For CMMC, the backup that counts is one that survives the thing that destroys everything else — an offsite, encrypted, immutable copy of your data. Cloud backup is the cleanest way for a small shop to get that third copy, satisfying the recovery intent behind the Media Protection controls. IDrive and Backblaze are the two I point contractors at first: both encrypt in transit and at rest, both keep versioned history, and both are cheap enough that "we couldn't afford it" stops being an excuse.
Nobody fails a CMMC assessment because their backups were too good. But plenty of small contractors have watched a ransomware crew encrypt the server and the backup drive sitting right next to it in the same instant — because they were on the same network, in the same building, with the same admin credentials. That's not a backup. That's a second copy in the blast radius.
Media Protection (MP) is one of the fourteen control families in NIST SP 800-171, and CMMC Level 2 is built on all 110 of those controls. MP is about controlling, protecting, and — when the time comes — sanitizing the media your data lives on. Recovery is the other half of the story: if you can't restore your systems and your controlled data after a failure, you don't really have the resilience the framework is asking for. An offsite backup is where those two ideas meet.
I've stood up backup for shops with a single server and for shops with a rack. The pattern that holds every time is old, boring, and correct: three copies, two kinds of media, one of them offsite and out of reach. Cloud is how most small contractors get that offsite leg without renting a second office. Here's how to think about it, and the two services I actually recommend.
Think about the three things that end a small contractor's month: a drive dies, the office floods or burns, or ransomware walks in through a phishing email. A backup sitting on a USB drive plugged into the same machine survives none of them. A backup on a NAS in the same room survives the dead drive but not the fire or the theft. Only a copy that lives somewhere else — a different building, a different city, a cloud region — survives all three.
That's the whole argument. Media Protection asks you to protect the media your controlled data lives on, and the recovery expectation asks you to be able to bring your systems back. An offsite copy is the single cheapest way to answer both at once. When an assessor asks how you'd recover from a ransomware event, "we restore from our encrypted cloud backup, and here's the log showing we tested it last quarter" is a complete answer. "We have a backup drive in the server closet" is not.
You'll see 3-2-1 in every backup guide ever written, because it's right. Here's the whole thing:
For a typical small shop that shakes out to: your working files, a local backup on a NAS you control, and a third encrypted copy in the cloud. The NAS gives you fast restores when someone fat-fingers a folder. The cloud gives you the survivable offsite copy for the day the building is the problem. Neither replaces the other — that's the point of two media types.
3-2-1 isn't written into NIST 800-171 by name. But it's the simplest architecture that satisfies the recovery and media-protection intent an assessor is looking for, and — more importantly — it's the one that actually saves you. Compliance is the reason you'll write it down. Not losing the business is the reason you'll do it.
Here's the detail that separates a modern backup from a 2010 one. Ransomware crews learned years ago that the first thing to destroy is the backup. If your cloud copy uses the same credentials as your live environment, or if it just mirrors whatever's on the server, the attacker encrypts your data and then reaches over and encrypts or deletes the backup too. Now you're paying the ransom.
Immutable backups shut that down. An immutable copy — sometimes called object lock, WORM (write once, read many), or version-locked storage — can't be altered or deleted for a set retention window, even by an account with admin rights. The attacker can encrypt your live data all day; the recovery copy sits there untouchable until the retention clock says otherwise. That's the difference between restoring on Tuesday afternoon and wiring Bitcoin to strangers.
When you evaluate a cloud backup for a contractor environment, immutability and versioned history are the features that matter most. Versioning means you can roll back to a point before the encryption happened; immutability means the attacker couldn't have poisoned that history in the first place. Both directly support the recovery and system-integrity intent behind the controls.
Media Protection is largely a story about encryption. A stolen laptop, a lost backup drive, an intercepted upload — encryption is what makes those a non-event instead of a spill. So any backup you'd trust with contractor data needs to encrypt in transit (as it uploads) and at rest (while it sits in the cloud).
The better providers go one step further and offer a private encryption key — meaning the data is encrypted before it leaves your machine with a key only you hold, so even the provider can't read it. That's the strongest posture for protecting the media, and it's what I'd choose for anything touching controlled data.
You don't need a boutique GovCloud contract to get a solid offsite copy in place. For most small contractors, one of these two does the job at a price that removes every excuse. Both encrypt in transit and at rest, both keep versioned history, and both let you hold your own private key.
