Level 5 CMMC - CMMC Practices

SC.3.191  

Reference: CMMC 1.02

Family: SC

Level Introduced: 3

Practice:
Protect the confidentiality of CUI at rest.

CMMC Clarification:
CUI at rest means information that does not move through the network and may be stored on hard drives, media, and mobile devices. Develop a scheme and implement the necessary security controls to protect the confidentiality of CUI at rest. Although an approved encryption method protects data stored at rest, there are other additional technical solutions. The scheme you choose should depend on your organization’s environment and business needs.

Example 1
You are an IT administrator at your organization responsible for protecting CUI at rest. Your company has a policy stating CUI must be protected at rest and you work to enforce that policy.

You research Full Disk Encryption (FDE) products that meet the FIPS encryption requirement. After testing, you roll out the encryption to all computers at your company to protect CUI at rest.

Example 2
You are an IT administrator for your company. While you have used encryption to protect the CUI on most of the computers at your company, you have some devices that do not support encryption. Your company creates a policy requiring these devices to be signed out when needed, stay in possession of the signer when checked out, and to be signed back in and locked up in a secured closet when the user is done with the device. At the end of the day each Friday, you audit the sign-out sheet and make sure all devices are returned to the closet.

3.13.16

Protect the confidentiality of CUI at rest.

Discussion:
Information at rest refers to the state of information when it is not in process or in transit and is located on storage devices as specific components of systems. The focus of protection at rest is not on the type of storage device or the frequency of access but rather the state of the information. Organizations can use different mechanisms to achieve confidentiality protections, including the use of cryptographic mechanisms and file share scanning. Organizations may also use other controls including secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved or continuous monitoring to identify malicious code at rest. See [NIST CRYPTO].

Source: NIST Special Publication 800-171 Rev. 2

SC-28

PROTECTION OF INFORMATION AT REST

Description:
The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest].

Supplemental Guidance:
This control addresses the confidentiality and integrity of information at rest and covers user information and system information. Information at rest refers to the state of information when it is located on storage devices as specific components of information systems. System-related information requiring protection includes, for example, configurations or rule sets for firewalls, gateways, intrusion detection/prevention systems, filtering routers, and authenticator content. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing Write-Once-Read-Many (WORM) technologies. Organizations may also employ other security controls including, for example, secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved and/or continuous monitoring to identify malicious code at rest. Related controls: AC-3, AC-6, CA-7, CM-3, CM-5, CM-6, PE-3, SC-8, SC-13, SI-3, SI-7.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02