Control 3.13.16
Protect CUI at Rest
Official Requirement
Protect the confidentiality of CUI at rest.
What This Means in Plain English
CUI stored on any system must be encrypted. Whether it sits on a server hard drive, in a database, or in cloud storage, CUI at rest must be protected so that physical theft of the storage media does not expose the data.
How Petronella Implements This Control
Petronella Technology Group implements this control through:
- BitLocker full-disk encryption on all Windows workstations and servers containing CUI
- SQL Server Transparent Data Encryption (TDE) for databases containing CUI
- Microsoft 365 encryption for CUI stored in SharePoint and OneDrive
- Veeam backup encryption for all backup repositories containing CUI
- ComplianceArmor tracking encryption-at-rest status for all CUI storage locations
Assessment Guidance
Assessors will verify that CUI storage is encrypted at rest, check BitLocker status on workstations and servers, review database encryption configurations, and confirm that backup storage is encrypted.
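As an added example (not Petronella's tooling or ComplianceArmor), the PowerShell check below inventories the two items assessors look at first, BitLocker status on local volumes and TDE status on a SQL Server instance, and lists anything that would not pass. It assumes the BitLocker and SqlServer PowerShell modules are installed; `$SqlInstance` is a placeholder for the CUI database host.

```powershell
# Added example: report encryption-at-rest gaps for BitLocker volumes and
# SQL Server TDE databases. Assumes the BitLocker and SqlServer modules are
# available and the caller can query the instance in $SqlInstance (placeholder).
param(
    [string]$SqlInstance = 'localhost'
)

Import-Module BitLocker -ErrorAction Stop
Import-Module SqlServer  -ErrorAction Stop

$findings = @()

# 1. BitLocker: every volume (removable media included) must be fully
#    encrypted AND have protection turned on; a suspended or in-progress
#    volume still exposes CUI if the disk is stolen.
foreach ($vol in Get-BitLockerVolume) {
    $ok = ($vol.VolumeStatus -eq 'FullyEncrypted') -and ($vol.ProtectionStatus -eq 'On')
    if (-not $ok) {
        $findings += [pscustomobject]@{
            Scope  = "Volume $($vol.MountPoint)"
            Status = "$($vol.VolumeStatus), protection $($vol.ProtectionStatus), $($vol.EncryptionPercentage)% encrypted"
        }
    }
}

# 2. SQL Server TDE: sys.databases.is_encrypted flips to 1 only when TDE is on,
#    and dm_database_encryption_keys.encryption_state = 3 means the initial
#    encryption scan has finished. System databases (id 1-4) are skipped.
$tdeQuery = @"
SELECT d.name,
       d.is_encrypted,
       ISNULL(k.encryption_state, 0) AS encryption_state
FROM sys.databases d
LEFT JOIN sys.dm_database_encryption_keys k ON k.database_id = d.database_id
WHERE d.database_id > 4
"@
foreach ($db in Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $tdeQuery) {
    if (-not $db.is_encrypted -or $db.encryption_state -ne 3) {
        $findings += [pscustomobject]@{
            Scope  = "Database $($db.name) on $SqlInstance"
            Status = "TDE incomplete (is_encrypted=$($db.is_encrypted), encryption_state=$($db.encryption_state))"
        }
    }
}

if ($findings.Count -eq 0) { Write-Output 'All checked CUI storage is encrypted at rest.' }
else { $findings | Format-Table -AutoSize }
```

Run it on each workstation, server and database host in the CUI storage inventory; an empty findings list is the evidence an assessor expects for this control.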
Common Implementation Gaps
- CUI stored on unencrypted hard drives
- Databases containing CUI without encryption
- Cloud storage without encryption at rest
- Unencrypted backup repositories
- No inventory of CUI storage locations to verify encryption coverage
Cross-Framework Mapping
| Framework | Mapped Controls |
|---|---|
| NIST SP 800-53 | SC-28 |
| HIPAA | 164.312(a)(2)(iv) - Encryption and Decryption |
| PCI DSS | Req 3.4 - Render PAN unreadable anywhere it is stored |
Need Help Implementing 3.13.16?
Our CMMC-RP certified team can assess your current compliance posture and build a remediation plan.
Schedule a Compliance Assessment