
What CMMC Does Not Say About Recovering From Ransomware
A defense contractor can hold a clean CMMC assessment and still lose access to its own controlled unclassified information for a week to ransomware. The certificate measures whether you keep CUI confidential. It says almost nothing about whether you can get it back.
The gap is easy to miss because CMMC feels thorough while you prepare for it. The program rule, 32 CFR Part 170, became effective on 16 December 2024, and the assessment is demanding. Its demand is pointed almost entirely at protecting CUI from disclosure, not at proving you can recover it after a destructive attack.
What CMMC certifies
CMMC Level 2, the level that applies to contractors handling CUI, incorporates the 110 security requirements of NIST SP 800-171 Revision 2 by reference. An assessment checks those requirements against the 320 objectives in NIST SP 800-171A. NIST has since published Revision 3, but 32 CFR Part 170 points to Revision 2, so Revision 2 is the version a CMMC assessment uses today.
The standard does include an incident response family. Requirement 3.6.1 calls for an operational incident-handling capability that covers preparation, detection, analysis, containment, and recovery. That is a process requirement. It asks you to have a capability, not to demonstrate that a specific recovery point is clean and restorable.
800-171 was written for one purpose: protecting CUI from unauthorized disclosure. Confidentiality is the design goal, which is why nearly every requirement maps to access, encryption, monitoring, or media handling. Availability and clean recovery were never the objective, so the absence of a recovery-proof requirement is by design rather than an oversight.
The incident response family reinforces this. Requirement 3.6.2 covers tracking and reporting incidents, and 3.6.3 requires testing the incident response capability. Testing the capability means exercising the plan. It does not mean restoring a system and confirming the recovered data is free of the attacker.
The recovery blind spot in 800-171
The clearest way to see the gap is the one control that names backups. Requirement 3.8.9 says to “protect the confidentiality of backup CUI at storage locations.” It sits in the Media Protection family, and it is about keeping backups encrypted and secret.
That is a confidentiality control. It does nothing to confirm the backup is free of ransomware, restorable, or current enough to matter. A contractor can satisfy 3.8.9 in full with an encrypted backup that happens to contain the attacker, and the assessment will not catch it.
CUI availability is the exposure the certificate misses
For a defense contractor, ransomware threatens CUI on two fronts. One is disclosure: many ransomware crews now exfiltrate before they encrypt, and stolen CUI is exactly what makes the defense base a target. That front is what CMMC is built to defend. The other is availability, and it is the side the certificate barely measures. Encrypted engineering data, program files, and delivery systems may never leave the building, and the program still stops while they are locked.
A contractor that cannot produce its CUI cannot meet milestones, ship, or invoice, certified or not. The CMMC certificate on the wall does not shorten that outage by an hour, because availability and clean restoration were never what it measured.
Picture a midsize supplier with a passing Level 2 assessment. Ransomware encrypts the file share holding CUI for an active program after dwelling for two weeks. Its backups are encrypted at rest, exactly as 3.8.9 requires, but the recent ones captured the intrusion. The team spends days restoring candidates to find one that predates the compromise, and the program deliverable slips while it does.
The gap flows down to your subcontractors
CMMC obligations follow the CUI. A prime contractor that flows CUI down to subcontractors carries their recovery posture as part of its own delivery risk. A subcontractor that is confidentiality-certified but cannot recover the CUI it processes is a single point of failure for the prime’s program.
The practical step is to extend the same recovery question down the chain: ask subcontractors for the clean-copy evidence the certification does not require, alongside proof of their certificate.
What to add beyond the certificate
Closing the gap is not a matter of waiting for a future CMMC level. It is a matter of adding the recovery evidence the standard does not ask for. Inspect the backups that hold CUI for ransomware and unauthorized encryption. Keep a named, most-recent clean recovery point for the systems the contract depends on, and hold the evidence.
A Level 2 certification also lasts three years, with an annual affirmation in between. Recovery readiness does not hold still that long, because the last clean recovery point changes every day. That makes it a continuous-validation problem rather than a point-in-time checkbox.
The practice this calls for is described in Ransomware Recovery Starts With a Provable Clean Recovery Point. The recovery view for security leaders sets out the clean-copy evidence a prime can ask for and a sub can hold, which is exactly what 3.8.9 never required.
Run a Recovery Posture Assessment
Find out which side your CUI is on. Inspect the backups that hold CUI and name the most recent recovery point you can prove is clean, by system.
Sources
[1] National Archives, 32 CFR Part 170, Cybersecurity Maturity Model Certification (CMMC) Program, effective 16 December 2024
[2] NIST, SP 800-171 Revision 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Superseded by Revision 3 (May 2024); CMMC continues to reference Revision 2 via 32 CFR Part 170
[3] Elastio, Active Cyber Resilience for Security Leaders
[4] Elastio, Ransomware Recovery Starts With a Provable Clean Recovery Point
[5] Elastio, Recovery Posture Assessment
[6] NIST, SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information