Not CUI Compliant
4 NIST 800-171 gaps detected. Not FedRAMP authorized. Consumer-grade backup with no CUI protections. Cannot be used for backing up CUI data.
Carbonite / CrashPlan
by OpenText / CrashPlan
FedRAMP Status: Not FedRAMP Authorized
Impact Level: N/A
Category: Backup & Recovery
Overview
Carbonite and CrashPlan are consumer-grade cloud backup solutions commonly used by small businesses. They lack FedRAMP authorization, government-grade encryption, and the audit controls required for CUI protection. CUI data must not be backed up to these platforms.
CUI Risk Assessment
Not FedRAMP authorized. Consumer-grade backup with no CUI protections. Cannot be used for backing up CUI data.
Using Carbonite / CrashPlan in a Defense Contractor Environment
Carbonite and CrashPlan present significant compliance risks for defense contractors handling CUI. These consumer-grade backup solutions are frequently encountered in DCMA assessments when contractors attempt to back up technical drawings (ITAR/EAR), financial data, or employee PII to unauthorized cloud services. Within a CMMC Level 2 authorization boundary, these tools create immediate violations because they transmit CUI outside the approved security perimeter without encryption or access controls. DCMA assessors consistently flag Carbonite/CrashPlan usage as critical findings, particularly under NIST 800-171 controls 3.1.1 (limiting system access), 3.8.1 (protecting CUI confidentiality), and 3.13.8 (transmission confidentiality). No compensating controls can remediate the fundamental issue that CUI is being stored on non-FedRAMP infrastructure. Recent DIBCAC reviews have specifically cited these backup solutions in non-compliance findings, noting that contractors often deploy them without IT oversight, creating shadow IT risks. The tools lack the government-grade encryption, audit logging, and personnel security clearances required for CUI protection. Defense contractors must implement immediate containment by identifying all systems with these agents installed, verifying that no CUI has been backed up, and replacing them with FedRAMP Moderate authorized backup solutions before any CMMC assessment.
Deployment & Architecture
Deployment Model: Cloud SaaS (vendor-hosted)
Carbonite / CrashPlan lacks FedRAMP authorization. Using this tool for CUI processing violates DFARS 252.204-7012 requirements. Defense contractors must evaluate FedRAMP-authorized alternatives or implement and document compensating controls in their POA&M.
Migration Guidance
Defense contractors must immediately migrate away from Carbonite/CrashPlan to maintain CMMC compliance. The migration timeline typically requires 8-12 weeks across three phases: assessment (2 weeks), procurement (4-6 weeks), and deployment (2-4 weeks). Begin with forensic analysis to identify all endpoints with backup agents and verify whether CUI was inadvertently backed up; if CUI exposure occurred, immediate incident reporting under DFARS 252.204-7012 is required. Export non-CUI data using vendor tools while ensuring complete CUI data destruction from vendor systems with documented certificates. Procure FedRAMP Moderate alternatives like Druva inSync Gov, Carbonite Safe for Government, or Commvault Cloud (GovCloud). User training focuses on backup policy compliance and CUI identification, requiring 2-4 hours per user plus ongoing awareness. Update SSP Section 10 (Information System Architecture) and the authorization boundary diagrams to remove unauthorized cloud connections, and create POA&M entries for any interim risks. Document the migration in your SPRS score improvement plan. Recommended alternatives include Druva inSync Gov ($8-12/user/month), AWS Backup in GovCloud ($15-25/user/month), or on-premises Veeam solutions ($3,000-10,000 initial licensing). Total migration costs typically range $50,000-150,000 for mid-size contractors including licensing, professional services, and remediation efforts.
Migration Checklist
1. ISSO must immediately audit all endpoints to identify Carbonite/CrashPlan installations and create an inventory with the system owner responsible for each deployment.
2. Legal team must review data processing agreements to determine if CUI was backed up and assess breach notification requirements under DFARS 252.204-7012.
3. Sysadmin must disable all Carbonite/CrashPlan backup agents and block network access to prevent further CUI transmission until a compliant solution is deployed.
4. ISSO must update SSP Section 10.2 to remove unauthorized cloud backup services from the authorization boundary diagram and data flow documentation.
5. Contracts officer must procure a FedRAMP Moderate authorized backup solution (Druva inSync Gov, Carbonite Safe for Government, or equivalent) within 30 days.
6. Sysadmin must export non-CUI data using vendor export tools and document complete data deletion from Carbonite/CrashPlan systems with destruction certificates.
7. ISSO must create POA&M entries documenting the unauthorized cloud backup usage and remediation timeline per NIST 800-171 requirements.
8. System administrator must deploy the replacement backup solution with proper CUI marking and encryption controls per NIST 800-171 SC-28 requirements.
9. ISSO must conduct user training on backup policy compliance and CUI identification procedures to prevent future violations.
10. ISSO must update the SPRS score in SAM.gov to reflect remediation of backup security controls and prepare documentation for the next DCMA assessment.
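An added endpoint inventory script for steps 1 and 3 of the checklist above; it is example code, not part of this page or of any vendor tooling. It assumes Windows endpoints and that the agents can be recognised by the product names "CrashPlan" and "Carbonite" appearing in installed-program names, service names, or process names; it records every match with the responsible system owner and, with `-Disable`, stops and disables the matched services so no further data leaves the endpoint until the compliant solution is in place.

```powershell
# Added example (not from the page): inventory consumer backup agents on one Windows endpoint.
# Assumption: agents are matched by the product names "CrashPlan" / "Carbonite" in installed
# program names, service names and process names. Run elevated; -Disable performs step 3.
param(
    [string]$SystemOwner = "UNKNOWN",                 # fill from your asset inventory
    [switch]$Disable,                                 # stop + disable matched services
    [string]$OutCsv = ".\backup-agent-inventory.csv"
)

$patterns = @('*CrashPlan*', '*Carbonite*')
$findings = New-Object System.Collections.Generic.List[object]

function Test-Agent([string[]]$Names) {
    foreach ($n in $Names) { foreach ($p in $patterns) { if ($n -like $p) { return $true } } }
    return $false
}
function Add-Finding($Kind, $Name, $Detail, $Action = 'none') {
    $findings.Add([pscustomobject]@{
        Host = $env:COMPUTERNAME; Owner = $SystemOwner; Kind = $Kind
        Name = $Name; Detail = $Detail; Action = $Action
    })
}

# Installed programs: both the native and the 32-bit (WOW6432Node) uninstall hives.
$hives = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
         'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
foreach ($app in Get-ItemProperty -Path $hives -ErrorAction SilentlyContinue) {
    if (Test-Agent @($app.DisplayName)) {
        Add-Finding 'InstalledProgram' $app.DisplayName $app.InstallLocation
    }
}

# Services: record each one and, when requested, stop and disable it (checklist step 3).
foreach ($svc in Get-Service) {
    if (Test-Agent @($svc.Name, $svc.DisplayName)) {
        $action = 'none'
        if ($Disable) {
            Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
            Set-Service -Name $svc.Name -StartupType Disabled
            $action = 'stopped+disabled'
        }
        Add-Finding 'Service' $svc.Name $svc.Status $action
    }
}

# Running processes: a live agent marks the host for the CUI exposure review in step 2.
foreach ($proc in Get-Process) {
    if (Test-Agent @($proc.ProcessName)) { Add-Finding 'Process' $proc.ProcessName $proc.Id }
}

$findings | Export-Csv -Path $OutCsv -NoTypeInformation   # feeds the step 1 inventory
$findings | Format-Table -AutoSize
```

Run it from your endpoint management tool on every host and merge the CSVs into the inventory; a host with zero findings is still worth a second look if its user could install software without IT oversight.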
Compliance Cross-References
Carbonite/CrashPlan non-compliance creates cascading violations across multiple NIST 800-171 control families. Access Control (AC) violations occur under 3.1.1 because systems outside the approved boundary gain unauthorized access to CUI. System and Communications Protection (SC) controls 3.13.8 and 3.13.16 are violated through unencrypted CUI transmission to commercial cloud infrastructure. System and Information Integrity (SI) control 3.14.6 fails because contractors cannot monitor CUI within vendor systems. This triggers DFARS 252.204-7012 requirements for adequate security and for incident reporting if CUI exposure occurred. Under CMMC Level 2, these violations affect the Access Control (AC.L2-3.1.1), System and Communications Protection (SC.L2-3.13.8), and Audit and Accountability (AU.L2-3.3.1) domains, since backup activities cannot be properly audited. The tool's commercial cloud deployment prevents FedRAMP Moderate boundary compliance, creating immediate disqualification from DoD contracts requiring CMMC Level 2 certification. Organizations must remediate these findings before a CMMC assessment, as no compensating controls exist for unauthorized CUI storage in commercial cloud services.
NIST 800-171 Violations
Using Carbonite / CrashPlan for CUI without FedRAMP authorization may violate these NIST 800-171 controls:
FedRAMP Compliant Alternatives
Frequently Asked Questions
Can I use CrashPlan to back up CUI data?
No. CrashPlan and Carbonite are not FedRAMP authorized and lack the security controls required for CUI. Use Veeam Government or Commvault Government for compliant backup.