NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-28(1) Cryptographic Protection

Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on {{ insert: param, sc-28.01_odp.02 }}: {{ insert: param, sc-28.01_odp.01 }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category or classification of the information. Organizations have the flexibility to encrypt information on system components or media or encrypt data structures, including files, records, or fields.

Practitioner Notes

Use cryptographic mechanisms specifically to protect the confidentiality and integrity of data at rest — encryption is mandatory, not optional.

Example 1: Use AES-256 encryption for all data at rest. For file servers, use BitLocker. For databases, use TDE or Always Encrypted. For cloud storage, enable server-side encryption with customer-managed keys in Azure Key Vault or AWS KMS.

Example 2: Encrypt backup data before it leaves your server. Configure your backup solution (Veeam, Commvault) to use AES-256 encryption with a key stored separately from the backup media. A stolen backup tape is useless without the decryption key.