SC.L2-3.13.16 Data at Rest

Protect the confidentiality of CUI at rest.

Source: NIST SP 800-171 Rev 2 3.13.16

Discussion: Information at rest refers to the state of information when it is not in process or in transit and is located on storage devices as specific components of systems. The focus of protection at rest is not on the type of storage device or the frequency of access but rather the state of the information. Organizations can use different mechanisms to achieve confidentiality protections, including the use of cryptographic mechanisms and file share scanning. Organizations may also use other controls including secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved or continuous monitoring to identify malicious code at rest. See [NIST CRYPTO].

Assessment Objectives:

Determine if:

[a] the confidentiality of CUI at rest is protected.

Examine: [SELECT FROM: System and communications protection policy; procedures addressing protection of information at rest; security plan; system design documentation; list of information at rest requiring confidentiality protections; system configuration settings and associated documentation; cryptographic mechanisms and associated configuration documentation; other relevant documents or records].

Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; system developer].

Test: [SELECT FROM: Mechanisms supporting or implementing confidentiality protections for information at rest].
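The "file share scanning" mechanism named in the Discussion, and the kind of check an assessor could run for the Test objective above, as an added example that is not part of NIST SP 800-171 or the CMMC assessment guide. It takes an inventory of files holding CUI at rest and flags any not stored in an encrypted form; the protection test is an assumption of this example (a known encrypted-container header, or byte entropy close to 8 bits/byte), and the sample share is constructed in a temporary directory.

```python
import math
import os
import tempfile
from collections import Counter

# Headers of two common encrypted container formats. Treating these as "protected"
# is this example's assumption about what encrypted CUI looks like on the share.
ENCRYPTED_HEADERS = (
    b"age-encryption.org/v1",          # age
    b"-----BEGIN PGP MESSAGE-----",    # ASCII-armored OpenPGP
)
ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext is close to 8.0, text ~4-5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (0.0 if empty)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    """True if the bytes carry a known encrypted-container header or high entropy."""
    if any(data.startswith(h) for h in ENCRYPTED_HEADERS):
        return True
    # Entropy of very short files is unreliable; only trust it on a real sample.
    return len(data) >= 256 and shannon_entropy(data[:65536]) >= ENTROPY_THRESHOLD


def scan_inventory(inventory: list[str]) -> list[str]:
    """Return the inventoried CUI files that do not appear to be encrypted at rest."""
    findings = []
    for path in inventory:
        with open(path, "rb") as fh:
            if not looks_encrypted(fh.read(65536)):
                findings.append(path)
    return findings


def demo_scan() -> list[str]:
    """Constructed sample share: one plaintext CUI file and two protected ones."""
    root = tempfile.mkdtemp()
    samples = {
        "contract.txt": b"CUI: contract pricing schedule, not for release.\n" * 8,
        "contract.txt.age": b"age-encryption.org/v1\n" + os.urandom(512),
        "drawings.bin": os.urandom(4096),  # stands in for an AEAD-sealed blob
    }
    paths = []
    for name, content in samples.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(content)
        paths.append(path)
    return [os.path.basename(p) for p in scan_inventory(paths)]
```

Compressed archives also score near 8 bits/byte, so the entropy signal is a screening aid for the Examine/Test steps, not proof of encryption; the authoritative evidence remains the cryptographic mechanism's configuration.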

SPRS Score: 1

POA&M Allowed: Yes