CUI sitting on disks, laptops, and drives should be encrypted.
What it actually means
Protect the confidentiality of CUI at rest — stored on servers, workstations, laptops, and removable media. Full-disk encryption (BitLocker, FileVault) on every device that holds CUI is the standard approach, plus encryption for backups and removable media. Pair it with FIPS-validated cryptography (3.13.11).
Pass or fail — an assessor needs a "yes" to each
- Is full-disk encryption enabled on all devices that store CUI, including laptops?
- Are backups and removable media holding CUI encrypted?
What to have ready
- Encryption status report (BitLocker / FileVault) across devices
- Backup and removable-media encryption configuration
Where teams trip up
- Desktops and servers left unencrypted because "they don't leave the building"
- Encrypted laptops but plaintext backups
To fully satisfy this alongside 3.13.11, the at-rest encryption must be FIPS-validated. Most BitLocker / FileVault deployments can run in a FIPS-validated mode.
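An added example of collecting the encryption status evidence listed above on a Windows endpoint, together with the FIPS policy flag that 3.13.11 depends on. This is not from the original page; it uses the built-in BitLocker module and the Windows FipsAlgorithmPolicy registry value, and the report path is an assumption.

```powershell
# Added example (not from the original page): gather BitLocker at-rest
# encryption evidence for one endpoint and flag the gaps an assessor asks
# about. Needs the BitLocker module (Windows Pro/Enterprise) and an
# elevated session. The output path is a hypothetical choice.
$ReportPath = 'C:\Evidence\bitlocker-status.csv'

# FIPS mode is system-wide: Enabled=1 restricts Windows crypto providers to
# FIPS-validated algorithms, which is what 3.13.11 expects.
$fips = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' `
                         -Name Enabled -ErrorAction SilentlyContinue
$fipsEnabled = ($null -ne $fips) -and ($fips.Enabled -eq 1)

$rows = foreach ($vol in Get-BitLockerVolume) {
    # Each volume (OS, fixed data, and any mounted removable drive) gets one row.
    $gaps = @()
    if ($vol.ProtectionStatus -ne 'On')         { $gaps += 'protection off' }
    if ($vol.VolumeStatus -ne 'FullyEncrypted') { $gaps += "volume $($vol.VolumeStatus)" }
    if ($vol.EncryptionMethod -eq 'None')       { $gaps += 'no encryption method' }
    if (-not $fipsEnabled)                      { $gaps += 'FIPS policy disabled (3.13.11)' }

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        MountPoint       = $vol.MountPoint
        VolumeType       = $vol.VolumeType            # OperatingSystem or Data
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        EncryptionMethod = $vol.EncryptionMethod
        PercentEncrypted = $vol.EncryptionPercentage
        KeyProtectors    = ($vol.KeyProtector.KeyProtectorType -join ';')
        FipsPolicy       = $fipsEnabled
        Gaps             = ($gaps -join '; ')
        Collected        = (Get-Date).ToString('o')
    }
}

$rows | Format-Table -AutoSize
New-Item -ItemType Directory -Force -Path (Split-Path $ReportPath) | Out-Null
$rows | Export-Csv -Path $ReportPath -NoTypeInformation

# Non-zero exit when any volume has a gap, so the script doubles as a check
# that can run from a scheduled task or endpoint-management tool.
if ($rows | Where-Object { $_.Gaps }) { exit 1 }
```

Run it across the fleet and keep the CSVs as the "encryption status report" artifact; the macOS counterpart for FileVault is the output of `fdesetup status` on each Mac.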