Information at rest refers to the state of information when it is not in process or in transit and is located on storage devices as specific components of systems. The focus of protection at rest is not on the type of storage device or the frequency of access but rather the state of the information. Organizations can use different mechanisms to achieve confidentiality protections, including the use of cryptographic mechanisms and file share scanning. Organizations may also use other controls including secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved or continuous monitoring to identify malicious code at rest. See [NIST CRYPTO].

Priority: High

Services Associated with AWS:

  1. AWS Key Management Service (KMS)
  2. Amazon S3
  3. Amazon Macie
  4. Amazon GuardDuty
  5. AWS Security Hub
  6. Amazon Inspector

What needs to be answered?

Are there controls used to protect CUI while stored in company information systems? Does the system protect the confidentiality of information at rest?

  • Confidentiality of CUI at Rest Check
    Description: This check verifies that CUI is stored securely when at rest. It ensures that cryptographic mechanisms are used to protect the data, and that secure offline storage is used when adequate online protection cannot be achieved. It also verifies that continuous monitoring is in place to identify potential threats.
  • File Share Scanning Check
    Description: This check verifies that file share scanning mechanisms are used to detect and protect CUI at rest. It ensures that scanning is done on a regular basis, and that any threats or unauthorized access attempts are identified and addressed.
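An added example (not from the original page or any NIST or AWS artefact) of how the "Confidentiality of CUI at Rest Check" above can be evaluated for Amazon S3 buckets: it works on the shape of the S3 GetBucketEncryption response so it runs offline, and the policy, bucket names, account id and key id are constructed assumptions.

```python
from typing import Optional

# Example policy (an assumption of this example, not a NIST requirement): a CUI
# bucket must default to SSE-KMS and name its key. Without KMSMasterKeyID, S3 uses
# the AWS-managed aws/s3 key; a full audit would also call kms:DescribeKey and
# require KeyManager == "CUSTOMER", which is skipped here to stay offline.
KMS_ALGORITHMS = {"aws:kms", "aws:kms:dsse"}


def evaluate_bucket(name: str, encryption: Optional[dict]) -> dict:
    """Judge one GetBucketEncryption response; None means the API raised
    ServerSideEncryptionConfigurationNotFoundError (no default rule at all, so
    encryption depends on each PUT and the control is not shown to be enforced)."""
    if encryption is None:
        return {"bucket": name, "compliant": False,
                "reason": "no default encryption configuration"}
    rules = encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        alg, key = default.get("SSEAlgorithm"), default.get("KMSMasterKeyID")
        if alg in KMS_ALGORITHMS and key:
            return {"bucket": name, "compliant": True, "reason": f"{alg}, key {key}"}
        if alg in KMS_ALGORITHMS:
            return {"bucket": name, "compliant": False,
                    "reason": f"{alg} with AWS-managed aws/s3 key"}
        if alg == "AES256":
            return {"bucket": name, "compliant": False,
                    "reason": "SSE-S3 only; key not under KMS control"}
    return {"bucket": name, "compliant": False, "reason": "no recognised default rule"}


def noncompliant_buckets(inventory: dict) -> list:
    """Sorted names of buckets failing the policy; inventory maps name -> response/None."""
    return sorted(n for n, r in inventory.items() if not evaluate_bucket(n, r)["compliant"])


# Constructed sample inventory: bucket names, account id and key id are placeholders.
SAMPLE_INVENTORY = {
    "cui-records": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
         "BucketKeyEnabled": True}]}},
    "cui-exports": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    "cui-legacy": None,  # GetBucketEncryption raised ...NotFoundError
}

if __name__ == "__main__":
    print(noncompliant_buckets(SAMPLE_INVENTORY))
```

In a live audit the inventory would be built from s3:ListBuckets and s3:GetBucketEncryption, catching ServerSideEncryptionConfigurationNotFoundError and storing None for that bucket.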

More Details:

CUI at rest is stored on encrypted and controlled systems.