SC.L2-3.13.16 — Protect the confidentiality of CUI at rest.
What this control requires
Protect the confidentiality of CUI at rest.
Source: CMMC L2 v2.13 SC.L2-3.13.16 / NIST SP 800-171 R2 3.13.16 (official control text).
Why this matters
Data stored on hard drives, file shares, databases, and backup media is vulnerable to theft, unauthorized access, or exposure if devices are lost, stolen, or improperly decommissioned. This control requires encrypting CUI whenever it sits in storage—whether on laptops, servers, cloud object storage, or removable media. Without encryption at rest, an attacker who gains physical access to a drive or bypasses operating system controls can read sensitive contract data, technical specifications, or personnel records in plain text. Encryption renders stolen or improperly accessed storage unreadable without the correct cryptographic keys.
What evidence assessors expect
Assessors typically look for: screenshot, CSV export, PDF. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
Related controls
See your live posture on SC.L2-3.13.16.
FORCE shows where you stand on this control and walks you through closing it.
Start a free trial tenant →