Protect the confidentiality of CUI at rest
What This Means
This practice requires ensuring that Controlled Unclassified Information (CUI) stored on devices or systems is kept confidential and secure. This means encrypting the data so that even if someone gains unauthorized access to the storage medium, they cannot read or use the information. Think of it like locking a safe: only authorized individuals with the key can open it. For example, encrypting files on a laptop or database ensures that if the device is stolen, the data remains protected. Another example is encrypting backups stored on external drives to prevent unauthorized access if the drive is lost or stolen. The goal is to prevent data breaches and unauthorized disclosure of sensitive information.
Why It Matters
Failure to protect CUI at rest can lead to severe consequences, including data breaches, financial losses, and reputational damage. For instance, in 2019, a defense contractor faced a breach exposing sensitive military data due to unencrypted storage devices. Such incidents can cost millions in fines, litigation, and lost contracts. From a DoD perspective, protecting CUI at rest is critical to maintaining national security and ensuring that sensitive information does not fall into the wrong hands. CMMC emphasizes this control to mitigate risks associated with unauthorized access to stored data, ensuring compliance with federal regulations and safeguarding defense-related information.
How to Implement
- Enable encryption for all storage services (e.g., AWS S3, Azure Blob Storage, Google Cloud Storage).
- Use managed encryption keys or bring your own key (BYOK) for granular control.
- Configure access controls to restrict who can view or modify encrypted data.
- Enable logging and monitoring for encryption-related activities.
- Test encryption settings periodically to ensure they are functioning correctly.
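The steps above end with periodically testing that the encryption settings are actually in force. The following script is an added example, not part of this guidance page or of any vendor tooling: it evaluates an exported inventory of storage resources and flags the gaps a periodic test should catch (no default encryption, an algorithm that does not use a customer-managed key, key rotation disabled, logging off). The record shape is modelled loosely on the output of `aws s3api get-bucket-encryption` and `aws kms get-key-rotation-status`, but the inventory, bucket names, key ARN and the `logging_enabled` field are all constructed for this example and assumed to be produced by your own inventory job.

```python
"""Periodic at-rest encryption check over an exported storage inventory.

Assumption (example only): an inventory job has already written one
record per storage resource as JSON. Field names are modelled on the
AWS S3/KMS API responses but are NOT taken from any real account.
"""
import json

# Constructed sample inventory; not real data.
SAMPLE_INVENTORY = json.dumps([
    {
        "resource": "s3://cui-documents",
        "purpose": "primary",
        "default_encryption": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:us-gov-west-1:111122223333:key/EXAMPLE-KEY-ID",
        },
        "kms_key": {"KeyManager": "CUSTOMER", "KeyRotationEnabled": True},
        "logging_enabled": True,
    },
    {
        # Common gap: the backup location was never given default encryption.
        "resource": "s3://cui-backups",
        "purpose": "backup",
        "default_encryption": None,
        "kms_key": None,
        "logging_enabled": True,
    },
    {
        # SSE-S3 (AES256) is encrypted, but with a provider-managed key,
        # so the organisation has no granular key control and no rotation log.
        "resource": "s3://cui-exports",
        "purpose": "primary",
        "default_encryption": {"SSEAlgorithm": "AES256"},
        "kms_key": None,
        "logging_enabled": False,
    },
])

# Algorithms that bind the object to a KMS key the organisation can manage.
ACCEPTED_ALGORITHMS = {"aws:kms"}


def assess_resource(record):
    """Return a list of finding strings for one storage resource (empty = pass)."""
    findings = []
    enc = record.get("default_encryption")
    if not enc:
        findings.append("no default encryption configured")
    else:
        algorithm = enc.get("SSEAlgorithm")
        if algorithm not in ACCEPTED_ALGORITHMS:
            findings.append(f"algorithm {algorithm!r} does not use a customer-managed key")
        key = record.get("kms_key") or {}
        if key.get("KeyManager") != "CUSTOMER":
            findings.append("key is not customer-managed (no BYOK / granular control)")
        elif not key.get("KeyRotationEnabled"):
            findings.append("key rotation is disabled")
    if not record.get("logging_enabled"):
        findings.append("access and encryption logging disabled")
    return findings


def assess_inventory(inventory_json):
    """Map each resource name to its findings."""
    return {r["resource"]: assess_resource(r) for r in json.loads(inventory_json)}


def is_compliant(report):
    """True only when every resource produced zero findings."""
    return all(not findings for findings in report.values())


if __name__ == "__main__":
    report = assess_inventory(SAMPLE_INVENTORY)
    for resource, findings in report.items():
        status = "PASS" if not findings else "FAIL"
        print(f"{status} {resource}")
        for f in findings:
            print(f"    - {f}")
    print("overall:", "compliant" if is_compliant(report) else "NOT compliant")
```

Run it on a fresh inventory export each cycle and keep the output with the date as the "encryption test results" evidence artifact; the backup bucket in the sample shows why backups must be in the inventory at all, since a check that only covers primary storage will never report them.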
Evidence Examples
Encryption policy document
Encryption configuration screenshots
Encryption key management logs
Encryption test results
Employee training records
SSP Guidance
Use this guidance when writing the System Security Plan (SSP) narrative for this control.
How to Write the SSP Narrative
For SC.L2-3.13.16 ("Protect the confidentiality of CUI at rest"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe your network security architecture, including segmentation, encryption standards, VPN configuration, session management, key management, and monitoring capabilities. Be specific -- name your actual products, settings, and responsible personnel.
Example SSP Narratives
"SC.L2-3.13.16 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to protect the confidentiality of CUI at rest. The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."
"SC.L2-3.13.16 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to protect the confidentiality of CUI at rest. Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."
"SC.L2-3.13.16 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."
System Boundary Considerations
- Document network architecture with the CUI boundary clearly marked
- Identify all encryption mechanisms (at rest and in transit)
- Specify network monitoring and IDS/IPS deployment
- Ensure this control covers all systems within your defined CUI boundary where "Protect the confidentiality of CUI at rest" applies
- Document any systems where this control is not applicable and explain why
Key Documentation to Reference in SSP
- System and Communications Protection Policy
- Network architecture diagram
- Firewall rule documentation
- Encryption configuration documentation
- Evidence artifacts specific to SC.L2-3.13.16
- POA&M entry if control is not fully implemented
What the Assessor Looks For
The assessor will review network diagrams for proper segmentation, test encryption settings, verify VPN split tunneling is disabled, and check FIPS 140-2 validation of cryptographic modules.
Self-Assessment Questions
Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.
Question 1: Is all CUI stored on your systems encrypted?
Question 2: Are encryption keys securely managed and stored?
Question 3: Are encryption settings periodically tested?
Question 4: Are employees trained on encryption policies?
Question 5: Are encryption logs monitored and reviewed?
Common Mistakes (What Auditors Flag)
1. Not encrypting backups.
2. Using weak encryption algorithms.
3. Failing to rotate encryption keys.
4. Inconsistent encryption across hybrid environments.
5. Not documenting encryption configurations.
Parent Policy
This practice is governed by the System and Communications Protection Policy.