IDrive is the one I hand most small shops first. It backs up whole machines — servers, workstations, external drives, even NAS — under one account instead of charging per device, keeps up to 30 previous versions of every file, and offers private-key (end-to-end) encryption so the data is locked before it leaves your network. There's real-time and scheduled backup, and for a large first seed or a large restore they'll physically ship you a drive so you're not waiting on the internet. For a contractor building the offsite leg of 3-2-1, it hits the recovery and Media Protection intent without the enterprise price tag.
Backblaze is the set-it-and-forget-it pick. Its Personal/Business Backup is unlimited for a flat per-computer price, so it just quietly protects every workstation without you doing math. For the technical shop, Backblaze B2 object storage supports Object Lock — true immutable, ransomware-proof backups you can point tools like Veeam or your NAS at as an offsite target. Data is encrypted in transit and at rest, with an optional private key. If you want the offsite copy running by the end of the day with the least fuss, this is it — and B2 with Object Lock is how you get the immutability that matters most.
Which one? If you want a single service that backs up entire machines — including your NAS — under one bill, start with IDrive. If you want dead-simple per-computer backup or you're a more technical shop that wants Object-Lock immutability behind your existing backup software, go Backblaze. Plenty of contractors end up using both: IDrive for the whole-device coverage, B2 as the immutable target. There's no rule against belt and suspenders when the downside is losing the contract.
A backup you have never restored is a rumor. I've watched a shop discover, at the exact worst moment, that their nightly job had been silently failing for five weeks — plenty of green checkmarks, zero recoverable data. The only way you actually know your backup works is to restore from it.
So build the habit: at least once a quarter, pull a real file back from the cloud copy, and periodically run a full recovery to confirm you can stand systems back up end to end. Then write it down — the date, what you restored, that it worked. That short log is the recovery evidence an assessor wants to see, and the test itself is what keeps a bad backup from becoming a bad day. It takes fifteen minutes. Do it.
Want to know where your whole control set stands before you build anything else? The free SPRS score estimator tells you where you sit against the 110 controls in about two minutes — a fast baseline before you spend a dollar.
An offsite backup is one control done right. Passing the assessment means documenting all of them: a System Security Plan written to your environment, the 20 required policies, a POA&M template, and the per-control SPRS scorer. The CMMC Level 2 DIY Compliance Kit is the whole paperwork layer, editable, built for a small shop doing this itself.
CMMC Level 2 mirrors the 110 controls in NIST SP 800-171, and several of them — Media Protection and system recovery among them — expect you to protect backup media and be able to restore your systems after a failure. A single onsite backup sitting next to the server it protects fails both goals the moment there's a fire, theft, or ransomware event. An encrypted offsite copy, whether cloud or physically rotated, is how most small shops satisfy the recovery and media-protection intent.
Keep three copies of your data, on two different types of media, with one copy offsite. In practice that's your live data, a local backup on a NAS or drive, and a third encrypted copy in the cloud or rotated offsite. It's not a CMMC requirement by name, but it's the simplest pattern that satisfies the recovery and media-protection intent auditors are checking for — and it's what actually saves you when a drive dies or ransomware hits.
For most small contractors the answer is both. A local NAS gives you fast, private, encrypted restores and a backup target you control. Cloud backup gives you the offsite, geographically separate copy that survives a fire or theft. Cloud is the third leg of 3-2-1, not a replacement for the local copy — restoring hundreds of gigabytes over the internet is slow, so you want the NAS for speed and the cloud for survivability.
Immutable backups can't be altered or deleted for a set retention window, even by someone with admin credentials. That matters because modern ransomware hunts down and encrypts or wipes your backups first, then your live data. Object-lock or versioned, immutable storage means the attacker can't destroy your recovery copy, so you can restore instead of paying. It directly supports the recovery intent behind the Media Protection and system-integrity controls.
Good backup providers encrypt data in transit and at rest, and the better ones offer a private encryption key so only you can unlock it. That protects the media, which is the Media Protection control. It is a separate question from whether the encryption module is FIPS 140-2 or 140-3 validated for protecting CUI itself — confirm the provider's FIPS posture and where your data is stored, and document both in your SSP rather than assuming the marketing page answers it for you.
A backup you've never restored is a hope, not a control. Test a real restore at least quarterly — pull a file, and periodically stand up a full recovery — and keep a short log of the date, what you restored, and that it worked. That log is exactly the evidence an assessor wants to see, and the test is what keeps a bad backup from surprising you on the worst possible day.