Data sitting on a disk without encryption is readable by whoever ends up holding the disk: a stolen laptop, a drive pulled from a retired server, a backup tape, a USB stick left in a car. SC.L2-3.13.16 requires that the confidentiality of CUI at rest is protected, which in practice means encrypting every place CUI is stored: local disks, servers, databases, backups, and removable media. The assessor will verify that all storage containing CUI is encrypted. Two related practices sit behind this one: SC.L2-3.13.11, which requires that any cryptography used to protect CUI (at rest or in transit) is FIPS-validated, so the encryption you point to has to be a validated module running in its approved mode, and SC.L2-3.13.10, which covers management of the keys that the encryption depends on.
What the assessor is actually evaluating
The assessor will check:
Encryption of workstations and servers: All systems storing CUI should have full-disk encryption (BitLocker, FileVault, or equivalent) with protection turned on, not merely a volume that was encrypted once and then had its protectors suspended.
Database encryption: If CUI is stored in databases, Transparent Data Encryption (TDE) or equivalent should be enabled, so that the data files, log files, and database backups are all unreadable outside the database engine.
Backup encryption: All backups of CUI must be encrypted.
Removable media protection: USB drives, external drives, and portable devices must be encrypted.
Cloud storage encryption: If CUI is stored in cloud services, encryption at rest must be enabled, and you must be able to show the setting and who controls the keys. A vendor's general statement that "data is encrypted" is not evidence.
What a realistic SSP definition looks like
Policy: “The organization encrypts all CUI at rest using FIPS-validated encryption. This includes all workstations, servers, databases, backups, and removable media. BitLocker (XTS-AES 256, with the Windows FIPS policy enabled) is enabled on all Windows systems. FileVault is enabled on all Macs. Databases use Transparent Data Encryption. Backups are encrypted using AES-256. Removable media must be encrypted before CUI is copied to it.”
Supporting details:
- Workstations and servers: BitLocker is enabled on all Windows systems with Group Policy enforcement. FileVault is enabled on all Macs.
- Databases: SQL Server uses Transparent Data Encryption. Other database platforms use their native at-rest encryption with AES-256.
- Backups: Backup software is configured to encrypt all backups using AES-256. Backups stored offsite are also encrypted.
- Removable media: USB drives issued to users come pre-encrypted. Any other USB drive must be encrypted (BitLocker To Go, or the macOS equivalent) before CUI is copied to it; the Windows policy “Deny write access to removable drives not protected by BitLocker” enforces this rather than relying on users to remember.
- Cloud storage: Encryption at rest is enabled on every service holding CUI. The SSP records who holds the keys (provider-managed or customer-managed) and how they are rotated, cross-referenced to SC.L2-3.13.10.
How to present your evidence
- Encryption at rest policy document: Describes encryption requirements for all storage types.
- BitLocker verification: Output of manage-bde -status or Get-BitLockerVolume (or a screenshot of the BitLocker control panel) showing Conversion Status: Fully Encrypted, Protection Status: On, and the encryption method for every volume. Show where recovery keys are escrowed (Active Directory, Entra ID, or your MDM); a lost recovery key turns an encrypted disk into lost data.
- FileVault verification: For Mac systems, show fdesetup status reporting FileVault is On, and where the personal recovery key is escrowed.
- Database encryption verification: For SQL Server, show the TDE state for each CUI database (encryption_state 3 in sys.dm_database_encryption_keys) and that the TDE certificate has been backed up. For other databases, show the equivalent encryption setting.
- Backup encryption verification: Show backup software configuration with encryption enabled. Provide backup logs showing encrypted backups.
- Removable media encryption: Show that USB drives and external drives are encrypted. Provide documentation of encryption policy for removable media.
- Cloud storage encryption: If CUI is in cloud services, show encryption is enabled in the service configuration.
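The evidence for workstations and servers is easier to produce, and harder for an assessor to argue with, when it comes from a script run across the CUI-scoped fleet rather than from one screenshot. The script below is an added example, not code from the original page or from any vendor: it uses Get-BitLockerVolume over WinRM to collect volume status, protection status, cipher, recovery-key escrow, and the Windows FIPS policy setting from each host, and flags anything that would fail the check. It assumes WinRM is enabled and the caller is a local administrator on each host; the host names are placeholders.

```powershell
# Added example (not from the original page): fleet-wide BitLocker evidence for
# SC.L2-3.13.16. Assumes WinRM is enabled and the account running this is a
# local admin on every target. Host names are placeholders for your CUI scope.
$computers = @('WKS-001', 'WKS-002', 'SRV-FILE01')   # assumption: CUI-scoped hosts

$report = foreach ($c in $computers) {
    try {
        Invoke-Command -ComputerName $c -ErrorAction Stop -ScriptBlock {
            # "System cryptography: Use FIPS compliant algorithms" is stored as the
            # DWORD Enabled under this LSA key; it is the usual 3.13.11 evidence.
            $fips = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' `
                     -Name Enabled -ErrorAction SilentlyContinue).Enabled -eq 1
            foreach ($v in Get-BitLockerVolume) {
                [pscustomobject]@{
                    Computer         = $env:COMPUTERNAME
                    Drive            = $v.MountPoint
                    VolumeStatus     = $v.VolumeStatus      # FullyEncrypted / EncryptionInProgress / FullyDecrypted
                    ProtectionStatus = $v.ProtectionStatus  # Off means the key is in the clear even if the volume is encrypted
                    Method           = $v.EncryptionMethod  # e.g. XtsAes256
                    Percent          = $v.EncryptionPercentage
                    # A RecoveryPassword protector is what gets escrowed to AD / Entra ID / MDM
                    RecoveryKey      = [bool]($v.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
                    FipsMode         = $fips
                }
            }
        }
    } catch {
        # An unreachable host is a finding too: it cannot be shown to be encrypted
        [pscustomobject]@{ Computer = $c; Drive = '-'; VolumeStatus = "UNREACHABLE: $($_.Exception.Message)"
                           ProtectionStatus = '-'; Method = '-'; Percent = 0; RecoveryKey = $false; FipsMode = $false }
    }
}

# A volume passes only if it is fully encrypted, protection is on, the cipher is
# AES-256, a recovery password exists, and the FIPS policy is set on the host.
$failures = @($report | Where-Object {
    $_.VolumeStatus -ne 'FullyEncrypted' -or
    $_.ProtectionStatus -ne 'On' -or
    $_.Method -notin @('XtsAes256', 'Aes256') -or
    -not $_.RecoveryKey -or
    -not $_.FipsMode
})

$stamp = Get-Date -Format 'yyyy-MM-dd'
$report   | Export-Csv -NoTypeInformation -Path ".\bitlocker-evidence-$stamp.csv"
$failures | Format-Table -AutoSize
"$($failures.Count) volume(s) fail the at-rest check; full report in bitlocker-evidence-$stamp.csv"
```

Run it monthly and keep the dated CSVs: a series of clean reports is stronger evidence of "consistent enforcement" than a single screenshot taken the week before the assessment. The ProtectionStatus check matters because a volume suspended for a firmware update stays FullyEncrypted while its key sits unprotected on disk; an assessor who knows BitLocker will ask about exactly that.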
Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.
Assessor: “Tell me how you protect CUI at rest. What encryption do you use?”
You: “All systems storing CUI have full-disk encryption. BitLocker on Windows, FileVault on Mac. Databases have TDE enabled. Backups are encrypted. Removable media are encrypted.” [Pull up encryption policy and verification screenshots]
Assessor: “Show me BitLocker is enabled on a system.”
You: [Run manage-bde -status or Get-BitLockerVolume, or open Settings showing BitLocker is on. Point to Protection Status: On and the volume fully encrypted]
Assessor: “What about your database?”
You: “SQL Server has Transparent Data Encryption enabled. All data is encrypted at rest.” [Pull up SQL Server configuration showing TDE is enabled]
Assessor: “Are your backups encrypted?”
You: “Yes. Our backup software is configured to encrypt all backups using AES-256. Here are the last month’s backup logs showing encrypted status.” [Pull up backup logs]
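For the database question, a query result dated the day of the assessment reads better than a screenshot of a properties dialog. The script below is an added example, not code from the original page or from Microsoft: it uses Invoke-Sqlcmd from the SqlServer PowerShell module to list the TDE state of every database on an instance, flags any CUI database that is not fully encrypted with AES-256, and checks that the TDE certificate's private key has been backed up. The instance name is a placeholder; the -TrustServerCertificate switch assumes SqlServer module 22 or later (drop it on older versions), and the account needs VIEW SERVER STATE.

```powershell
# Added example (not from the original page): TDE evidence for SC.L2-3.13.16.
# Requires the SqlServer module (Install-Module SqlServer). Instance is a placeholder.
$instance = 'SQL01\CUI'   # assumption: the instance hosting CUI databases

$query = @"
SELECT  d.name,
        d.is_encrypted,
        k.encryption_state,      -- 3 = encrypted, 2 = encryption in progress, NULL = no DEK at all
        k.key_algorithm,         -- AES or TRIPLE_DES_3KEY
        k.key_length,
        k.encryptor_type,        -- CERTIFICATE, or ASYMMETRIC KEY when the key lives in an EKM/HSM
        k.set_date
FROM    sys.databases d
LEFT JOIN sys.dm_database_encryption_keys k ON k.database_id = d.database_id
WHERE   d.name NOT IN ('master', 'model', 'msdb')
ORDER BY d.name;
"@

$rows = Invoke-Sqlcmd -ServerInstance $instance -Query $query -TrustServerCertificate

# is_encrypted = 1 alone is not enough: the DEK can still be mid-scan (state 2)
# or use 3DES. tempdb is excluded from the check because SQL Server encrypts it
# automatically once any user database is encrypted.
$notCompliant = @($rows | Where-Object {
    $_.name -ne 'tempdb' -and (
        $_.encryption_state -ne 3 -or
        $_.key_algorithm    -ne 'AES' -or
        $_.key_length       -ne 256 )
})

$rows | Format-Table -AutoSize
if ($notCompliant.Count -gt 0) {
    Write-Warning "Databases without compliant TDE: $($notCompliant.name -join ', ')"
}

# The TDE certificate is the thing that stands between you and an unrecoverable
# backup. pvt_key_last_backup_date is NULL if the private key was never exported.
Invoke-Sqlcmd -ServerInstance $instance -TrustServerCertificate -Query @"
SELECT name, expiry_date, pvt_key_last_backup_date
FROM   master.sys.certificates
WHERE  pvt_key_encryption_type_desc = 'ENCRYPTED_BY_MASTER_KEY';
"@
```

Keep the certificate query in the evidence pack even though the assessor asked only whether the database is encrypted. TDE without a backed-up certificate is an availability problem waiting to happen, and the same people who ask about 3.13.16 will ask about key management under 3.13.10 in the next breath.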
Common failures
No full-disk encryption: Workstations or servers do not have BitLocker or FileVault enabled. If a device is stolen, CUI is readable.
Database is not encrypted: CUI is stored in plaintext in a database. Anyone who can copy the data files, log files, or a backup can read the CUI without ever going through the database's access controls.
Backups are unencrypted: Backup files contain plaintext CUI. An attacker with backup access can recover data.
Removable media is not encrypted: USB drives or external drives containing CUI are not encrypted.
No encryption in cloud storage: CUI is stored in a cloud service without encryption enabled.
What good looks like
Thorough encryption at rest: All systems, databases, backups, and removable media are encrypted. Encryption is verified on multiple systems, not just the one brought into the assessment room.
Consistent enforcement: Encryption is enforced via policy (Group Policy, MDM, backup job configuration). Users cannot disable it, and exceptions are documented.
If you use an MSP/MSSP
If your MSP manages systems or backups, ensure the service agreement specifies that all data at rest is encrypted. Request the same evidence you would show the assessor: BitLocker or FileVault status reports for managed systems, backup job configuration showing encryption enabled, and where recovery keys and backup encryption keys are held. Record the division of responsibility in your SSP. You are responsible for ensuring CUI at rest is protected, even if it is stored or managed externally.
This guide is for reference only and does not replace official CMMC documentation or professional compliance advice.