Encryption at Rest
Encryption at rest protects data that is stored on physical media — hard drives, SSDs, databases, backup tapes, and cloud storage. Even if an attacker gains physical access to the storage media (through theft, improper disposal, or insider access), encryption prevents them from reading the data without the encryption key.
Common implementations include full-disk encryption (like BitLocker or FileVault), database encryption, file-level encryption, and cloud storage encryption. For Controlled Unclassified Information (CUI), the encryption must use FIPS 140-2 or FIPS 140-3 validated cryptographic modules.
Why It Matters
CMMC requires FIPS-validated encryption for CUI at rest. This is a concrete, verifiable requirement — assessors will confirm that storage locations containing CUI are encrypted and that the encryption uses validated modules. Verify that the cryptographic modules your solutions use are listed in the NIST Cryptographic Module Validation Program (CMVP) database.