isn’t certified, its in-scope assets get reviewed inside your C3PAO assessment, which can add time and friction.

Are your backups in scope for the assessment?

Almost always, yes. Under 32 CFR 170.19 and the DoD CIO’s CMMC Level 2 Scoping Guide, a backup that stores CUI is a CUI Asset — assessed against the Level 2 requirements. Backup or management tooling that protects CUI systems without holding CUI is a Security Protection Asset, still in scope for its protective function. Only a backup that neither stores CUI nor protects CUI assets, and is physically or logically separated, can be treated as out of scope — and you still have to justify it.

The five Level 2 asset categories come from 32 CFR 170.19(c)(1), Table 3:

| Backup situation | Asset category | Assessment consequence |
|---|---|---|
| Backup stores CUI (most backups of CUI systems) | CUI Asset | Assessed against all 110 requirements, evaluated using the NIST SP 800-171A objectives |
| Backup or management tooling protects CUI systems but holds no CUI | Security Protection Asset | In scope; assessed against the requirements relevant to its protective function |
| Backup environment that does not store CUI, does not protect CUI assets, and is physically or logically separated | Out-of-Scope Asset | Not assessed, but you must justify the separation in your SSP and diagram |

Don’t under-scope to save money

Calling a backup “out of scope” without a data-flow diagram that proves it is one of the fastest ways to fail an assessment. The Scoping Guide is clear that an asset in any in-scope category cannot be quietly reclassified as out of scope, and an assessor can challenge a boundary that leaves obvious gaps.

Plan for the long haul

Your assessment artifacts — including backup control evidence — must be retained for six years from the CMMC Status Date under 32 CFR Part 170. For self-assessed systems, 32 CFR Part 170 requires the self-assessment results and annual affirmations to be posted in SPRS, and DFARS 252.204-7021 requires that CMMC status to be current. Backup compliance isn’t a one-time assessment-prep stunt; it’s a posture you maintain and re-affirm.


So what actually makes a backup solution “CMMC-ready”? The five verification gates

A backup solution is defensible for backup CUI when it clears the gates that apply to your contract, CUI category, and assessment scope: (1) data location and access constraints; (2) FedRAMP Authorized or 3PAO-assessed equivalent storage, if it’s a cloud; (3) FIPS-validated encryption with clear key custody; (4) least-privilege access, attributable audit logs, and a provider willing to meet the DFARS 7012 incident-handling duties; (5) ransomware resilience and tested recovery. Miss one that applies to you and the marketing doesn’t matter.

Gate 1 — Data location and access constraints

Does the backup data's location, every replica path, and the administrator/support model line up with your contract, your CUI category, your export-control obligations, and the FedRAMP boundary you're relying on? U.S. data residency and U.S.-person-only administration aren't a blanket CMMC rule — but they're commonly required by your contract and by the FedRAMP authorization boundary, and for export-controlled CUI such as ITAR technical data they are mandatory. Map every copy, including disaster-recovery replicas and any "offsite copy" a product enables by default. One stray offshore copy can create export-control, FedRAMP-boundary, and assessment-scope problems.
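One way to make Gate 1 mechanical, added here as an example for this article and not taken from any backup vendor: walk every destination a job can write to (primary, copies, replicas), classify each by its real endpoint rather than its friendly name, and flag anything that lands outside the boundary or lacks the encryption evidence the later gates ask for. The job layout and field names are assumptions standing in for your product's configuration export; the AWS GovCloud region names, the s3-fips endpoint prefix and the Azure Government storage suffix core.usgovcloudapi.net are the real public names.

```python
from urllib.parse import urlsplit

# Real public names of the government-cloud boundaries this check recognizes.
AWS_GOV_REGIONS = {"us-gov-west-1", "us-gov-east-1"}
AZURE_GOV_STORAGE_SUFFIX = "core.usgovcloudapi.net"
AZURE_COMMERCIAL_STORAGE_SUFFIX = "core.windows.net"

# Destinations that may hold backup CUI in this (assumed) scope.
ALLOWED = {"on-prem", "aws-govcloud", "azure-government"}


def endpoint_host(dest):
    return (urlsplit(dest.get("url", "")).hostname or "").lower()


def classify_destination(dest):
    """Where a destination really lands, judged by endpoint only. A label such
    as "GovCloud copy" proves nothing; the hostname does."""
    if dest.get("type") == "local-repo":
        return "on-prem"
    host = endpoint_host(dest)
    if host.endswith("amazonaws.com"):
        return "aws-govcloud" if any(f".{r}." in host for r in AWS_GOV_REGIONS) else "commercial-cloud"
    if host.endswith(AZURE_GOV_STORAGE_SUFFIX):
        return "azure-government"
    if host.endswith(AZURE_COMMERCIAL_STORAGE_SUFFIX):
        return "commercial-cloud"
    return "unknown"


def iter_destinations(job):
    """Primary target plus every copy and replica chained to it, so the
    "offsite copy" someone enabled with defaults is not overlooked."""
    yield "primary", job["primary"]
    for i, d in enumerate(job.get("copies", [])):
        yield f"copies[{i}]", d
    for i, d in enumerate(job.get("replicas", [])):
        yield f"replicas[{i}]", d


def audit_destination(path, dest, allowed=ALLOWED):
    where, host = classify_destination(dest), endpoint_host(dest)
    issues, notes = [], []
    if where not in allowed:
        issues.append(f"lands outside the boundary: {where}")
    if where == "aws-govcloud":
        if "s3-fips." not in host:                      # FIPS endpoint, not the default one
            issues.append("not using the s3-fips endpoint")
        region = dest.get("region", "").lower()
        if region and f".{region}." not in host:        # label says one region, endpoint says another
            issues.append(f"declared region {region} does not match endpoint {host}")
    enc = dest.get("encryption", {})
    if not enc.get("enabled"):
        issues.append("encryption at rest disabled")
    elif not enc.get("cmvp_cert"):
        issues.append("no CMVP certificate number recorded for the encryption module")
    if enc.get("key_owner") != "customer":
        notes.append("keys are not customer-held; confirm the CRM covers key custody")
    return {"path": path, "name": dest.get("name"), "where": where, "issues": issues, "notes": notes}


def audit_job(job, allowed=ALLOWED):
    return [audit_destination(p, d, allowed) for p, d in iter_destinations(job)]


def job_passes(findings):
    return all(not f["issues"] for f in findings)


# Constructed job definition (not a real product export). "CMVP-CERT-PLACEHOLDER"
# stands for the certificate number you look up on the NIST CMVP site. The
# second copy is the classic mistake: an "offsite copy" left at commercial defaults.
SAMPLE_JOB = {
    "name": "cad-pdm-nightly",
    "primary": {"name": "onsite-repo-01", "type": "local-repo",
                "encryption": {"enabled": True, "cmvp_cert": "CMVP-CERT-PLACEHOLDER", "key_owner": "customer"}},
    "copies": [
        {"name": "govcloud-copy", "type": "object-storage", "region": "us-gov-west-1",
         "url": "https://s3-fips.us-gov-west-1.amazonaws.com/cui-backup-copy",
         "encryption": {"enabled": True, "cmvp_cert": "CMVP-CERT-PLACEHOLDER", "key_owner": "customer"}},
        {"name": "offsite-copy", "type": "object-storage", "region": "us-east-1",
         "url": "https://s3.us-east-1.amazonaws.com/cui-backup-offsite",
         "encryption": {"enabled": True, "cmvp_cert": "", "key_owner": "vendor"}},
    ],
    "replicas": [
        {"name": "dr-azure", "type": "object-storage",
         "url": "https://drstore.blob.core.usgovcloudapi.net/cui-dr",
         "encryption": {"enabled": True, "cmvp_cert": "CMVP-CERT-PLACEHOLDER", "key_owner": "customer"}},
    ],
}

if __name__ == "__main__":
    for f in audit_job(SAMPLE_JOB):
        print(f["path"], f["name"], f["where"], f["issues"] or "OK", f["notes"])
```

Run against the sample, the primary, the GovCloud copy and the Azure Government replica pass, while the offsite copy is flagged twice (commercial region, no CMVP certificate) and carries a key-custody note. Feed it your real export and the output is the start of the data-flow evidence the assessor asks for.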

Gate 2 — FedRAMP posture (if it's a cloud)

Is the storage FedRAMP Authorized (look it up on the Marketplace) or FedRAMP Moderate Equivalent with a 3PAO-validated body of evidence per the December 2023 DoD memo? Remember: GCC High, Azure Government, and AWS GovCloud carry FedRAMP High.

Gate 3 — FIPS-validated encryption and key custody

When encryption is what protects backup CUI, is it performed by a FIPS 140-2/140-3 validated module — with a CMVP certificate number you can check? And who holds the keys, you or the vendor? Customer-held keys reduce your exposure and your scope headaches.

Gate 4 — Access, logging, and the DFARS duties

Least-privilege backup admins, audit logs that tie actions to named people, and a provider that will contractually meet the DFARS 7012 (c)–(g) obligations — usually captured in the CRM and your agreement.

Gate 5 — Ransomware resilience and tested recovery

Immutability or an air gap, and restores you've actually tested. Not a scored 800-171 requirement, as we covered — but your incident-reporting clause and basic survivability make it non-negotiable in practice.

Score your own backup against the five gates

Reading five gates is one thing; knowing where you stand is another. Take ten minutes and run your real setup through them: name where your CUI lives, where each backup copy lands, whether that storage is FedRAMP Authorized (look it up), whether your encryption is FIPS-validated, who holds the keys, and who can administer the console. Any gate you can’t answer cleanly is your next work item — and a far cheaper one to fix now than after a finding.

If you’re the exception — you already run a FedRAMP-authorized environment and you just need configuration help — you may not need us at all. Take this to your existing MSP. We’d rather lose you to a faster path than route you somewhere you don’t need to go. But if you’re starting from commercial Microsoft 365 or a consumer backup, this is exactly the moment to get matched.


“Can we just use Veeam, Synology, external drives, Acronis, Datto, or Microsoft 365?”

The product name is never the answer. For CMMC, what decides it is where backup CUI is stored, who can access or decrypt it, whether a cloud target stores CUI, whether encryption and media controls are evidenced, and whether the whole path is documented in your scope. Here’s the honest read on the tools people ask about most.

Veeam (and similar self-hosted backup software)

Often a strong building block — if the repositories, cloud targets, admin access, encryption, logs, and restore evidence are properly scoped and documented. The question isn't "Is Veeam CMMC compliant?" It's "Where does Veeam send the backup CUI, and can we prove the controls around that destination?" Veeam writing to AWS GovCloud or Azure Government object storage that you control can be a clean, defensible pattern — when every repository, replica, key, admin path, and log source is scoped. One verifiable wrinkle: per Veeam's documentation, Teams chat backup isn't supported in the US Government DoD and GCC High regions, a reminder that feature parity differs in government clouds.

Synology or an offsite NAS

Possible when it's in scope, access-controlled, physically secured, encrypted with validated cryptography, documented, and restore-tested. It gets weak fast when an owner can't prove media control, FIPS configuration, transport protections, or that anyone has ever tested a restore.

Rotating external drives or tape

Workable for small environments with disciplined media handling. Expect to prove media ownership, controlled storage, FIPS-validated encryption (or physical safeguards), a transport process, sanitization at end of life, and restore tests. The failure mode is human: a lost drive with no owner and no log.

Acronis, Datto, or another SMB cloud backup

Only after you verify the exact cloud service offering, its FedRAMP status where CUI is stored, admin access, the CRM, encryption proof, and evidence export. Don't assume a general commercial backup cloud is suitable for CUI — most SMB-default editions aren't.

Microsoft 365 retention

Not a backup. Retention, legal hold, the recycle bin, and version history serve records and eDiscovery — they won't reliably recover from corruption, ransomware, or admin error. Under Microsoft's shared-responsibility model, keeping the service running is Microsoft's job; protecting and being able to restore your data is yours. If CUI lives in Microsoft 365 or GCC High, decide separately how backup, restore, and retention are handled and evidenced.

AWS GovCloud or Azure Government object storage

Potentially excellent — but the cloud isn't the whole answer. Verify the specific services, your encryption and key configuration, the access model, and whether the backup application or MSP adds its own CSP/ESP scope on top.


What evidence will a C3PAO actually want for your backups?

Backup evidence should prove four things: where backup CUI is stored, who can access it, how its confidentiality is protected, and whether your restores actually work. For Level 2 certification assessments, those artifacts must be retained for six years from the CMMC Status Date. Vague policy documents and aspirational diagrams won’t carry you — assessors want evidence that’s implemented, current, and repeatable.

| Evidence item | Why it matters | Refresh cadence |
|---|---|---|
| CUI data-flow map including the backup path | Proves where CUI moves and rests (scoping, 3.8.9) | Quarterly or after any change |
| Backup asset inventory | Shows repositories, consoles, storage targets, media | Monthly / quarterly |
| SSP backup section | Documents how backup assets and controls are handled | After any change |
| Network diagram with the backup path labeled | Lets the assessor understand scope | After any network/storage change |
| Customer Responsibility Matrix (CRM) | Splits responsibility between you and the provider | At purchase and annually |
| FedRAMP Marketplace confirmation for the exact offering | Shows current authorization status and impact level | Before purchase and quarterly |
| FIPS validation and configuration proof | Supports 3.13.11 where crypto protects CUI | At implementation and after upgrades |
| Backup job logs + restore-test logs | Shows operation history and real recoverability | Monthly pull; quarterly restore tests |
| Access review for the backup console/repositories | Shows who can touch backup data (3.1.x, 3.8.2) | Monthly / quarterly |
| Immutability / offline-copy evidence | Supports ransomware resilience | Quarterly |
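The restore-test record that Gate 5 and the evidence table above both call for, as an added example written for this article and not taken from any backup product. It hashes a source tree at backup time, checks a restored tree against that manifest, and writes a dated, attributable JSON record of the outcome. Everything it touches is constructed in a temporary directory; the job name, tester and copy label are placeholders.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()  # SHA-256 is FIPS-approved, so this runs unchanged on a FIPS-mode host
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Relative path -> sha256 for every file under root. Take this at backup
    time and keep it with, and preferably also apart from, the backup."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(restored_root, manifest):
    """Compare a restored tree to the manifest. 'ok' means every manifest file
    came back byte-for-byte; extra files are reported but do not fail the test."""
    actual = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(actual))
    extra = sorted(set(actual) - set(manifest))
    changed = sorted(p for p in manifest.keys() & actual.keys() if manifest[p] != actual[p])
    return {"checked": len(manifest), "missing": missing, "changed": changed,
            "extra": extra, "ok": not missing and not changed}


def write_evidence(report, out_path, job, copy_tested, tested_by):
    """The restore-test log entry: dated, tied to a named person (so the action
    is attributable, 3.3.2) and to the specific copy that was restored from."""
    record = {"job": job, "copy_tested": copy_tested, "tested_by": tested_by,
              "tested_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
              "result": "PASS" if report["ok"] else "FAIL", "detail": report}
    Path(out_path).write_text(json.dumps(record, indent=2))
    return record


def run_demo():
    """Constructed scenario: three sample files, one clean restore, then a
    restore with one file truncated and one missing. Returns both reports."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "cui-share")
        (src / "drawings").mkdir(parents=True)
        (src / "drawings" / "bracket.step").write_bytes(b"STEP sample data\n" * 64)
        (src / "bom.csv").write_text("part,qty\nbracket,4\n")
        (src / "readme.txt").write_text("constructed sample, not real CUI\n")
        manifest = build_manifest(src)

        restored = Path(tmp, "restored")
        shutil.copytree(src, restored)
        clean = verify_restore(restored, manifest)

        (restored / "drawings" / "bracket.step").write_bytes(b"STEP sample data\n")  # truncated
        (restored / "readme.txt").unlink()                                           # missing
        broken = verify_restore(restored, manifest)
        write_evidence(broken, Path(tmp, "restore-test.json"),
                       job="cad-pdm-nightly", copy_tested="immutable-copy", tested_by="j.doe")
        return clean, broken


if __name__ == "__main__":
    clean, broken = run_demo()
    print("clean restore ok:", clean["ok"])
    print("broken restore:", broken)
```

A restore that "completed" with no errors but returned a truncated drawing is exactly what the hash comparison catches and the job log alone does not; the JSON record, kept for the six-year retention period, is the artifact that turns "we test restores quarterly" from a policy sentence into evidence.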

A vendor questionnaire that asks for evidence, not adjectives

Before you sign with any backup vendor or MSP, make them answer in specifics: the exact legal entity and product offering; the cloud service offering name and its FedRAMP Marketplace status and impact level; whether the service processes, stores, or transmits CUI or Security Protection Data; the CRM; FIPS validation and key-custody model; the admin-access and multi-factor model; logging and evidence-export capabilities; data residency; immutability and restore-test process; subprocessors; and data return or destruction at termination.


What does compliant CUI backup cost?

Treat any single price with caution, because cost tracks where the data lands more than which logo you pick. As a reference point to verify at purchase: Microsoft’s native Microsoft 365 Backup lists at $0.15 per gigabyte per month of protected content. Third-party backup is typically priced per user per month and runs higher than native, but the figure swings widely by provider, retention period, workload coverage, and whether you need a government edition. The bigger budget driver is almost always the environment — GCC High, GovCloud, or an enclave — not the backup line item itself.

Treat any public per-user number as directional until you have a scoped quote. The honest cost drivers:

  • How many CUI sources you have: More systems to back up and document.
  • Cloud vs. on-prem target: A cloud holding CUI adds FedRAMP verification and CRM work.
  • MSP involvement: ESP documentation and evidence hand-off.
  • Encryption and key complexity: FIPS proof and key-management procedures.
  • Restore-testing maturity: The evidence process and operational discipline behind it.
  • Legacy systems: Older agents, repositories, and restore paths cost more to cover.
  • C3PAO timing: Late scope changes discovered near an assessment are the most expensive of all.

That last one is the whole argument for doing this in the right order. The expensive mistake isn’t choosing a slightly pricier backup. It’s buying a “compliant” backup that lands CUI in a commercial cloud, passes your own gut-check, and then has to be re-architected after an assessor flags it, on the assessor’s clock rather than yours.


Frequently asked questions about CMMC compliant backup solutions

What is a CMMC compliant backup solution?

It's better understood as a backup architecture that supports your CMMC requirements, not a product with a certification. It must protect backup CUI, fit your assessment scope, satisfy FedRAMP and ESP obligations where they apply, and produce verifiable evidence. CMMC certifies organizations under 32 CFR Part 170 — not backup tools.

Does CMMC require backups?

Not directly. For Level 2, NIST SP 800-171 Rev. 2 includes requirement 3.8.9, protect the confidentiality of backup CUI at storage locations, which assumes backups exist but does not itself require you to perform or test them. That capability is operationally essential, and it is what 3.8.9 protects, but it is not a separately scored Level 2 requirement.

Does CMMC require tested restores?

No scored Level 2 requirement mandates a backup schedule or restore testing. But tested restores are how you prove recoverability after ransomware, and they show that the system images DFARS 252.204-7012 requires you to preserve after a cyber incident are actually intact and usable, so most assessors and mature programs treat them as essential in practice.
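The restore test below is an added example, not code from the original page or from any backup vendor; it stands in for both the "restore-test logs" evidence row above and the tested-restore point in this answer. It stages a few constructed sample files, backs them up to a plain tar archive with a SHA-256 manifest taken at backup time, restores them into a clean directory, and verifies every restored file against the manifest, returning the evidence record a quarterly restore-test log would keep. It then runs the failure case, flipping one byte inside the archive (using the standard library's tarfile.TarInfo.offset_data to land inside file content rather than a header) to show that a restore that "succeeds" can still fail verification. The file contents, paths and record fields are assumptions for illustration; encrypting the archive at rest with a FIPS-validated module (3.8.9 / 3.13.11) would wrap the archive this script produces and is outside the example.

```python
# Restore test with integrity evidence for a CUI backup set. Added example, not code
# from the original page or any vendor; assumes a plain tar archive plus a SHA-256
# manifest taken at backup time. Sample files, paths and fields are constructed.
import hashlib
import json
import os
import tarfile
import tempfile
from datetime import datetime, timezone

# Constructed stand-ins for a CUI share; a real run stages from the share itself.
SAMPLE_FILES = {
    "drawings/part-0042.txt": b"Drawing notes for part 0042 (CUI//SP-CTI)\n" * 4,
    "contracts/sow-2026.txt": b"Statement of work, section 3.2 deliverables\n" * 3,
    "qa/inspection-log.txt": b"2026-05-01 lot 17 pass\n2026-05-02 lot 18 pass\n",
}

def sha256_file(path):
    """SHA-256 of a file, streamed in 64 KiB chunks so large backup sets stay out of memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(source_dir):
    """Relative path -> SHA-256 for every file under source_dir, taken at backup time."""
    manifest = {}
    for root, _dirs, files in os.walk(source_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, source_dir).replace(os.sep, "/")] = sha256_file(full)
    return manifest

def write_backup(source_dir, manifest, archive_path):
    """Uncompressed tar of the manifest's files; returns the archive hash at backup time."""
    with tarfile.open(archive_path, "w") as tar:
        for rel in sorted(manifest):
            tar.add(os.path.join(source_dir, rel), arcname=rel)
    return sha256_file(archive_path)

def corrupt_first_file(archive_path):
    """Simulate bit rot or tampering: flip one byte inside the first file's content.
    TarInfo.offset_data is where that content starts, so every header stays intact."""
    with tarfile.open(archive_path, "r") as tar:
        member = next(m for m in tar.getmembers() if m.isfile())
        offset = member.offset_data + 4
    with open(archive_path, "r+b") as f:
        f.seek(offset)
        byte = f.read(1)[0]
        f.seek(offset)
        f.write(bytes([byte ^ 0xFF]))
    return member.name

def restore_backup(archive_path, restore_dir):
    """Extract regular files by hand (refusing absolute or parent-traversing names)
    and return {relative path: SHA-256 of the restored content}."""
    restored = {}
    with tarfile.open(archive_path, "r") as tar:
        for member in tar.getmembers():
            parts = member.name.split("/")
            if not member.isfile() or member.name.startswith("/") or ".." in parts:
                continue
            target = os.path.join(restore_dir, *parts)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with tar.extractfile(member) as src, open(target, "wb") as dst:
                dst.write(src.read())
            restored[member.name] = sha256_file(target)
    return restored

def run_restore_test(corrupt_archive=False):
    """Stage, back up, optionally damage, restore, verify; return the evidence record."""
    with tempfile.TemporaryDirectory() as work:
        source, restore = os.path.join(work, "source"), os.path.join(work, "restore")
        archive = os.path.join(work, "backup.tar")
        for rel, data in SAMPLE_FILES.items():
            path = os.path.join(source, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        manifest = build_manifest(source)
        sha_at_backup = write_backup(source, manifest, archive)
        damaged = corrupt_first_file(archive) if corrupt_archive else None
        restored = restore_backup(archive, restore)
        # A file is a mismatch if it was not restored or its hash differs from backup time.
        mismatches = sorted(rel for rel, digest in manifest.items() if restored.get(rel) != digest)
        return {  # PASS only when every file matches its backup-time hash
            "test_time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "archive_sha256_at_backup": sha_at_backup,
            "archive_sha256_at_restore": sha256_file(archive),
            "files_expected": len(manifest),
            "files_restored": len(restored),
            "mismatches": mismatches,
            "simulated_damage": damaged,
            "result": "PASS" if not mismatches else "FAIL",
        }

if __name__ == "__main__":  # prints the PASS record, then the deliberately failed one
    print(json.dumps(run_restore_test(), indent=2))
    print(json.dumps(run_restore_test(corrupt_archive=True), indent=2))
```

Run directly, it prints both records. In the damaged run the restore itself reports three files restored, which is exactly the trap: a job log alone would say the restore worked, and only the hash comparison and the changed archive hash expose the bad copy. In practice, point the staging step at the CUI share or the backup product's export, keep the manifest with the job log, and file the JSON output as the restore-test evidence.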

What is MP.L2-3.8.9?

MP.L2-3.8.9 is the CMMC Level 2 identifier for NIST SP 800-171 requirement 3.8.9: protect the confidentiality of backup CUI at storage locations. CMMC Level 2's 110 requirements are drawn from NIST SP 800-171 Rev. 2.

Do cloud backups need to be FedRAMP authorized for CUI?

A cloud service that stores, processes, or transmits CUI must meet security requirements equivalent to the FedRAMP Moderate baseline under DFARS 252.204-7012, and comply with that clause's incident-handling duties. Per the DoD CIO memo of December 21, 2023, "equivalent" means 100% of FedRAMP Moderate controls in a 3PAO-validated body of evidence. Verify the exact offering and impact level on the FedRAMP Marketplace.

Can you store encrypted CUI backups in a non-FedRAMP cloud?

No. The DoD's CMMC FAQ states that a non-FedRAMP-Moderate cloud cannot store encrypted CUI; the contractor must still ensure the provider meets FedRAMP Moderate or equivalency requirements. CUI remains CUI until formally decontrolled, even when encrypted.

Is FedRAMP High required for CMMC backup?

Not by the Level 2 rule language — the cited cloud requirement is FedRAMP Moderate or higher, or equivalent. A specific contract, agency, data type, or chosen provider may drive a higher requirement. (For reference, GCC High, Azure Government, and AWS GovCloud are FedRAMP High.)

Is encrypted backup data still CUI?

For CMMC planning, treat backup sets that contain CUI as in-scope backup CUI even when encrypted, unless your contract, legal counsel, or scoping authority tells you otherwise. NIST treats cryptography as a way to protect backup CUI confidentiality under 3.8.9, not as a mechanism that removes it from scope.

Do CMMC backups need FIPS-validated encryption?

If cryptography is used to protect the confidentiality of CUI, NIST SP 800-171 requirement 3.13.11 requires FIPS-validated cryptography. Ask the vendor for the CMVP certificate number, confirm that the certificate covers the module version and operating environment you actually deploy, and get proof that the validated module is what your configuration uses (for example, the OS or product running in FIPS mode). "FIPS-compliant" or "uses FIPS algorithms" is not the same as "FIPS-validated."

Can we use Veeam for CMMC?

Potentially, yes — Veeam-style self-hosted software can support a CMMC architecture when the repositories, cloud targets, admin access, encryption, logs, restore tests, and provider roles are scoped and documented. The product is one part; the destination and the controls around it decide compliance.

Can we use a Synology NAS or external drives?

Both are possible for smaller environments when properly scoped, access-controlled, encrypted or physically secured, documented, and restore-tested. The common failure is treating an offsite NAS or a stack of drives as out of scope without proving why.

Is Microsoft 365 retention the same as a backup?

No. Retention and legal hold are built for compliance and eDiscovery, not recovery, and under Microsoft's shared-responsibility model, protecting and restoring your data is your responsibility. If CUI lives there, you still need a separate, real backup decision.

Does the backup provider need to be a C3PAO?

No. A backup provider isn't a C3PAO unless it's separately authorized to conduct CMMC assessments. Backup providers, MSPs, and cloud providers support implementation or operations; C3PAOs conduct the certification assessment — and readiness help and formal assessment must stay appropriately separated.

Should a C3PAO help us pick our backup solution?

Be careful here. Under the Cyber AB's assessment process and accreditation requirements, a C3PAO cannot provide consulting, implementation, or advisory services to an organization it assesses, and it manages conflicts of interest strictly. Use a readiness provider, RPO, or MSP for implementation help; engage a C3PAO for the formal assessment when you're ready.

Are backups in scope for a CMMC assessment?

In almost all cases, yes. Under 32 CFR 170.19 and the DoD CIO CMMC Level 2 Scoping Guide, a backup that stores CUI is a CUI Asset assessed against the Level 2 requirements. Backup tooling that protects CUI systems without holding CUI is a Security Protection Asset and is still in scope.

Can a POA&M cover a backup gap?

Only within the rule's limits. 32 CFR Part 170 sets strict conditions on what can go on a Plan of Action and Milestones and requires conditional statuses to be closed out within 180 days. Don't assume a missing backup control can simply be deferred — confirm eligibility against the rule.

What if our prime requires backup proof before award?

DFARS 252.204-7021 requires contractors to have and maintain the required CMMC status for systems that process, store, or transmit FCI or CUI, and its substance flows down to subcontracts and other contractual instruments — excluding commercial off-the-shelf items — when the subcontractor will process, store, or transmit FCI or CUI. If a prime is asking, treat it as a real award condition, not a formality.

Does CMMC Level 2 use NIST SP 800-171 Revision 2 or Revision 3?

CMMC Level 2 currently maps to NIST SP 800-171 Revision 2, which 32 CFR Part 170 incorporates by reference. Revision 3 exists and restates the requirements with different wording and identifiers, but it is not the controlling version for CMMC unless and until DoD amends the rule.


The bottom line

Backups are where a lot of CMMC plans quietly go sideways — not because the controls are exotic, but because the question gets framed wrong. You don’t need a “CMMC certified backup product,” because none exists. You need a backup whose data lives somewhere CMMC and DFARS allow, encrypted the way the rule requires, documented the way an assessor expects, and tested so it actually works on a bad day.

Get those right and backup stops being a liability and becomes one more piece of evidence that you control your CUI. Get them wrong and it’s the finding that costs you a re-architecture — or a contract.

Also relevant: CMMC Compliant File Sharing · NIST 800-171 Gap Analysis · Managed IT Services for Defense Contractors


Primary sources we read for this guide:

  • CMMC Program Final Rule, 32 CFR Part 170 — Federal Register (Oct. 15, 2024; effective Dec. 16, 2024) and eCFR (current).
  • DFARS acquisition rule, DFARS Case 2019-D041 — Federal Register (Sept. 10, 2025; effective Nov. 10, 2025).
  • DFARS 252.204-7012 and 252.204-7021 — Acquisition.gov.
  • NIST SP 800-171 Rev. 2 (requirements 3.8.9, 3.13.16, 3.13.11, 3.13.8, 3.8.1–3.8.6, 3.1.x, 3.3.x) and NIST SP 800-171A — NIST CSRC.
  • DoD CIO memo, "FedRAMP Moderate Equivalency for Cloud Service Provider's Cloud Service Offerings," Dec. 21, 2023.
  • DoD CMMC FAQ (encrypted CUI in external cloud) and CMMC Level 2 Scoping Guide — DoD CIO.
  • Cyber AB CMMC Assessment Process (CAP) and R2002 C3PAO Accreditation Requirements.
  • FedRAMP Marketplace — fedramp.gov/marketplace (Commvault Cloud for Government, Druva, Rubrik Security Cloud–Government, Microsoft 365 GCC and GCC High).
  • Microsoft 365 Backup pricing — Microsoft.

Last verified: June 12, 2026. We re-verify rule versions, phase timing, the FedRAMP equivalency standard, named-offering FedRAMP status, and cost figures quarterly.

The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. This guide is editorial analysis, not legal, contractual, or compliance advice. We are not affiliated with the Cyber AB, the Department of Defense, DIBCAC, NIST, or FedRAMP, and we do not guarantee any certification outcome. Verify provider FedRAMP status on the FedRAMP Marketplace and confirm current clause text on Acquisition.gov before you act.