NetStable
Level 2 SC.L2-3.13.8

Implement cryptographic mechanisms to prevent unauthorized disclosure at rest

📖 What This Means

This control requires organizations to use encryption to protect sensitive data when it is stored (at rest). Encryption transforms data into a format that can only be read by someone who has the correct decryption key. This ensures that even if unauthorized individuals gain access to the storage media (like hard drives, databases, or cloud storage), they cannot read the data. For example, encrypting customer information in a database or encrypting files on a laptop ensures that the data remains secure if the device is lost or stolen. This practice is essential for protecting sensitive information, especially in industries like defense contracting, where data breaches can have severe consequences.

🎯 Why It Matters

Data at rest is a prime target for cybercriminals because it is often stored in one location for extended periods, making it easier to exploit. Without encryption, unauthorized access to storage devices or databases can lead to data breaches, resulting in financial losses, reputational damage, and legal penalties. For example, in 2021, a major healthcare provider suffered a breach where unencrypted patient data was stolen, costing the company millions in fines and remediation. From a DoD/CMMC perspective, this control is critical because it ensures that Controlled Unclassified Information (CUI) is protected, even if physical or logical security measures fail.

How to Implement

  1. Enable server-side encryption for all storage services (e.g., AWS S3, Azure Blob Storage, Google Cloud Storage).
  2. Use cloud provider-managed keys or bring your own key (BYOK) for encryption.
  3. Encrypt databases using Transparent Data Encryption (TDE) for SQL databases or similar features for NoSQL databases.
  4. Ensure encryption is enabled for virtual machine disks (e.g., AWS EBS, Azure Managed Disks).
  5. Configure encryption for backups and snapshots.
  6. Regularly audit encryption settings using cloud provider tools or third-party solutions.
  7. Train staff on cloud encryption best practices and policies.
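Step 6 above (auditing encryption settings) is where most at-rest gaps are found in practice. The script below is an added example, not NetStable's or any cloud provider's tooling: it walks a constructed inventory shaped like the JSON that `aws ec2 describe-volumes`, `aws ec2 describe-snapshots`, `aws rds describe-db-instances` and, per bucket, `aws s3api get-bucket-encryption` return, and reports which volumes, snapshots, databases and buckets lack encryption at rest. The account number, resource IDs and key ARN are placeholders; in a real audit the `SAMPLE_INVENTORY` dict would be replaced with live API output.

```python
"""Encryption-at-rest audit over cloud resource descriptions (added example)."""
from __future__ import annotations

from dataclasses import dataclass

# Placeholder KMS key ARN (constructed; not a real key).
EXAMPLE_KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"

# Constructed sample data. Field names follow the AWS API responses named in the
# lead-in; the resources themselves are invented for this example.
SAMPLE_INVENTORY = {
    "Volumes": [
        {"VolumeId": "vol-0aaa", "Encrypted": True, "KmsKeyId": EXAMPLE_KEY},
        {"VolumeId": "vol-0bbb", "Encrypted": False},
    ],
    "Snapshots": [
        {"SnapshotId": "snap-0ccc", "Encrypted": True, "KmsKeyId": EXAMPLE_KEY},
        {"SnapshotId": "snap-0ddd", "Encrypted": False},
    ],
    "DBInstances": [
        {"DBInstanceIdentifier": "cui-db", "StorageEncrypted": True, "KmsKeyId": EXAMPLE_KEY},
        {"DBInstanceIdentifier": "dev-db", "StorageEncrypted": False},
    ],
    # Per-bucket result of get-bucket-encryption; None models a bucket for which
    # no default-encryption rule exists, which leaves nothing to evidence.
    "Buckets": {
        "cui-documents": {"ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": EXAMPLE_KEY}}]}},
        "public-assets": {"ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
        "legacy-exports": None,
    },
}


@dataclass(frozen=True)
class Resource:
    kind: str
    ident: str
    encrypted: bool
    detail: str  # key reference or the reason the resource is a gap


def _s3_default_algorithm(cfg) -> str | None:
    """Return the SSE algorithm of a bucket's default-encryption rule, or None."""
    if not cfg:
        return None
    rules = cfg.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo in ("AES256", "aws:kms", "aws:kms:dsse"):
            return algo
    return None


def classify(inventory) -> list[Resource]:
    """Normalise every storage resource into (kind, id, encrypted?, detail)."""
    out: list[Resource] = []
    for v in inventory.get("Volumes", []):
        out.append(Resource("ebs-volume", v["VolumeId"], bool(v.get("Encrypted")),
                            v.get("KmsKeyId", "no KMS key")))
    for s in inventory.get("Snapshots", []):
        out.append(Resource("ebs-snapshot", s["SnapshotId"], bool(s.get("Encrypted")),
                            s.get("KmsKeyId", "no KMS key")))
    for db in inventory.get("DBInstances", []):
        out.append(Resource("rds-instance", db["DBInstanceIdentifier"],
                            bool(db.get("StorageEncrypted")), db.get("KmsKeyId", "no KMS key")))
    for name, cfg in inventory.get("Buckets", {}).items():
        algo = _s3_default_algorithm(cfg)
        out.append(Resource("s3-bucket", name, algo is not None,
                            algo or "no default encryption rule"))
    return out


def findings(inventory) -> list[Resource]:
    """Resources that fail the at-rest requirement."""
    return [r for r in classify(inventory) if not r.encrypted]


def coverage(inventory) -> dict[str, tuple[int, int]]:
    """(encrypted, total) per resource kind, for the audit summary."""
    counts: dict[str, tuple[int, int]] = {}
    for r in classify(inventory):
        enc, total = counts.get(r.kind, (0, 0))
        counts[r.kind] = (enc + int(r.encrypted), total + 1)
    return counts


def report(inventory) -> str:
    """Plain-text report suitable for attaching as audit evidence."""
    lines = [f"{kind}: {enc}/{total} encrypted"
             for kind, (enc, total) in sorted(coverage(inventory).items())]
    lines += [f"GAP {r.kind} {r.ident}: {r.detail}" for r in findings(inventory)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_INVENTORY))
```

Run against the sample, the report lists four gaps (an EBS volume, a snapshot, a dev database and a bucket with no default-encryption rule), which is exactly the kind of "overlooked storage type" the Common Mistakes section warns about. Scheduling this against live inventory and keeping the output satisfies both step 6 and the audit evidence an assessor asks for.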
⏱️ Estimated Effort
Implementation typically takes 2-3 days for cloud environments and 3-5 days for on-premise setups. Requires intermediate skills in encryption and system administration.

📋 Evidence Examples

Encryption Policy Document

Format: PDF
Frequency: Annually or when updated.
Contents: Policy outlining encryption standards, key management procedures, and roles/responsibilities.
Collection: Export from document management system.

Encryption Configuration Screenshots

Format: PNG
Frequency: During audits or after changes.
Contents: Screenshots showing enabled encryption settings for databases, storage, and backups.
Collection: Capture from cloud console or system settings.

Key Management Logs

Format: CSV
Frequency: Monthly.
Contents: Logs showing key creation, rotation, and usage.
Collection: Export from key management solution.

Encryption Testing Results

Format: PDF
Frequency: Quarterly.
Contents: Documentation of decryption tests to ensure data accessibility.
Collection: Generate after testing.

Training Records

Format: Excel
Frequency: Annually.
Contents: Records of staff training on encryption policies.
Collection: Export from training management system.

📝 SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For SC.L2-3.13.8 ("Implement cryptographic mechanisms to prevent unauthorized disclosure at rest"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe your network security architecture, including segmentation, encryption standards, VPN configuration, session management, key management, and monitoring capabilities. Be specific -- name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"SC.L2-3.13.8 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to implement cryptographic mechanisms to prevent unauthorized disclosure at rest. The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."

On-Premise

"SC.L2-3.13.8 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to implement cryptographic mechanisms to prevent unauthorized disclosure at rest. Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."

Hybrid

"SC.L2-3.13.8 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

  • Document network architecture with CUI boundary clearly marked
  • Identify all encryption mechanisms (at rest and in transit)
  • Specify network monitoring and IDS/IPS deployment
  • Ensure this control covers all systems within your defined CUI boundary where the requirement to implement cryptographic mechanisms to prevent unauthorized disclosure at rest applies
  • Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

  • 📄 System and Communications Protection Policy
  • 📄 Network architecture diagram
  • 📄 Firewall rule documentation
  • 📄 Encryption configuration documentation
  • 📄 Evidence artifacts specific to SC.L2-3.13.8
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will review network diagrams for proper segmentation, test encryption settings, verify VPN split tunneling is disabled, and check FIPS 140-2 validation of cryptographic modules.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Is encryption enabled for all data at rest, including databases, storage, and backups?

✅ YES → Proceed to Q2.
❌ NO → GAP: Enable encryption for all relevant systems. Use tools like BitLocker or AWS S3 encryption. Complete within 1 week.

Question 2: Are encryption keys managed securely using a key management solution?

✅ YES → Proceed to Q3.
❌ NO → GAP: Deploy a key management solution like AWS KMS or Azure Key Vault. Complete within 2 weeks.

Question 3: Are encryption policies documented and communicated to all relevant staff?

✅ YES → Proceed to Q4.
❌ NO → GAP: Draft and distribute encryption policies. Complete within 1 week.

Question 4: Are decryption processes tested regularly to ensure data accessibility?

✅ YES → Proceed to Q5.
❌ NO → GAP: Schedule and document decryption tests. Complete within 2 weeks.

Question 5: Are encryption configurations audited periodically?

✅ YES → Compliant.
❌ NO → GAP: Conduct an audit of encryption settings and document findings. Complete within 1 month.

⚠️ Common Mistakes (What Auditors Flag)

1. Encryption not enabled for all data at rest.

Why this happens: Overlooking certain systems or storage types.
How to avoid: Conduct a comprehensive inventory of all data storage and ensure encryption is applied universally.

2. Using weak encryption algorithms.

Why this happens: Lack of awareness of FIPS 140-2 standards.
How to avoid: Always use FIPS 140-2 validated cryptographic modules.

3. Failure to securely manage encryption keys.

Why this happens: Reliance on manual key management processes.
How to avoid: Use a centralized key management solution like AWS KMS or Azure Key Vault.

4. Not testing decryption processes.

Why this happens: Assuming encryption will always work as intended.
How to avoid: Regularly test decryption to ensure data can be accessed when needed.

5. Incomplete documentation of encryption policies.

Why this happens: Focusing on implementation over documentation.
How to avoid: Document all encryption policies and ensure they are communicated to relevant staff.

📚 Parent Policy

This practice is governed by the System and Communications Protection Policy.


📚 Related Controls