Data at Rest
Data at rest refers to data that is stored and not currently being transmitted or processed — files on hard drives, records in databases, documents in cloud storage, and data on backup media. Protecting data at rest means ensuring stored data is encrypted and access-controlled so that even if a storage device is lost or stolen, the data remains protected.
For CUI, FIPS-validated encryption of data at rest is a CMMC requirement. This means using full-disk encryption on laptops, encrypting databases containing CUI, and ensuring cloud storage is properly encrypted — all using FIPS 140-2 or 140-3 validated cryptographic modules.
Why It Matters
CMMC requires encryption of CUI at rest. A lost or stolen laptop that holds CUI without encryption is a CUI breach that must be reported. Implementing FIPS-validated encryption on every location where CUI is stored is a concrete, verifiable requirement.