February 12, 2021

Last Updated on January 12, 2024

The Cybersecurity Maturity Model Certification (CMMC) framework is the foundation of US Department of Defense (DoD) efforts to protect Controlled Unclassified Information (CUI) across its enormous global supply chain. The framework consists of 171 practices stacked across 17 domains and 43 capabilities, with each practice also fitting into one of the framework’s five cybersecurity maturity levels.

The CMMC Recovery (RE) domain activities focus on keeping the organization operational so it can perform its mission, execute its business function and/or deliver its services. This includes getting your systems up and running smoothly after an interruption (e.g., a cyber attack, IT failure or natural disaster), and preventing the loss of sensitive data. If you don’t have a recovery plan in place that covers the most likely outage risks your organization faces, you cannot adequately protect the government’s data and intellectual property (IP)—or your own. In the case of defense data, this shortfall could threaten US national security or the lives of our service members.

The What are the CMMC Recovery Domain Practices?

Recovery domain defines four practices across CMMC levels 2, 3 and 5. Each Recovery practice falls under either of two CMMC capabilities:

  • Manage backups
  • Manage backup information security continuity

There are two Recovery domain practices required for compliance with CMMC Level 2, the “stepping stone” between Level 1 (required to handle Federal Contract Information (FCI)) and Level 3 (required to handle CUI):

  • 2.137 Regularly perform and test data backups.

This control is self-explanatory. You need backups to restore data after a hardware or software outage, ransomware attack or other failure. To ensure you don’t lose any data you can’t afford to be without, you must systematically perform backups based on a cadence that you define in relation to your business requirements. This control also requires you to test backups at routine intervals to ensure you have what you think you have. Note that this practice applies to “all” your data, not just CUI or FCI.

  • 2.138 Protect the confidentiality of backup CUI at storage locations.

This practice sounds simple, but it has broad implications. First of all, what are “storage locations”? This could be anything from Network Attached Storage (NAS) drives to cloud backups to FTP services to flash drives to internal hard drives on laptops. Likewise, acceptable methods to ensure confidentiality for CUI while “at rest” could include encryption, controlling access to the backed-up data, physically securing all storage locations that hold CUI, and controlling how backed-up CUI is used.

There is one Recovery domain practice at CMMC Level 3:

  • 3.139 Regularly perform complete, comprehensive and resilient data backups as organizationally defined.

To implement this practice, you need to put tools and processes in place to reliably backup data so it can be quickly and smoothly recovered “no matter what.” As the CMMC Appendix B points out, “When attackers compromise machines, they often make significant changes to configurations and software. Sometimes attackers also make subtle alterations of data stored on compromised machines, potentially jeopardizing organizational effectiveness with polluted data. When the attackers are discovered, it can be extremely difficult for organizations without a trustworthy data recovery capability to remove all aspects of the attacker’s presence on the machine.” Therefore, you need regular backups that include complete system data (e.g., via imaging backups). And you need to ensure that all backups have at least one offline (not network connected) destination to protect them from malware and physical disasters like fire or flooding.

The fourth and final Recovery domain practice is only required at CMMC Level 5:

  • 5.140 Ensure information processing facilities meet organizationally defined information security continuity, redundancy, and availability requirements.

This control is about making your business and its cybersecurity components resilient, so that your controls can continue to protect CUI and ensure its availability even during an outage, data breach or other event. CMMC clarifies: “This practice requires an organization to do what is needed in order for their cybersecurity solutions to continue to function under stress or attack.” Typically, some combination of redundancy and continuity/hardening are required; e.g., setting up a redundant firewall that will automatically “cutover” if the primary firewall goes down.

What is needed to comply with the CMMC Recovery Domain controls?

The Recovery domain centers on managing backups and (at Level 5) ensuring resilience. Many organizations will be looking to automate most of these practices and procedures, especially where they want to achieve redundancy and fail-safes. A key approach, especially at Level 5, will be to eliminate single points of failure (SPOFs).

Beyond Level 2, cost and effort associated with achieving compliance with Recovery practices are likely to increase significantly. The total volume of data and number of systems you need to protect and the amount of CUI you handle will also impact your overall cost to establish a resilient, reliable and redundant backup process company-wide.

To coordinate backups and establish redundant/resilient procedures, many businesses will want to create a disaster recovery (DR) plan that identifies critical data assets and the contingencies for backing up and restoring them. DR plans can also include procedures like relocating critical work activities to alternate sites, keeping inventory buffers of critical products, and more.

Next steps

Looking for answers and peace of mind around your CMMC compliance goals? Contact Pivot Point Security to talk over your company’s unique scenario with a CMMC expert.