NIST PR.DS-1: Protect Data at Rest
Data at rest—whether stored in databases, file systems, or backups—represents your organization's most vulnerable attack surface. PR.DS-1 requires that you encrypt, secure, and control access to inactive data so that breaches don't expose your most sensitive information. For SMBs managing customer records or intellectual property, this control is foundational to avoiding costly incidents.
What this means
PR.DS-1 mandates that all data stored across your infrastructure is protected against unauthorized access and theft. This includes encryption of sensitive data, secure key management, proper access controls, and secure disposal procedures. The control applies to data stored on servers, endpoints, cloud storage, and backup systems—anywhere data sits idle. Compliance means demonstrating that your organization has identified what data needs protection, applied appropriate safeguards, and verified those safeguards work.
How to comply
- 1.Inventory all data repositories (databases, file shares, cloud storage, backups) and classify data by sensitivity level.
- 2.Implement AES-256 or equivalent encryption for sensitive data at rest across all storage systems.
- 3.Establish and document encryption key management procedures, including generation, rotation, storage, and access controls.
- 4.Disable legacy unencrypted access methods and enforce encryption as a default setting in all data storage solutions.
- 5.Configure access controls so only authorized users and applications can decrypt and retrieve protected data.
- 6.Implement secure data disposal procedures (cryptographic erasure or physical destruction) for end-of-life data.
- 7.Test encryption and key recovery procedures quarterly to ensure they function as intended.
- 8.Document all data protection mechanisms and maintain evidence of encryption implementation across your environment.
Evidence auditors look for
- Encryption configuration reports from servers, databases, and cloud storage platforms showing AES-256 or stronger algorithms in use.
- Key management system documentation detailing how encryption keys are generated, stored, rotated, and protected.
- Access control logs proving only authorized personnel can access unencrypted keys or encrypted data.
- Data inventory spreadsheet mapping sensitive data types to storage locations and encryption status.
- Data disposal logs or certificates confirming encrypted or physically destroyed end-of-life data.
- Encryption testing results and validation reports from your most recent compliance audit or penetration test.
- Policies and procedures documentation for data protection, key management, and secure disposal.
- Cloud provider encryption attestations (AWS KMS, Azure Key Vault, GCP documentation) for data stored in managed services.
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch continuously monitors your servers, databases, and cloud storage to verify encryption is enabled, maps unencrypted data automatically, and generates audit-ready encryption reports—eliminating manual evidence gathering for PR.DS-1.
See how GRCWatch handles this control automatically
Start free trial