Home / Guides / Cloud Backup for CMMC

Best Cloud Backup for CMMC: Offsite Media Protection That Recovers

Focus: cmmc cloud backup Veteran-run · practitioner guide Updated Jul 2026 ~9 min read
The short answer

For CMMC, the backup that counts is one that survives the thing that destroys everything else — an offsite, encrypted, immutable copy of your data. Cloud backup is the cleanest way for a small shop to get that third copy, satisfying the recovery intent behind the Media Protection controls. IDrive and Backblaze are the two I point contractors at first: both encrypt in transit and at rest, both keep versioned history, and both are cheap enough that "we couldn't afford it" stops being an excuse.

Nobody fails a CMMC assessment because their backups were too good. But plenty of small contractors have watched a ransomware crew encrypt the server and the backup drive sitting right next to it in the same instant — because they were on the same network, in the same building, with the same admin credentials. That's not a backup. That's a second copy in the blast radius.

Media Protection (MP) is one of the fourteen control families in NIST SP 800-171, and CMMC Level 2 is built on all 110 of those controls. MP is about controlling, protecting, and — when the time comes — sanitizing the media your data lives on. Recovery is the other half of the story: if you can't restore your systems and your controlled data after a failure, you don't really have the resilience the framework is asking for. An offsite backup is where those two ideas meet.

I've stood up backup for shops with a single server and for shops with a rack. The pattern that holds every time is old, boring, and correct: three copies, two kinds of media, one of them offsite and out of reach. Cloud is how most small contractors get that offsite leg without renting a second office. Here's how to think about it, and the two services I actually recommend.

Why offsite backup is a control, not a nicety

Think about the three things that end a small contractor's month: a drive dies, the office floods or burns, or ransomware walks in through a phishing email. A backup sitting on a USB drive plugged into the same machine survives none of them. A backup on a NAS in the same room survives the dead drive but not the fire or the theft. Only a copy that lives somewhere else — a different building, a different city, a cloud region — survives all three.

That's the whole argument. Media Protection asks you to protect the media your controlled data lives on, and the recovery expectation asks you to be able to bring your systems back. An offsite copy is the single cheapest way to answer both at once. When an assessor asks how you'd recover from a ransomware event, "we restore from our encrypted cloud backup, and here's the log showing we tested it last quarter" is a complete answer. "We have a backup drive in the server closet" is not.

Rule of thumb If your backup and the thing it protects can both be destroyed by one event — one fire, one theft, one ransomware run — you don't have a backup, you have a copy. Distance and immutability are what turn a copy into a control.

The 3-2-1 rule, in plain English

You'll see 3-2-1 in every backup guide ever written, because it's right. Here's the whole thing:

For a typical small shop that shakes out to: your working files, a local backup on a NAS you control, and a third encrypted copy in the cloud. The NAS gives you fast restores when someone fat-fingers a folder. The cloud gives you the survivable offsite copy for the day the building is the problem. Neither replaces the other — that's the point of two media types.

3-2-1 isn't written into NIST 800-171 by name. But it's the simplest architecture that satisfies the recovery and media-protection intent an assessor is looking for, and — more importantly — it's the one that actually saves you. Compliance is the reason you'll write it down. Not losing the business is the reason you'll do it.

The deadline that makes this urgent November 10, 2026 starts Phase 2, when Level 2 C3PAO third-party certification becomes a required condition of award on applicable DoD contracts. Backup and recovery evidence — including a tested restore log — is the kind of thing assessors ask for and shops scramble to produce. Stand up the offsite copy now so the evidence is already sitting in a folder when they ask.

Immutable backups vs. ransomware

Here's the detail that separates a modern backup from a 2010 one. Ransomware crews learned years ago that the first thing to destroy is the backup. If your cloud copy uses the same credentials as your live environment, or if it just mirrors whatever's on the server, the attacker encrypts your data and then reaches over and encrypts or deletes the backup too. Now you're paying the ransom.

Immutable backups shut that down. An immutable copy — sometimes called object lock, WORM (write once, read many), or version-locked storage — can't be altered or deleted for a set retention window, even by an account with admin rights. The attacker can encrypt your live data all day; the recovery copy sits there untouchable until the retention clock says otherwise. That's the difference between restoring on Tuesday afternoon and wiring Bitcoin to strangers.

When you evaluate a cloud backup for a contractor environment, immutability and versioned history are the features that matter most. Versioning means you can roll back to a point before the encryption happened; immutability means the attacker couldn't have poisoned that history in the first place. Both directly support the recovery and system-integrity intent behind the controls.

Encryption: what protects the media

Media Protection is largely a story about encryption. A stolen laptop, a lost backup drive, an intercepted upload — encryption is what makes those a non-event instead of a spill. So any backup you'd trust with contractor data needs to encrypt in transit (as it uploads) and at rest (while it sits in the cloud).

The better providers go one step further and offer a private encryption key — meaning the data is encrypted before it leaves your machine with a key only you hold, so even the provider can't read it. That's the strongest posture for protecting the media, and it's what I'd choose for anything touching controlled data.

Be honest in your SSP about this Provider-side encryption protects the media — that's the Media Protection control, and it's real. It is a separate question from whether the cryptographic module is FIPS 140-2 or 140-3 validated for protecting CUI itself, and from where your data is physically stored. Don't assume a marketing page answers either one. Confirm the provider's FIPS posture and data residency, and if you store CUI in the cloud, document that decision — and your FIPS-validated encryption path — explicitly. Write what's true, not what's convenient.

The two cloud backups I recommend

You don't need a boutique GovCloud contract to get a solid offsite copy in place. For most small contractors, one of these two does the job at a price that removes every excuse. Both encrypt in transit and at rest, both keep versioned history, and both let you hold your own private key.

