NetStable
Level 2 SC.L2-3.13.5

Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI at rest

📖 What This Means

This control requires encrypting sensitive data (CUI) when it is stored ("at rest") so that it cannot be read if the storage itself is compromised. Think of it like putting a lock on a filing cabinet—even if someone gets physical access, they can't read the documents without the key. Examples include encrypting engineering drawings on a file server or financial records in a database. The goal is that if a laptop is stolen or a hard drive is lost, the data remains protected because the attacker has the ciphertext but not the key.

🎯 Why It Matters

Unencrypted data at rest is a prime target for attackers. A 2023 Verizon report found that 45% of breaches involved data stored insecurely. For defense contractors, losing CUI could mean contract penalties (up to $11,000 per violation under DFARS), reputational damage, or national security risks. The DoD mandates this because encrypted data renders stolen information useless without the cryptographic keys. Example: In 2020, a defense subcontractor faced an $8.5M penalty after unencrypted blueprints were exfiltrated from an unsecured server.

✅ How to Implement

  1. Enable encryption for all storage services (e.g., AWS S3 default encryption, Azure Storage Service Encryption).
  2. Use a cloud-native KMS (Key Management Service) with FIPS 140-2 validated modules (e.g., AWS KMS, Azure Key Vault).
  3. Apply encryption to databases (e.g., AWS RDS with TDE, Azure SQL Transparent Data Encryption).
  4. Encrypt VM disks (e.g., AWS EBS encryption, Azure Disk Encryption with BitLocker).
  5. Enforce encryption via IAM policies (e.g., AWS S3 bucket policies denying unencrypted uploads).
  6. Log all key usage in cloud provider logs (e.g., AWS CloudTrail for KMS events).
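Step 5 in practice, as an added example that is not from this page or any AWS documentation: a bucket policy in the standard "deny unless SSE-KMS" shape, plus a small evaluator for the two IAM condition operators it uses, run against constructed PutObject requests. The bucket name is an assumed placeholder, and the evaluator deliberately ignores Principal and Resource matching.

```python
# Bucket ARN is an assumed placeholder for this example.
CUI_BUCKET_ARN = "arn:aws:s3:::example-cui-bucket/*"

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # rejects uploads that omit the server-side-encryption header entirely
            "Sid": "DenyPutWithoutSSEHeader", "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject", "Resource": CUI_BUCKET_ARN,
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
        {   # rejects uploads that name any SSE type other than KMS (e.g. AES256 = SSE-S3)
            "Sid": "DenyPutNotKms", "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject", "Resource": CUI_BUCKET_ARN,
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
        },
    ],
}


def condition_matches(operator, key, expected, context):
    """IAM semantics for the two operators used above; context = request condition keys."""
    actual = context.get(key)
    if operator == "Null":
        # "true" matches when the key is absent from the request, "false" when present
        return (actual is None) == (expected.lower() == "true")
    if operator == "StringNotEquals":
        # Negated operators also match when the key is missing, so this statement
        # alone would catch header-less uploads; the Null statement makes intent explicit.
        return actual is None or actual != expected
    raise ValueError(f"unsupported condition operator: {operator}")


def denying_statements(policy, action, context):
    """Sids of Deny statements whose every condition matches the request (explicit deny wins)."""
    hits = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != action:
            continue
        if all(condition_matches(op, k, v, context)
               for op, pairs in stmt["Condition"].items() for k, v in pairs.items()):
            hits.append(stmt["Sid"])
    return hits


if __name__ == "__main__":
    # Constructed PutObject requests: no header, SSE-S3 header, SSE-KMS header
    for ctx in ({}, {"s3:x-amz-server-side-encryption": "AES256"},
                {"s3:x-amz-server-side-encryption": "aws:kms"}):
        print(ctx, "->", denying_statements(BUCKET_POLICY, "s3:PutObject", ctx) or "allowed")
```

Since January 2023 S3 encrypts new objects with SSE-S3 by default, so the point of this policy is not "encrypted vs. plaintext" but forcing the customer-managed KMS key whose usage CloudTrail logs in step 6.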
⏱️ Estimated Effort

2-3 days for initial setup (mid-level IT skills), plus 2 hours/month for maintenance.

📋 Evidence Examples

Encryption Policy

Format: PDF/DOCX
Frequency: Annual review
Contents: Defines approved algorithms (AES-256), key management procedures, and roles.
Collection: Export from document management system.

Screenshot of BitLocker status

Format: PNG/JPEG
Frequency: Quarterly
Contents: Show 'Encryption on' for all drives in Windows Control Panel.
Collection: Snipping Tool + file naming convention (DeviceName_Date).

AWS KMS key rotation log

Format: CSV
Frequency: 90 days
Contents: Timestamp, key ID, rotation status.
Collection: AWS CLI: `aws kms list-keys --query 'Keys[*].KeyId' --output text` to enumerate key IDs, then `aws kms get-key-rotation-status --key-id <KEY_ID>` for each (list-keys alone does not report rotation status).

SQL Server TDE configuration

Format: SQL query output
Frequency: After changes
Contents: `SELECT name, is_encrypted FROM sys.databases` showing 1 for CUI databases.
Collection: Run in SSMS, save as .sql file.
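Producing the "AWS KMS key rotation log" evidence item above, as an added example that is not from this page: it joins the JSON shapes returned by `aws kms list-keys` and `aws kms get-key-rotation-status` into the timestamp / key ID / rotation status CSV and flags keys an assessor would ask about. Both API responses are constructed sample data.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample: shape of `aws kms list-keys` (KeyArn omitted for brevity)
LIST_KEYS_RESPONSE = {"Keys": [
    {"KeyId": "11111111-1111-1111-1111-111111111111"},
    {"KeyId": "22222222-2222-2222-2222-222222222222"},
]}
# Constructed sample: one `aws kms get-key-rotation-status --key-id <id>` response per key
ROTATION_RESPONSES = {
    "11111111-1111-1111-1111-111111111111": {"KeyRotationEnabled": True},
    "22222222-2222-2222-2222-222222222222": {"KeyRotationEnabled": False},
}
FIELDS = ["timestamp", "key_id", "rotation_status"]


def rotation_evidence_rows(list_keys, rotation_by_key, collected_at_iso):
    """One evidence row per key. A key with no rotation-status response is
    recorded as UNKNOWN rather than silently treated as rotated."""
    rows = []
    for key in list_keys["Keys"]:
        status = rotation_by_key.get(key["KeyId"])
        if status is None:
            state = "UNKNOWN"
        else:
            state = "ENABLED" if status.get("KeyRotationEnabled") else "DISABLED"
        rows.append({"timestamp": collected_at_iso, "key_id": key["KeyId"],
                     "rotation_status": state})
    return rows


def rows_to_csv(rows):
    """Serialise rows in the CSV layout the evidence item calls for."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def keys_needing_attention(rows):
    """Key ids an assessor will ask about: rotation off, or status never collected."""
    return [r["key_id"] for r in rows if r["rotation_status"] != "ENABLED"]


if __name__ == "__main__":
    rows = rotation_evidence_rows(LIST_KEYS_RESPONSE, ROTATION_RESPONSES,
                                  datetime.now(timezone.utc).isoformat())
    print(rows_to_csv(rows), end="")
    print("needs attention:", keys_needing_attention(rows))
```

Automatic rotation applies to customer managed symmetric keys only; AWS managed keys rotate on their own schedule and asymmetric keys cannot be auto-rotated, so exclude those from the export or note them in the matrix.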

πŸ“ SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For SC.L2-3.13.5 ("Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI at rest"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe your network security architecture, including segmentation, encryption standards, VPN configuration, session management, key management, and monitoring capabilities. Be specific -- name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"SC.L2-3.13.5 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to implement cryptographic mechanisms to prevent unauthorized disclosure of CUI at .... The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."

On-Premise

"SC.L2-3.13.5 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to implement cryptographic mechanisms to prevent unauthorized disclosure of CUI at .... Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."

Hybrid

"SC.L2-3.13.5 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

  • Document network architecture with the CUI boundary clearly marked
  • Identify all encryption mechanisms (at rest and in transit)
  • Specify network monitoring and IDS/IPS deployment
  • Ensure this control covers every system within your defined CUI boundary where CUI is stored at rest
  • Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

  • 📄 System and Communications Protection Policy
  • 📄 Network architecture diagram
  • 📄 Firewall rule documentation
  • 📄 Encryption configuration documentation
  • 📄 Evidence artifacts specific to SC.L2-3.13.5
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will review network diagrams for proper segmentation, test encryption settings, verify VPN split tunneling is disabled, and check FIPS 140-2 validation of cryptographic modules.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Is all CUI stored on systems (including backups) encrypted using FIPS 140-2 validated modules?

✅ YES → Proceed to Q2
❌ NO → GAP: Enable BitLocker/LUKS for workstations and TDE for databases within 14 days.
Remediation:
Use `manage-bde -status` (Windows) or `cryptsetup status <mapped-device-name>` (Linux) to verify.

Question 2: Are encryption keys rotated at least annually (or per organizational policy)?

✅ YES → Proceed to Q3
❌ NO → GAP: Schedule key rotation in AWS KMS/Azure Key Vault within 7 days.
Remediation:
Set calendar reminders for rotation dates.

Question 3: Is there documentation showing encryption methods for each CUI storage location?

✅ YES → Compliant
❌ NO → GAP: Create a matrix mapping CUI locations to encryption types within 10 days.
Remediation:
Template: Location | Data Type | Encryption Method | Key Management

⚠️ Common Mistakes (What Auditors Flag)

1. Encrypting only some CUI storage locations.

Why this happens: Overlooking legacy systems or assuming cloud providers handle encryption.
How to avoid: Inventory all CUI storage (spreadsheets, databases, file shares) and verify encryption per location.

2. Storing encryption keys with encrypted data.

Why this happens: Convenience (e.g., BitLocker recovery key on same drive).
How to avoid: Store keys in a separate physical or cloud location (e.g., print recovery keys and keep them in a sealed envelope in a safe, or escrow them in Active Directory/Entra ID rather than on the encrypted drive).

3. No evidence of FIPS 140-2 validation.

Why this happens: Using non-compliant tools like older TrueCrypt versions.
How to avoid: Verify modules at https://csrc.nist.gov/projects/cryptographic-module-validation-program.

📚 Parent Policy

This practice is governed by the System and Communications Protection Policy
