A98: Yes, the mapped NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, control (SC-8), notes that this requirement is to protect the confidentiality of CUI information at rest when it is located on storage devices as specific components of information systems and that “organizations may employ different mechanisms to achieve confidentiality protection, including the use of cryptographic mechanisms and file share scanning.” Thus, encryption is an option, not a requirement.

Q98: Security Requirement 3.13.16 – Protect the Confidentiality of CUI at rest. Can CUI be stored at rest in any non-mobile device or data center, unencrypted, as long as it is protected by other approved logical or physical methods?