NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-28(2) Offline Storage

Remove the following information from online storage and store offline in a secure location: {{ insert: param, sc-28.02_odp }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Removing organizational information from online storage to offline storage eliminates the possibility of individuals gaining unauthorized access to the information through a network. Therefore, organizations may choose to move information to offline storage in lieu of protecting such information in online storage.

Practitioner Notes

Data stored offline (tapes, removable drives, cold storage) still needs protection: physical security for the media and encryption of its contents, since the medium is not actively connected to your systems and cannot rely on network or host controls.

Example 1: Encrypt backup tapes before sending them to offsite storage with Iron Mountain or a similar service. Use hardware encryption on the tape drive (LTO encryption) with keys managed in your key management system. Track every tape with a barcode inventory system.

Example 2: For archived data on removable drives, use BitLocker To Go or VeraCrypt to encrypt the entire drive. Store the encrypted drives in a locked, access-controlled safe. Maintain a log of who accesses the safe and when, and verify the drives' integrity when they are accessed.
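As an added example (not part of the NIST text or of these notes) of the integrity check and access log that Example 2 calls for: a small Python tool, with hypothetical function names, that records a SHA-256 manifest of a removable drive's contents at archive time and verifies it each time the drive is pulled from the safe, appending the outcome to an access log. It assumes the manifest and the log are kept in the inventory system, not on the medium itself, so that a tampered drive cannot also rewrite its own manifest.

```python
import hashlib
import json
from datetime import datetime, timezone
from pathlib import Path

# Hypothetical helper names (not from SC-28(2)): one manifest per medium,
# created when the drive is archived and checked on every later access.

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path, media_id: str) -> dict:
    """Hash every file under root; store the result in the inventory record for media_id."""
    files = sorted(p for p in root.rglob("*") if p.is_file())
    return {
        "media_id": media_id,
        "created": datetime.now(timezone.utc).isoformat(),
        "files": {p.relative_to(root).as_posix(): sha256_file(p) for p in files},
    }

def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the medium's current contents with its manifest.
    Modified, missing and unexpected files are all reported, so silent
    corruption or tampering is caught before the archived data is trusted."""
    expected = manifest["files"]
    present = {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}
    modified = [n for n in expected if n in present and sha256_file(present[n]) != expected[n]]
    missing = [n for n in expected if n not in present]
    unexpected = [n for n in present if n not in expected]
    return {"ok": not (modified or missing or unexpected),
            "modified": modified, "missing": missing, "unexpected": unexpected}

def record_access(log_path: Path, media_id: str, person: str, result: dict) -> dict:
    """Append one JSON line per access: who handled which medium, when, and whether it verified."""
    entry = {"time": datetime.now(timezone.utc).isoformat(), "media_id": media_id,
             "person": person, "verified": result["ok"],
             "findings": {k: result[k] for k in ("modified", "missing", "unexpected")}}
    with log_path.open("a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry
```

A failed verification should be treated as an incident for that medium: quarantine the drive and fall back to a second copy rather than reading from it.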