Rubrik
by Rubrik
Covered: 9 controls. Partial: 2 controls. Gaps: 3 controls.
Overview
Rubrik by Rubrik is a backup & recovery solution that covers 9 NIST 800-171 controls (8% total coverage). It addresses key requirements in the backup & recovery domain for defense contractors pursuing CMMC compliance.
Implementation Notes
Deploy Rubrik with FIPS-validated configurations. Integrate with your SIEM for centralized audit logging. Review partial controls quarterly to identify supplementary tooling needs.
Implementation Guidance for Rubrik
Configure Rubrik for NIST 800-171 compliance by implementing these key controls:

For the System and Information Integrity (SI) family, enable continuous data monitoring with automated backup verification using Rubrik's Live Mount feature to ensure backup integrity. Configure anomaly detection policies through the Security Cloud to identify ransomware patterns and unauthorized data changes. Set backup frequency to align with the Recovery Point Objectives in your contingency plan.

For Contingency Planning (CP) controls, establish automated backup schedules across all CUI systems using SLA policies, ensuring geographic distribution through Rubrik's cloud archival to Azure/AWS. Configure instant recovery capabilities with Live Mount for critical systems to meet Recovery Time Objectives.

For Audit and Accountability (AU), enable comprehensive logging of all backup operations, recovery events, and administrative actions through the Rubrik audit trail. Export logs to your SIEM via API integration for centralized monitoring.

For Maintenance (MA) controls, implement role-based access controls limiting backup administration to authorized personnel only. Generate compliance reports using Rubrik's built-in reporting engine showing backup success rates, retention compliance, and recovery testing results. Integrate with Active Directory for authentication and with security tools like Splunk or QRadar for log correlation.

Common misconfigurations include insufficient backup frequency for CUI data, lack of offsite backup verification, inadequate access controls on backup administrators, and failure to test recovery procedures regularly. Ensure encryption at rest and in transit is properly configured for all backup data containing CUI.
Gap Analysis & Compensating Controls
The 3 uncovered NIST controls likely fall in the Access Control (AC), System and Communications Protection (SC), and Configuration Management (CM) families, where Rubrik has limited native capabilities. Access Control gaps require implementing dedicated Identity and Access Management solutions like CyberArk or Okta to handle multi-factor authentication, privileged access management, and session recording requirements. For System and Communications Protection, deploy network security tools such as Palo Alto firewalls or Cisco ISE for the boundary protection and network segmentation that Rubrik cannot provide. Configuration Management gaps need dedicated tools like Red Hat Satellite or Microsoft WSUS for patch management and baseline configuration enforcement.

Document these gaps in your System Security Plan by clearly stating Rubrik's role as backup/recovery only, with specific references to compensating controls. In your Plan of Action and Milestones, prioritize Access Control gaps first, as they carry the highest CMMC assessment weight, followed by boundary protection controls. System hardening and configuration management gaps can be addressed in subsequent phases. Ensure your assessment evidence clearly delineates which security functions are handled by Rubrik versus other tools, so the C3PAO is not confused during assessment. These gaps are common in point solutions and should not impact overall NIST 800-171 compliance when properly compensated with additional security tools in your technology stack.
Compliance Cost Estimate
Rubrik licensing ranges from $15,000-$50,000 annually depending on data volume and features required, with enterprise editions needed for compliance features costing toward the higher end. Implementation costs include 40-80 hours of professional services at $200-300/hour for initial configuration, policy setup, and integration with existing infrastructure. Ongoing monitoring requires dedicated backup administrator time (0.25-0.5 FTE) plus annual maintenance at 20% of license cost. Compared to competitors like Veeam or Commvault, Rubrik's total cost of ownership is 15-25% higher but offers superior cloud integration and automation capabilities. The compliance-specific features and built-in reporting justify the premium for defense contractors needing NIST 800-171 documentation. Factor in additional costs for cloud storage if using Rubrik's archival features, typically $0.02-0.05 per GB monthly.
Compliance Cross-References
Rubrik directly supports DFARS 252.204-7012 requirements for adequate security and safeguarding of covered defense information through its backup encryption and secure recovery capabilities. For CMMC Level 2, Rubrik addresses Asset Management (AM.2.061) through automated discovery and backup of CUI systems, and System Recovery (SI.2.214) with documented backup and recovery procedures. It supports Audit and Accountability (AU.2.041) by maintaining comprehensive logs of backup operations. However, additional tools are required for Access Control (AC.2.007-AC.2.016) and the System and Communications Protection domain. For FedRAMP alignment, Rubrik's cloud components can leverage FedRAMP-authorized cloud service providers, but the solution itself requires separate authorization. CMMC assessment objectives satisfied include demonstrating documented backup procedures, encryption of backup data, and recovery testing evidence. Assessors will require evidence of successful backup verification, geographic separation of backups, and integration with incident response procedures. Additional tools needed for complete CMMC Level 2 compliance include endpoint protection, network security appliances, and privileged access management solutions to address the remaining assessment objectives not covered by backup and recovery functions alone.
Frequently Asked Questions
How many NIST 800-171 controls does Rubrik cover?
Rubrik covers 9 of 110 NIST 800-171 controls (8%), with 2 partially covered and 3 gaps.
Can Rubrik alone satisfy CMMC Level 2?
No single tool covers all 110 NIST 800-171 controls. Rubrik covers 8% and should be part of a layered security stack addressing the remaining controls.
What controls does Rubrik not cover?
Rubrik does not cover controls ia-3-5-1, pe-3-10-1, ac-3-1-12. These require supplementary solutions such as physical security controls, additional access management, or media protection tools.