
3.13.16 — Encrypt CUI at Rest

Protect the confidentiality of CUI at rest.

CUI must be encrypted on every storage location:

  • Workstations/laptops — BitLocker (Windows), FileVault (Mac). Full disk encryption.
  • Servers — BitLocker for Windows Server, LUKS for Linux. Volume-level encryption.
  • Databases — Transparent Data Encryption (TDE) for SQL Server, equivalent for other databases.
  • Cloud storage — Azure Blob encryption, S3 server-side encryption, with customer-managed keys preferred.
  • Backups — backup media encrypted with the same standards as production data.
  • File shares — SMB 3.0 encryption or file-level encryption via sensitivity labels.

All encryption must use FIPS-validated modules (per 3.13.11). BitLocker in FIPS mode, SQL TDE with FIPS-validated provider, etc.

The assessor will check: Is BitLocker on? On every device? Can you prove it via MDM? Are servers encrypted? Is the database encrypted? What about backups?

The most reliable evidence: an MDM compliance dashboard showing 100% BitLocker coverage across all managed devices.
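The MDM dashboard is the fleet-wide view; the per-device evidence behind it is what an assessor asks to see on a live demo. The following PowerShell script is an added example, not code from the original page, that gathers that evidence from one Windows workstation or server: BitLocker status of every OS and fixed data volume, whether a recovery password protector exists (the key that must be escrowed centrally), and whether Windows FIPS mode is switched on. The `-EscrowToEntra` switch and the output file name are assumptions for illustration; the script must run in an elevated session on a machine with the BitLocker PowerShell module.

```powershell
# Added example (not code from the original page): per-device at-rest encryption
# evidence for 3.13.16 / 3.13.11. Run elevated on Windows 10/11 or Windows Server
# with the BitLocker feature installed.
param(
    [switch]$EscrowToEntra,   # also push recovery passwords to Entra ID (device must be Entra-joined)
    [string]$OutFile = (Join-Path $env:TEMP "at-rest-evidence-$($env:COMPUTERNAME).json")
)

$evidence = [ordered]@{
    ComputerName = $env:COMPUTERNAME
    CollectedAt  = (Get-Date).ToString('o')
}

# 1. FIPS mode (3.13.11). The GPO "System cryptography: Use FIPS compliant
#    algorithms for encryption, hashing, and signing" sets this value to 1.
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$fips = Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue
$evidence.FipsModeEnabled = [bool]($fips -and $fips.Enabled -eq 1)

# 2. BitLocker on every OS and fixed data volume. FullyEncrypted plus
#    ProtectionStatus On is what the MDM dashboard summarises; a suspended
#    volume (ProtectionStatus Off) or a volume still encrypting is a finding.
$volumes = Get-BitLockerVolume | Where-Object { [string]$_.VolumeType -in @('OperatingSystem', 'Data') }
$volumeReport = foreach ($v in $volumes) {
    # The RecoveryPassword protector is the 48-digit key that gets escrowed centrally.
    $recovery = @($v.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    [pscustomobject]@{
        MountPoint         = $v.MountPoint
        VolumeStatus       = [string]$v.VolumeStatus        # target: FullyEncrypted
        ProtectionStatus   = [string]$v.ProtectionStatus    # target: On
        EncryptionMethod   = [string]$v.EncryptionMethod    # e.g. XtsAes256
        RecoveryProtectors = $recovery.Count
        Compliant          = ([string]$v.VolumeStatus -eq 'FullyEncrypted' -and
                              [string]$v.ProtectionStatus -eq 'On' -and
                              $recovery.Count -gt 0)
    }
}
$evidence.Volumes = @($volumeReport)
$evidence.AllVolumesCompliant = ($evidence.Volumes.Count -gt 0) -and
                                -not ($evidence.Volumes | Where-Object { -not $_.Compliant })

# 3. Optional: escrow every recovery password to Entra ID so "where are the
#    recovery keys stored?" has an answer. Use Backup-BitLockerKeyProtector for AD DS.
if ($EscrowToEntra) {
    foreach ($v in $volumes) {
        foreach ($rp in ($v.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
            BackupToAAD-BitLockerKeyProtector -MountPoint $v.MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
        }
    }
}

# 4. Write the evidence file and print a one-screen summary for the assessor.
[pscustomobject]$evidence | ConvertTo-Json -Depth 4 | Set-Content -Path $OutFile -Encoding UTF8
$evidence.Volumes | Format-Table MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod, RecoveryProtectors, Compliant -AutoSize
"FIPS mode enabled: $($evidence.FipsModeEnabled); all volumes compliant: $($evidence.AllVolumesCompliant); evidence written to $OutFile"
```

Run it from your MDM or RMM tool as a scheduled script and collect the JSON files, and you have per-device evidence that reconciles against the dashboard's 100% figure. A volume that is encrypted but has no recovery password protector is deliberately reported as non-compliant, because an assessor treats an unrecoverable key as an unmanaged control.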


Your assessor needs a “yes” to every row:

#  Question                           What “yes” looks like
1  Is CUI encrypted at rest?          Every storage location with CUI has encryption enabled — verified via MDM/compliance dashboard
2  Is the encryption FIPS-validated?  FIPS mode enabled, validation certificates available

Documents they’ll review: System and communications protection policy; system security plan; system configuration settings showing encryption at rest; MDM compliance reports; database encryption configuration; backup encryption settings; FIPS validation certificates

People they’ll talk to: System or network administrators; personnel with information security responsibilities; database administrators

Live demos they’ll ask for: Encryption verification on workstations, servers, databases; MDM compliance report; backup encryption configuration


These are the actual questions. Have answers ready.

  • “Is BitLocker enabled on all workstations? Show me the compliance dashboard.”
  • “Are your servers encrypted? Show me the configuration.”
  • “Is your database encrypted? What method — TDE, column-level, application-level?”
  • “Are backups encrypted? Show me the backup encryption settings.”
  • “Is the encryption FIPS-validated? Show me the FIPS mode configuration.”
  • “Where are BitLocker recovery keys stored? Show me one.”

Some workstations not encrypted. 98% isn’t 100%. Every CUI device must have BitLocker. Check MDM compliance for the missing 2%.

Server data unencrypted. BitLocker on workstations but server file shares sitting on unencrypted volumes.

Database not encrypted. CUI in SQL Server without TDE. Enable it — it’s a single configuration change for SQL Server.

Backups unencrypted. Production is encrypted but backups are in the clear. Backups contain the same CUI.

FIPS mode not enabled. BitLocker is on but FIPS mode isn’t enabled via GPO. The encryption works but isn’t running in FIPS-validated mode.

Recovery keys lost. BitLocker on but recovery keys not stored centrally. Can’t prove encryption is manageable.
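Two of the failures above, the unencrypted database and the unencrypted backups, can be checked from SQL Server's own catalog views rather than by trusting a configuration screenshot. The following PowerShell script is an added example, not code from the original page; it uses Invoke-Sqlcmd from the SqlServer module and assumes a login with VIEW SERVER STATE and read access to msdb. The instance name and database names are placeholders.

```powershell
# Added example (not code from the original page): evidence that the databases
# holding CUI are TDE-encrypted and that their latest full backups were taken
# with native backup encryption. Requires the SqlServer module (Invoke-Sqlcmd).
param(
    [string]$ServerInstance = 'SQLPROD01',                           # placeholder instance name
    [string[]]$CuiDatabases = @('ContractsDB', 'EngineeringDB'),     # placeholder database names
    [string]$OutFile = (Join-Path $env:TEMP 'sql-at-rest-evidence.csv')
)

# encryption_state in sys.dm_database_encryption_keys:
# 0 = no DEK, 1 = unencrypted, 2 = encrypting, 3 = encrypted,
# 4 = key change, 5 = decrypting, 6 = protection change. Only 3 passes.
$tdeQuery = @"
SELECT d.name,
       d.is_encrypted,
       ISNULL(k.encryption_state, 0) AS encryption_state,
       k.key_algorithm,
       k.key_length,
       k.encryptor_type
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS k ON k.database_id = d.database_id
WHERE d.name NOT IN ('master', 'model', 'msdb', 'tempdb');
"@

# Most recent full backup (type 'D') per database. key_algorithm is NULL when
# the backup was written without encryption, which is the finding.
$backupQuery = @"
WITH latest AS (
    SELECT database_name, backup_finish_date, key_algorithm, encryptor_type,
           ROW_NUMBER() OVER (PARTITION BY database_name ORDER BY backup_finish_date DESC) AS rn
    FROM msdb.dbo.backupset
    WHERE type = 'D'
)
SELECT database_name, backup_finish_date, key_algorithm, encryptor_type
FROM latest
WHERE rn = 1;
"@

$tde     = Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $tdeQuery
$backups = Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $backupQuery

$findings = foreach ($db in $CuiDatabases) {
    $t = $tde     | Where-Object name          -eq $db
    $b = $backups | Where-Object database_name -eq $db
    [pscustomobject]@{
        Database        = $db
        TdeState        = if ($t) { [int]$t.encryption_state } else { -1 }   # -1: database not found
        TdeCompliant    = [bool]($t -and [int]$t.encryption_state -eq 3)
        LastFullBackup  = if ($b) { $b.backup_finish_date } else { $null }
        # NULL columns come back as [DBNull]; an unencrypted backup has no key_algorithm.
        BackupEncrypted = [bool]($b -and ($b.key_algorithm -isnot [System.DBNull]))
    }
}

$findings | Export-Csv -Path $OutFile -NoTypeInformation
$findings | Format-Table -AutoSize
"Evidence written to $OutFile"
```

A database that is listed but shows TdeState 0 or 1 is the "CUI in SQL Server without TDE" case; once a database encryption key exists, `ALTER DATABASE <name> SET ENCRYPTION ON` moves it to state 2 and then 3, and the script can be re-run to capture the after state for the POA&M closure evidence. BackupEncrypted only covers SQL Server native backups; if a third-party backup product takes the backups, pull the equivalent setting from that product instead.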



Requirement                              Why it matters here
3.13.11 — FIPS or It Doesn’t Count       At-rest encryption must use FIPS-validated modules
3.13.8 — Encrypt in Transit              Companion: this is at rest, that’s in transit
3.8.9 — Protect Your Backups             Backup encryption is part of this requirement
3.1.19 — Encrypt CUI on Mobile           Mobile device encryption — subset of at-rest encryption
3.13.10 — Manage Your Keys               Keys for this encryption managed under key management process

Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.


CMMC Practice ID: SC.L2-3.13.16 | SPRS Weight: 1 point | POA&M Eligible: Yes