GRCWatch
Sign inStart free trial

SC.L2-3.13.16: Protect Controlled Unclassified Information at Rest

Data at rest represents your most vulnerable attack surface—unencrypted files on servers, backups, and endpoints are prime targets for breach. SC.L2-3.13.16 requires you to implement cryptographic controls to protect CUI when it's not in transit, ensuring confidentiality even if storage media is compromised or stolen.

What this means

This control mandates that all Controlled Unclassified Information stored on your systems—whether on hard drives, databases, cloud storage, or backup media—must be protected using encryption or equivalent cryptographic mechanisms. The goal is to render CUI unreadable to unauthorized parties if physical media is accessed, removed, or intercepted.

How to comply

  1. 1.Inventory all systems and storage locations where CUI resides (databases, file servers, cloud storage, backups, endpoints)
  2. 2.Implement AES-256 or stronger encryption for all CUI at rest across storage media
  3. 3.Configure full-disk encryption or volume-level encryption on all devices storing CUI
  4. 4.Encrypt database files and backup sets using FIPS 140-2 validated cryptographic modules
  5. 5.Establish and maintain cryptographic key management processes (generation, storage, rotation, destruction)
  6. 6.Document encryption standards, algorithms, and key handling procedures in security policies
  7. 7.Apply encryption consistently across production systems, development environments, and disaster recovery systems
  8. 8.Test decryption capabilities regularly to ensure recovery procedures work when needed

Evidence auditors look for

  • Encryption configuration reports showing AES-256 enabled on all storage volumes
  • Database encryption settings documentation (Transparent Data Encryption, column-level encryption)
  • Backup encryption logs and retention policies
  • Full-disk encryption deployment screenshots (BitLocker, FileVault, dm-crypt status)
  • Cloud storage encryption settings (S3 default encryption, Azure Storage Service Encryption)
  • Key management system documentation and audit logs
  • Encryption algorithm validation certificates (FIPS 140-2 compliance)
  • Annual encryption effectiveness testing results

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically discovers unencrypted CUI storage across your infrastructure, monitors encryption algorithm compliance, and tracks key rotation schedules—eliminating manual audits and encryption blind spots.

See how GRCWatch handles this control automatically

Start free trial

Related controls

SC.L2-3.13.1 — Confidentiality of CUISC.L2-3.13.15 — Data in TransitSI.L2-3.14.1 — Information System MonitoringAC.L2-3.1.1 — Access ControlCA.L2-3.15.1 — System and Communications Protection