Compliance Considerations When Backing Up Microsoft 365 Data
Ensure your Microsoft 365 backups meet compliance requirements for CMMC, NIST 800-171, and other regulations. Learn key considerations to avoid violations.
This is Post #5 of our Cloud Backup Planning & Assessment for Microsoft 365 and Azure Series
If you missed the earlier posts, start here to get the full picture:

Microsoft builds tools into the Microsoft 365 platform to assist with your backup and recovery needs. However, the responsibility for protecting your data ultimately falls on you as the user. You can’t rely solely on what Microsoft provides, because any lost or damaged files in a data loss scenario remain your responsibility. With this in mind, compliance is exceedingly important while working on your Microsoft 365 backup projects.
Understanding the Shared Responsibility Model
It might seem as though you are entirely on your own when it comes to protecting and securing your data, but that isn’t quite right either. In reality, Microsoft operates on a shared responsibility model that splits up the responsibility for backup protection between the company and the user. Here are some things that Microsoft is responsible for:
- Physical Security of the Data Centers - Microsoft maintains the physical security of the data centers where your information is stored, including hiring security personnel to keep those centers safe.
- Network and Application Uptime - It is Microsoft’s responsibility to make certain that its applications are available for you to use whenever necessary. They aim for greater than 99.5% uptime.
- Providing Updates/Patches - Microsoft is also tasked with providing software updates and patches to its existing infrastructure over time, to take care of known threats or issues within the Microsoft 365 platform.
On the other hand, the user is responsible for the following:
- Protecting Against Accidental Deletions - When you are moving too fast, it is all too easy to delete something you did not intend to. When that happens, you ultimately have to take responsibility for it; Microsoft cannot go in and correct the accidental deletion for you.
- Meeting Compliance and Legal Standards - You should study and be familiar with the laws and rules around data retention and backups. You must meet the legal and compliance standards that apply to the type of data you retain for your customers. Failure to do so could lead to significant legal and financial consequences.
- Ensuring the Recoverability of Important Data - You need to work out how you can recover the most important types of data within your business infrastructure. This is on you to do, and Microsoft cannot jump in to assist you with it.
There are certain responsibilities that fall squarely on the shoulders of each party. You should make yourself familiar with what your responsibilities are so that you know what steps to take to meet your obligations.
Key Compliance Considerations in Backups
Certain considerations need to climb to the top of the list when thinking about how you will approach backing up your data within the Microsoft 365 platform. Here are some of the top things that you want to include on that list:
- Data Retention Policies - What specific pieces of data do you need to retain, and for how long? If you don’t have specific answers to those questions, you need to spend more time thinking about your data retention policies. You need a highly specific set of policies here, because you don’t want to find yourself scrambling to figure this out after a loss.
- Access Control - One reason some data leaks happen is that people who have no legitimate reason to access certain data end up with it anyway. You should address that issue immediately. Don’t leave access to your sensitive files in the hands of just anyone; instead, limit access to those who have a true business reason to use that information.
- Geolocation of Backup Storage - The physical location where you store your backup data is also worthy of your attention. Ideally, you will store backup copies of your data away from the main data centers. This redundancy can help you avoid complete disaster if something happens to your main data storage location.
Keep all of these things in mind and consider taking this project on step-by-step. It is a lot of work to tackle, but it is well worth it to know that your backup procedures are in place and ready to go.
Backing Up CUI, FCI, or ITAR Data in Microsoft 365
Any data that falls into the category of CUI, FCI, or ITAR data is extremely sensitive because it is some of the most highly protected government data in existence. However, private entities sometimes have access to this data if they are partnering with the government in any way to manage and use that data. Therefore, if you find yourself in possession of CUI, FCI, or ITAR data, you need to understand how to keep that information secure and compliant.
Fact: This type of data is at an extremely heightened risk of cyberattack. Foreign actors have a particular interest in stealing this data for nefarious reasons, which is why you need to follow all applicable compliance standards, including DFARS 252.204-7012, NIST SP 800-171, CMMC, and ITAR rules, when backing up this data. Those rules are in place for a reason: to ensure that the data is as secure as it can possibly be, to protect our nation and her secrets.
Best Practices for Setting Up Your Microsoft 365 Backup Strategy
A few tactics have emerged over the years as the ideal way to run your Microsoft 365 backup strategy. The things that should be at the top of your list include:
- Documenting Your Strategy - Make certain that you have fully documented your Microsoft 365 backup strategy, so that you can see how it plays out over time as you continue to fine-tune it.
- Automate Retention Rules and Policies - Don’t leave anything to chance. Instead, automate as many of the retention policies as you can, so that everyone is on the same page whenever possible.
- Conduct Regular Audits - Ongoing audits are essential for verifying compliance with regulatory requirements, detecting potential risks, and ensuring that corrective measures are implemented before issues escalate.
Keeping your data safe and fully backed up is by far the best way to have peace of mind. For more information on how to take every necessary step to get there, contact us today.