IDrive

Best all-around · full-device backup

IDrive is the one I hand most small shops first. It backs up whole machines — servers, workstations, external drives, even NAS — under one account instead of charging per device, keeps up to 30 previous versions of every file, and offers private-key (end-to-end) encryption so the data is locked before it leaves your network. There's real-time and scheduled backup, and for a large first seed or a large restore they'll physically ship you a drive so you're not waiting on the internet. For a contractor building the offsite leg of 3-2-1, it hits the recovery and Media Protection intent without the enterprise price tag.

In-transit + at-rest encryptionPrivate key option30 versionsNAS + server backupMP.L2
Get IDrive cloud backup →

Backblaze

Simplest offsite · dead-simple pricing

Backblaze is the set-it-and-forget-it pick. Its Personal/Business Backup is unlimited for a flat per-computer price, so it just quietly protects every workstation without you doing math. For the technical shop, Backblaze B2 object storage supports Object Lock — true immutable, ransomware-proof backups you can point tools like Veeam or your NAS at as an offsite target. Data is encrypted in transit and at rest, with an optional private key. If you want the offsite copy running by the end of the day with the least fuss, this is it — and B2 with Object Lock is how you get the immutability that matters most.

In-transit + at-rest encryptionB2 Object Lock (immutable)Unlimited backup tierNAS-friendly targetMP.L2
Get Backblaze backup →

Which one? If you want a single service that backs up entire machines — including your NAS — under one bill, start with IDrive. If you want dead-simple per-computer backup or you're a more technical shop that wants Object-Lock immutability behind your existing backup software, go Backblaze. Plenty of contractors end up using both: IDrive for the whole-device coverage, B2 as the immutable target. There's no rule against belt and suspenders when the downside is losing the contract.

The on-prem companion Cloud is the offsite leg of 3-2-1 — not the whole thing. You still want a fast, private, local copy you control. That's the NAS. Read Best NAS for CMMC Backup for the local, on-prem half of this same story; pair it with one of the cloud services above and you've got all three copies covered.

The step everyone skips: test the restore

A backup you have never restored is a rumor. I've watched a shop discover, at the exact worst moment, that their nightly job had been silently failing for five weeks — plenty of green checkmarks, zero recoverable data. The only way you actually know your backup works is to restore from it.

So build the habit: at least once a quarter, pull a real file back from the cloud copy, and periodically run a full recovery to confirm you can stand systems back up end to end. Then write it down — the date, what you restored, that it worked. That short log is the recovery evidence an assessor wants to see, and the test itself is what keeps a bad backup from becoming a bad day. It takes fifteen minutes. Do it.

Want to know where your whole control set stands before you build anything else? The free SPRS score estimator tells you where you sit against the 110 controls in about two minutes — a fast baseline before you spend a dollar.

Skip the guesswork

Backups protect your data. This protects your contract.

An offsite backup is one control done right. Passing the assessment means documenting all of them: a System Security Plan written to your environment, the 20 required policies, a POA&M template, and the per-control SPRS scorer. The CMMC Level 2 DIY Compliance Kit is the whole paperwork layer, editable, built for a small shop doing this itself.

$2,995
one-time · lifetime updates · a fraction of a consultant's retainer
Audit-ready preparation for a fraction of consultant fees — not a substitute for your C3PAO assessment. Not legal advice.

Frequently asked questions

Does CMMC require an offsite or cloud backup?

CMMC Level 2 mirrors the 110 controls in NIST SP 800-171, and several of them — Media Protection and system recovery among them — expect you to protect backup media and be able to restore your systems after a failure. A single onsite backup sitting next to the server it protects fails both goals the moment there's a fire, theft, or ransomware event. An encrypted offsite copy, whether cloud or physically rotated, is how most small shops satisfy the recovery and media-protection intent.

What is the 3-2-1 backup rule?

Keep three copies of your data, on two different types of media, with one copy offsite. In practice that's your live data, a local backup on a NAS or drive, and a third encrypted copy in the cloud or rotated offsite. It's not a CMMC requirement by name, but it's the simplest pattern that satisfies the recovery and media-protection intent auditors are checking for — and it's what actually saves you when a drive dies or ransomware hits.

Is cloud backup enough, or do I still need a NAS?

For most small contractors the answer is both. A local NAS gives you fast, private, encrypted restores and a backup target you control. Cloud backup gives you the offsite, geographically separate copy that survives a fire or theft. Cloud is the third leg of 3-2-1, not a replacement for the local copy — restoring hundreds of gigabytes over the internet is slow, so you want the NAS for speed and the cloud for survivability.

Why does immutable backup matter for CMMC?

Immutable backups can't be altered or deleted for a set retention window, even by someone with admin credentials. That matters because modern ransomware hunts down and encrypts or wipes your backups first, then your live data. Object-lock or versioned, immutable storage means the attacker can't destroy your recovery copy, so you can restore instead of paying. It directly supports the recovery intent behind the Media Protection and system-integrity controls.

Does cloud backup handle encryption for CUI?

Good backup providers encrypt data in transit and at rest, and the better ones offer a private encryption key so only you can unlock it. That protects the media, which is the Media Protection control. It is a separate question from whether the encryption module is FIPS 140-2 or 140-3 validated for protecting CUI itself — confirm the provider's FIPS posture and where your data is stored, and document both in your SSP rather than assuming the marketing page answers it for you.

How often should a small contractor test restores?

A backup you've never restored is a hope, not a control. Test a real restore at least quarterly — pull a file, and periodically stand up a full recovery — and keep a short log of the date, what you restored, and that it worked. That log is exactly the evidence an assessor wants to see, and the test is what keeps a bad backup from surprising you on the worst possible day.