NIST 800-171 • LEVEL 2 • SYSTEM AND COMMUNICATIONS PROTECTION
3.13.16 — Protect the Confidentiality of CUI at Rest
Protect the confidentiality of CUI at rest.
CMMC Practice Mapping
NIST 800-53 Controls
Assessment Objectives
Assessment objectives not available for this requirement.
Practitioner Notes
CUI sitting on a laptop drive, a USB stick, a file server, a database, or a backup set needs to be encrypted so that someone who steals the device, pulls the disk, or reads the raw storage (snapshots, backup media, discarded hardware) gets only ciphertext. Two caveats matter when you write this up in the SSP: encryption at rest protects data only while the volume is locked, so a user or malware with a valid session on a booted, unlocked machine still reads CUI in the clear (that risk is covered by access control and endpoint hardening, not by 3.13.16); and the control is only as strong as the key management around it, so document where keys and recovery passwords live, who can retrieve them, and how that retrieval is logged.
Example 1: Enable BitLocker on all laptops and workstations that process or store CUI and push the settings by GPO under Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption. Under Operating System Drives, enable "Require additional authentication at startup" and set "Configure TPM startup PIN" to "Require startup PIN with TPM" so a stolen laptop cannot be booted straight to the logon screen with the key released from the TPM. Under the parent node, set "Choose drive encryption method and cipher strength" to XTS-AES 256-bit for all drive types, and under Operating System Drives enable "Choose how BitLocker-protected operating system drives can be recovered" with "Save BitLocker recovery information to AD DS" (or, for Microsoft Entra joined devices, the equivalent Intune disk encryption policy) so recovery passwords are escrowed rather than left on the user's own drive. For removable media, enable BitLocker To Go under Removable Data Drives and turn on "Deny write access to removable drives not protected by BitLocker" so CUI cannot be copied onto an unencrypted stick. Verify on endpoints with Get-BitLockerVolume (or manage-bde -status) and keep the output as assessment evidence; a volume that reports ProtectionStatus Off, for example because protection was suspended for a firmware update and never resumed, is not protecting CUI even though it shows as encrypted.
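The following PowerShell script is an added example for auditing the BitLocker baseline described in Example 1 and remediating an OS volume that fails it; it is not code from the original page. It assumes the baseline is TPM+PIN on the OS volume, XTS-AES 256 everywhere, and a recovery password escrowed to AD DS; the function names Test-BitLockerBaseline and Enable-CuiOsVolume are this example's own, and the drive letter and PIN are placeholders.

```powershell
# Added example: audit every local volume against a 3.13.16 BitLocker baseline
# and report drift. Run from an elevated PowerShell session on the endpoint.
# Assumed baseline (adjust to your SSP): XTS-AES 256, TPM+PIN on the OS volume,
# a recovery password protector on every volume, protection actually On.

$RequiredMethod = 'XtsAes256'

function Test-BitLockerBaseline {
    param($Volume)   # one object from Get-BitLockerVolume

    $findings = @()
    # KeyProtector may be empty on an unencrypted volume; -notin against $null is fine.
    $types = @($Volume.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    if ($Volume.VolumeStatus -ne 'FullyEncrypted') {
        $findings += "status is $($Volume.VolumeStatus), expected FullyEncrypted"
    }
    # Suspended protection leaves the key in the clear on disk even though the
    # volume still reports as encrypted: this is the case assessors miss most.
    if ($Volume.ProtectionStatus -ne 'On') {
        $findings += "protection is $($Volume.ProtectionStatus); data is readable without a PIN"
    }
    if ($Volume.EncryptionMethod -ne $RequiredMethod) {
        $findings += "method is $($Volume.EncryptionMethod), expected $RequiredMethod"
    }
    if ($Volume.VolumeType -eq 'OperatingSystem' -and 'TpmPin' -notin $types) {
        $findings += "OS volume has no TPM+PIN protector (found: $($types -join ', '))"
    }
    if ('RecoveryPassword' -notin $types) {
        $findings += "no recovery password protector, so nothing can be escrowed"
    }

    [pscustomobject]@{
        MountPoint = $Volume.MountPoint
        VolumeType = $Volume.VolumeType
        Compliant  = ($findings.Count -eq 0)
        Findings   = ($findings -join '; ')
    }
}

function Enable-CuiOsVolume {
    # Remediation for an OS volume that failed the audit. Requires the GPO
    # "Require additional authentication at startup" to allow a TPM startup PIN.
    param(
        [string]$MountPoint = 'C:',                 # placeholder drive letter
        [Parameter(Mandatory)][securestring]$Pin    # prompt the user; never hard-code
    )
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod $RequiredMethod `
        -TpmAndPinProtector -Pin $Pin -SkipHardwareTest

    # Add a recovery password and escrow it to AD DS. On Entra-joined devices
    # use BackupToAAD-BitLockerKeyProtector with the same protector ID instead.
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp  = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } | Select-Object -First 1
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId
}

# Audit all volumes and show the result as evidence for the SSP.
$report = Get-BitLockerVolume | ForEach-Object { Test-BitLockerBaseline -Volume $_ }
$report | Format-Table MountPoint, VolumeType, Compliant, Findings -AutoSize

# Example remediation of the system drive (uncomment to run):
# Enable-CuiOsVolume -MountPoint 'C:' -Pin (Read-Host -AsSecureString 'Startup PIN')
```

Run the audit block as a scheduled task or through your RMM and keep the table output; the Findings column gives the assessor the exact reason a volume is out of baseline rather than a bare pass/fail. Enable-BitLocker will refuse a TPM+PIN protector if the startup-authentication GPO is not in place, so deploy the policy before the remediation step.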
Example 2: For CUI stored in SharePoint Online or OneDrive, Microsoft already encrypts content at rest with service-managed keys (volume-level BitLocker plus per-file AES-256 encryption), so the tenant satisfies the baseline of 3.13.16 without configuration; record that in the SSP, and note that those keys are Microsoft-managed unless you have deployed Customer Key. Go further by applying Microsoft Purview sensitivity labels to CUI files. A label configured with encryption wraps the file with Azure Rights Management protection and a usage policy that travel with the file, so a copy downloaded to an unmanaged laptop, attached to an e-mail, or synced to a personal drive stays unreadable to anyone not granted rights by the label. Configure labels in the Microsoft Purview compliance portal under Information protection > Labels, then publish them with a label policy; a label that is created but never applied protects nothing, so pair it with mandatory labeling or an auto-labeling policy keyed to your CUI markings and check label coverage in Activity explorer.
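The following Security & Compliance PowerShell script is an added example of building and publishing the encrypting label from Example 2 so it can be reproduced and diffed across tenants; it is not code from the original page. The label name "CUI", the group cui-handlers@contoso.com, the policy name, and the 30-day offline window are placeholders to replace with your own values.

```powershell
# Added example: create a sensitivity label that applies persistent encryption
# to CUI and publish it to all users. Requires the ExchangeOnlineManagement
# module and a Compliance Administrator (or equivalent) role.
# Placeholders: label name 'CUI', group cui-handlers@contoso.com, policy name.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession     # interactive sign-in to Security & Compliance PowerShell

# Rights granted to the handlers group. Everyone else gets nothing, which is
# what makes a downloaded or forwarded copy unreadable outside the group.
$handlerRights = 'cui-handlers@contoso.com:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL'

$label = New-Label -Name 'CUI' -DisplayName 'CUI' `
    -Tooltip 'Controlled Unclassified Information (NIST 800-171 3.13.16)' `
    -ContentType 'File, Email' `
    -EncryptionEnabled $true `
    -EncryptionProtectionType 'Template' `
    -EncryptionRightsDefinitions $handlerRights `
    -EncryptionOfflineAccessDays 30 `                      # re-authenticate at least monthly
    -EncryptionContentExpiredOnDateInDaysOrNever 'Never'   # CUI does not self-destruct

# Publish the label and require a justification when a user removes or lowers it,
# so downgrades leave an audit trail.
New-LabelPolicy -Name 'CUI-Label-Policy' -Labels $label.Name `
    -ExchangeLocation All `
    -AdvancedSettings @{ RequireDowngradeJustification = 'true' }

# Evidence for the assessor: confirm encryption is actually on for the label.
Get-Label -Identity 'CUI' | Select-Object Name, EncryptionEnabled, EncryptionProtectionType
```

The rights string is deliberately narrow: it names one group and omits OWNER, so label owners cannot strip protection from their own copies, and it does not grant anonymous or all-authenticated-user access. Changing who may read CUI then becomes a group-membership change rather than a label change, which is easier to review and to evidence.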