System and Communications Protection 3.13.16

Protect the confidentiality of CUI at rest.

What Is This CMMC Control?

This control requires organizations to protect Controlled Unclassified Information (CUI) while it is stored on a device and is not being processed or transmitted. The expected mechanism is encryption of the stored data using FIPS-validated cryptography (see 3.13.11). The NIST SP 800-171 discussion also allows other protective measures, such as secure offline storage, in lieu of cryptographic mechanisms where encryption is not feasible. The goal is that if storage media is lost, stolen, or accessed by an unauthorized party, the CUI on it remains unreadable.

Control Intent

Prevent unauthorized disclosure of CUI by protecting its confidentiality when stored on organizational systems and storage devices.

Who This Control Applies To

  • All systems and storage devices that store CUI
  • Servers, workstations, laptops, and mobile devices containing CUI
  • Network-attached storage (NAS) and storage area networks (SAN) with CUI
  • Removable media (USB drives, external hard drives, backup tapes) containing CUI
  • Cloud storage services and virtual machines storing CUI
  • Database systems containing CUI
  • File shares and shared drives with CUI
  • Backup and archive systems containing CUI

Not Applicable When

  • Systems that only process or transmit CUI but never store it (extremely rare in practice)
  • Systems that have been formally scoped out of the CUI environment
  • Paper-based CUI storage (covered by physical security controls, not this technical control)

Key Objectives

  1. Ensure CUI stored on organizational systems remains confidential and protected from unauthorized access
  2. Implement technical controls that render CUI unreadable to unauthorized parties who gain physical or logical access to storage media
  3. Maintain protection of CUI throughout its lifecycle while in a stored state

Sample Self-Assessment Questions (Partial)

Does your organization store CUI on any computers, servers, or storage devices?

Are laptops or mobile devices used to store CUI?

Implementation Approaches (High-Level)

Full Disk Encryption (FDE) / BitLocker / FileVault

Operating-system-level encryption of entire disk volumes, protecting everything at rest on the volume: system files, applications, user data, and incidental copies such as page, hibernation, and temporary files. Note that this protection applies only while the volume is locked; once the OS has unlocked it at boot, access to the data is governed by the running system's access controls, not by the encryption.

File-Level or Folder-Level Encryption

Encryption applied to specific files, folders, or file shares containing CUI rather than entire disk volumes.

Database Encryption (TDE - Transparent Data Encryption)

Encryption of database files, backups, and transaction logs at the database engine level, protecting CUI stored in database systems. Because a backup of a TDE-protected database cannot be restored without the certificate or key that protects the database encryption key, that certificate must itself be backed up and stored separately from the database backups.
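As an added example (not code from the page or from ConformatIQ), the following PowerShell script shows how a practitioner would verify TDE state on a SQL Server instance rather than taking it on trust: it queries the documented sys.dm_database_encryption_keys view through the SqlServer module's Invoke-Sqlcmd, judges every database against a list of known CUI databases, checks that the protecting certificate has been backed up, and writes a CSV for the evidence file. The instance name, the CUI database list, and the report path are placeholders to replace with your own inventory.

```powershell
# Added example, not code from the page or from ConformatIQ: report the TDE state of every
# database on a SQL Server instance and flag CUI databases that are not fully encrypted.
# Assumes the SqlServer module (Invoke-Sqlcmd), a login with VIEW SERVER STATE and
# VIEW DEFINITION, and placeholder values for the instance name and CUI inventory.
param(
    [string]   $ServerInstance = 'SQL01\CUI',                    # placeholder instance
    [string[]] $CuiDatabases   = @('Contracts', 'Engineering'),  # placeholder inventory
    [string]   $ReportPath     = ".\tde-evidence-$(Get-Date -Format yyyyMMdd).csv"
)

# encryption_state values, from the documented sys.dm_database_encryption_keys view:
# 0/NULL no DEK, 1 unencrypted, 2 encrypting, 3 encrypted, 4 key change,
# 5 decrypting, 6 protection change. master/model/msdb cannot use TDE; tempdb is
# encrypted automatically once any user database is, so it is listed but not judged.
$tdeQuery = @"
SELECT  d.name                        AS DatabaseName,
        ISNULL(k.encryption_state, 0) AS EncryptionState,
        k.key_algorithm               AS KeyAlgorithm,
        k.key_length                  AS KeyLength,
        k.encryptor_type              AS EncryptorType,   -- CERTIFICATE, or ASYMMETRIC KEY for EKM/HSM
        k.percent_complete            AS PercentComplete
FROM    sys.databases d
LEFT JOIN sys.dm_database_encryption_keys k ON k.database_id = d.database_id
WHERE   d.name NOT IN ('master', 'model', 'msdb')
ORDER BY d.name;
"@

function Test-TdeRow {
    # Judges one row; accepts any object with the same property names so the logic can be
    # exercised on constructed rows without a live instance.
    param($Row, [string[]] $CuiDatabases)
    $state    = [int]$Row.EncryptionState
    $holdsCui = $CuiDatabases -contains "$($Row.DatabaseName)"
    $keyBits  = "$($Row.KeyLength)" -as [int]          # DBNull stringifies to '' and becomes $null
    $strong   = ("$($Row.KeyAlgorithm)" -eq 'AES') -and ($keyBits -ge 128)
    [pscustomobject]@{
        DatabaseName    = "$($Row.DatabaseName)"
        HoldsCui        = $holdsCui
        EncryptionState = $state
        Algorithm       = if ($state -eq 0) { 'none' } else { "$($Row.KeyAlgorithm)-$keyBits" }
        Encryptor       = "$($Row.EncryptorType)"
        # A CUI database passes only when fully encrypted (state 3) with AES-128 or longer.
        Compliant       = (-not $holdsCui) -or (($state -eq 3) -and $strong)
    }
}

$rows   = Invoke-Sqlcmd -ServerInstance $ServerInstance -Database master -Query $tdeQuery
$report = foreach ($r in $rows) { Test-TdeRow -Row $r -CuiDatabases $CuiDatabases }
$report | Format-Table -AutoSize
$report | Export-Csv -Path $ReportPath -NoTypeInformation   # retain as assessment evidence

# TDE backups are unreadable without the certificate that protects the DEK, so also
# confirm the certificate's private key has been backed up (sys.certificates records the date).
$certs = Invoke-Sqlcmd -ServerInstance $ServerInstance -Database master -Query @"
SELECT c.name, c.pvt_key_last_backup_date
FROM   sys.certificates c
JOIN   sys.dm_database_encryption_keys k ON k.encryptor_thumbprint = c.thumbprint;
"@
foreach ($c in $certs) {
    if ("$($c.pvt_key_last_backup_date)" -eq '') {
        Write-Warning "TDE certificate '$($c.name)' has never been backed up; its database backups cannot be restored elsewhere"
    }
}

if ($report | Where-Object { -not $_.Compliant }) { exit 1 }   # non-zero exit for scheduled runs
```

Run it from a scheduled job against each instance that holds CUI and keep the dated CSVs; a database that was "encrypted" but is stuck in state 2 (encryption scan never finished) or protected by a certificate that was never backed up is exactly the kind of gap an assessor will ask about.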

Cloud Storage Encryption

Encryption of CUI stored in cloud services, using either provider-managed keys or customer-managed keys held in the provider's key management service. With provider-managed keys the provider holds the key material; customer-managed keys give the organization control over key access policy, rotation, and revocation.

Backup and Archive Encryption

Encryption of backup media, backup files, and archived data containing CUI, including offsite and cloud copies. The key that protects a backup must be stored separately from the backup itself, or the encryption adds nothing when the media is lost.

Removable Media Encryption

Encryption of USB drives, external hard drives, and other removable storage devices used to store or transport CUI.

Virtual Machine and Virtual Disk Encryption

Encryption of virtual machine disk files and virtual hard disks in virtualized environments.

Secure Offline Storage (Compensating Control)

Physical security controls for CUI stored offline when encryption is not technically feasible, used as a compensating control.

Continuous Monitoring for Malicious Code (Compensating Control)

Enhanced monitoring and malware detection as a compensating control when encryption cannot be implemented, focused on detecting unauthorized access to CUI at rest.

Evidence & Assessment Notes

Expected Evidence

Organizations should maintain documentation and evidence demonstrating compliance with this control. Typical artifacts include the policy that requires encryption of CUI at rest, configuration records and status exports from the encryption mechanisms in use (for example full disk encryption status per device, database TDE state, cloud storage encryption and key settings), key management and recovery key escrow records, audit logs, access reviews, and the results of periodic verification that encryption is still enabled.

Plan of Action & Milestones (POA&M)

If encryption is not yet implemented, the POA&M should include a specific timeline for encryption deployment on each system type.

  • Prioritize encryption of mobile devices and removable media, which carry the highest risk of physical loss.
  • For legacy systems that cannot support encryption, document the compensating controls and a migration or retirement timeline.
  • Address encryption key management procedures if they are not yet documented.
  • Treat unencrypted backups as a high-priority item, since backup theft or loss is a common scenario.
  • Close cloud storage encryption gaps quickly; they are usually low-effort configuration changes.
  • Include encryption verification and monitoring procedures if none are in place.
  • For large environments, plan a phased deployment that covers the highest-risk systems first.
  • Cover the full data lifecycle (production, backup, archive) so there are no gaps in encryption coverage.

Frequently Asked Questions

What is the difference between encrypting data at rest versus data in transit?

Data at rest is information stored on devices (hard drives, databases, backups) while it is not being processed or transmitted. Data in transit is information moving across networks. This control (3.13.16) addresses stored data, while 3.13.8 addresses data in transit, requiring cryptographic mechanisms unless alternative physical safeguards are in place. Complete CUI protection requires covering both states.

Is full disk encryption sufficient to meet this control requirement?

Full disk encryption (such as BitLocker or FileVault) is generally sufficient for protecting CUI at rest on workstations, laptops, and servers, provided it is actually enabled on every volume that holds CUI, uses a FIPS-validated algorithm, and its recovery keys are escrowed and access-controlled. Keep in mind that it protects data only while the volume is locked; on a running, unlocked system the data is protected by the OS access controls. You must also ensure that backups, removable media, cloud storage, and databases containing CUI are separately encrypted, because full disk encryption on one system does not protect CUI stored elsewhere.

Can we use cloud storage services that encrypt data by default, or do we need additional encryption?

Cloud services that encrypt data at rest by default (such as Microsoft 365, AWS, and Azure) can meet this control requirement. However, you should verify that encryption is actually enabled on the specific services and storage you use, understand whether the provider or your organization controls the encryption keys, and confirm that the cryptographic module performing the encryption is FIPS 140-2 or 140-3 validated, as required by 3.13.11. Some organizations add customer-managed keys for tighter control over key access, rotation, and revocation.

What should we do if we have legacy systems that cannot support encryption?

Legacy systems that cannot support encryption require documented risk acceptance and compensating controls. Acceptable compensating controls include physical security (locked rooms, restricted access), enhanced monitoring and malware detection, or moving CUI off the legacy system entirely. You should also have a plan to migrate or retire systems that cannot be encrypted.

Do we need to encrypt every file that might temporarily contain CUI, like email attachments or downloaded documents?

Yes. If CUI is stored on a system, encrypt the entire storage volume so the CUI is protected wherever it lands: the Downloads folder, the mail client's cache, temporary files, and the page and hibernation files that can hold fragments of whatever was in memory. This is why full disk encryption is usually preferred over file-level encryption: it covers CUI in temporary and unexpected locations that file-level encryption would miss.

How do we prove to an assessor that our encryption is working correctly?

Assessors typically verify encryption through configuration screenshots, status reports from encryption management tools, and live demonstrations on sample systems (for example, manage-bde -status or Get-BitLockerVolume on Windows, fdesetup status on macOS, or a TDE state query on a database server). You should be able to show encryption status for representative systems, demonstrate that encryption keys and recovery keys are properly managed, and provide evidence that encryption is monitored and verified regularly. Simply having encryption software installed is not sufficient; you must prove it is active and properly configured.
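As an added example (not code from the page or from ConformatIQ), the following PowerShell script turns that evidence requirement into a repeatable check on a Windows endpoint or server. It reads every BitLocker volume with the built-in Get-BitLockerVolume cmdlet, which covers the OS volume, fixed data volumes, and attached removable (BitLocker To Go) media alike, compares each volume against a baseline, and writes a timestamped CSV. The baseline (XTS-AES only, a TPM-based protector on the OS volume, a recovery password protector present) and the report path are assumptions; align them with your own policy.

```powershell
# Added example, not code from the page or from ConformatIQ: collect BitLocker status for every
# volume on this machine, judge it against a baseline, and write a timestamped CSV as evidence.
# Requires the built-in BitLocker module (Windows 8 / Server 2012 or later) in an elevated shell.
# The baseline itself (XTS-AES only, TPM-backed protector on the OS volume, recovery password
# present) and the report path are assumptions; align them with your own policy.
param(
    [string[]] $AcceptedMethods = @('XtsAes256', 'XtsAes128'),
    [string]   $ReportPath      = ".\bitlocker-evidence-$env:COMPUTERNAME-$(Get-Date -Format yyyyMMdd).csv"
)

function Test-CuiVolumeEncryption {
    # Judges one volume. Accepts any object with the same property names as a BitLockerVolume,
    # so the rule set can be exercised on constructed objects without a live machine.
    param([Parameter(Mandatory)] $Volume, [string[]] $AcceptedMethods)

    $protectors = @($Volume.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    $findings   = [System.Collections.Generic.List[string]]::new()

    if ("$($Volume.ProtectionStatus)" -ne 'On') { $findings.Add('protection is not On') }
    if ("$($Volume.VolumeStatus)" -ne 'FullyEncrypted') { $findings.Add("volume status is $($Volume.VolumeStatus)") }
    if ($AcceptedMethods -notcontains "$($Volume.EncryptionMethod)") {
        $findings.Add("encryption method '$($Volume.EncryptionMethod)' is outside the baseline")
    }
    # Any TPM-based protector satisfies this baseline; require 'TpmPin' instead if your policy
    # mandates pre-boot authentication.
    if ("$($Volume.VolumeType)" -eq 'OperatingSystem' -and -not ($protectors -like 'Tpm*')) {
        $findings.Add('OS volume has no TPM-based key protector')
    }
    if ($protectors -notcontains 'RecoveryPassword') {
        $findings.Add('no recovery password protector, so nothing can be escrowed to AD or Entra ID')
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        MountPoint       = $Volume.MountPoint
        VolumeType       = "$($Volume.VolumeType)"       # OperatingSystem, or Data for fixed and removable
        ProtectionStatus = "$($Volume.ProtectionStatus)"
        VolumeStatus     = "$($Volume.VolumeStatus)"
        EncryptionMethod = "$($Volume.EncryptionMethod)"
        KeyProtectors    = ($protectors -join ';')
        Compliant        = ($findings.Count -eq 0)
        Findings         = ($findings -join '; ')
        CollectedUtc     = (Get-Date).ToUniversalTime().ToString('o')
    }
}

# Get-BitLockerVolume lists unencrypted volumes too (method 'None', protection Off), so a CUI
# volume that was never encrypted shows up as a finding rather than silently disappearing.
$report = Get-BitLockerVolume | ForEach-Object { Test-CuiVolumeEncryption -Volume $_ -AcceptedMethods $AcceptedMethods }
$report | Format-Table MountPoint, VolumeType, EncryptionMethod, ProtectionStatus, Compliant, Findings -AutoSize
$report | Export-Csv -Path $ReportPath -NoTypeInformation   # retain with the SSP evidence

if ($report | Where-Object { -not $_.Compliant }) { exit 1 }   # non-zero exit for scheduled or RMM runs
```

The evaluation is kept in a function separate from the collection so the same rules can run against an exported inventory from an endpoint management tool, and the non-zero exit code lets a scheduled task or RMM job raise a ticket when a machine drifts (a volume decrypted for troubleshooting and never re-enabled is the usual case).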

How ConformatIQ Helps With CMMC Readiness

ConformatIQ is an AI-assisted CMMC readiness platform designed to help organizations prepare for assessments more efficiently. The platform supports document generation such as SSPs and POA&Ms, guided readiness workflows, centralized evidence tracking, and interview preparation for assessments.


Information sourced from NIST SP 800-171 Rev. 2.