
NIST 800-171 - Protection of Information at Rest (3.13.16)

Overview:
Protect the confidentiality of CUI at rest.


Action Items:
3.13.16[a]
Determine if: the confidentiality of CUI at rest is protected


POTENTIAL ASSESSMENT METHODS AND OBJECTS


1) Examine: System and communications protection policy; procedures addressing protection of information at rest; system security plan; system design documentation; list of information at rest requiring confidentiality protections; system configuration settings and associated documentation; cryptographic mechanisms and associated configuration documentation; other relevant documents or records.

2) Interview: System or network administrators; personnel with information security responsibilities; system developer.

3) Test: Mechanisms supporting or implementing confidentiality protections for information at rest.


Related Documents (document name and content will vary by organization):
1) System and communications protection policy
2) Procedures addressing protection of information at rest
3) System security plan
4) System design documentation
5) List of information at rest requiring confidentiality protections
6) System configuration settings and associated documentation
7) Cryptographic mechanisms and associated configuration documentation
8) Other relevant documents or records


Additional Guidance:
This requirement addresses the confidentiality of information at rest. Information at rest refers to the state of information when it is not in process or in transit and is located on storage devices as specific components of systems. The focus of protection at rest is not on the type of storage device or the frequency of access but rather the state of the information. Organizations can use different mechanisms to achieve confidentiality protections, including the use of cryptographic mechanisms and file share scanning. Organizations may also employ other safeguards including, for example, secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved or continuous monitoring to identify malicious code at rest. See NIST Cryptographic Standards.
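Added example, not from NIST or this page: a small Python check that supports the "Test" assessment method above on a Linux host by listing mounted filesystems whose backing storage has no dm-crypt (LUKS) layer, working from `lsblk --json -o NAME,TYPE,FSTYPE,MOUNTPOINT` output. The embedded lsblk JSON is a constructed sample; the exempt mountpoints, device names and the `--live` switch are assumptions for illustration.

```python
"""Report mounted Linux filesystems whose backing block device has no dm-crypt
(LUKS) layer, from `lsblk --json -o NAME,TYPE,FSTYPE,MOUNTPOINT` output."""
import json
import subprocess
import sys

# Constructed sample of lsblk JSON: sda2 is a LUKS container holding the root
# volume via LVM; sdb1 is a plaintext ext4 data disk mounted at /srv/cui.
SAMPLE_LSBLK_JSON = """{"blockdevices": [
 {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
  {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
  {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null,
   "children": [
   {"name": "cryptroot", "type": "crypt", "fstype": "LVM2_member",
    "mountpoint": null, "children": [
    {"name": "vg-root", "type": "lvm", "fstype": "ext4", "mountpoint": "/"}]}]}]},
 {"name": "sdb", "type": "disk", "fstype": null, "mountpoint": null, "children": [
  {"name": "sdb1", "type": "part", "fstype": "ext4", "mountpoint": "/srv/cui"}]}
]}"""

def mounted_filesystems(tree):
    """Yield (mountpoint, device name, encrypted) for every mounted filesystem.
    A filesystem counts as encrypted only if a 'crypt' (dm-crypt) device lies
    between it and the physical disk; a LUKS header alone is not enough."""
    def walk(dev, under_crypt):
        under_crypt = under_crypt or dev.get("type") == "crypt"
        if dev.get("mountpoint"):
            yield dev["mountpoint"], dev["name"], under_crypt
        for child in dev.get("children", []):
            yield from walk(child, under_crypt)
    for dev in tree["blockdevices"]:
        yield from walk(dev, False)

def unencrypted_mounts(lsblk_json, exempt=("/boot", "/boot/efi")):
    """Return sorted mountpoints with no dm-crypt layer underneath, skipping
    mountpoints that must stay cleartext for the platform to boot (assumed list)."""
    tree = json.loads(lsblk_json)
    return sorted(mp for mp, _name, enc in mounted_filesystems(tree)
                  if not enc and mp not in exempt)

if __name__ == "__main__":
    if "--live" in sys.argv:  # inspect the running host instead of the sample
        out = subprocess.run(["lsblk", "--json", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
                             check=True, capture_output=True, text=True).stdout
    else:
        out = SAMPLE_LSBLK_JSON
    for mp in unencrypted_mounts(out):
        print(f"FINDING: {mp} is not backed by an encrypted device")
```

Each finding is a candidate for the "list of information at rest requiring confidentiality protections": either the mountpoint holds no CUI and is documented as such, or it needs an encryption or off-line storage safeguard.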