GRCWatch
Sign inStart free trial

NIST 800-171 Control 3.13.16: Protecting CUI at Rest

Control 3.13.16 requires organizations to implement technical and administrative safeguards that protect the confidentiality of Controlled Unclassified Information (CUI) when stored. For government contractors and SMBs handling sensitive data, this means encrypting files, securing databases, and controlling access to physical and digital storage locations. Meeting this control is essential for maintaining NIST 800-171 compliance and protecting your organization from data breaches.

What this means

CUI at rest refers to sensitive unclassified information stored on servers, databases, cloud platforms, and physical media. This control requires you to ensure that stored CUI cannot be accessed, read, or compromised by unauthorized individuals. You must implement encryption, access controls, and secure storage practices to maintain confidentiality throughout the data lifecycle—from creation through archival or destruction.

How to comply

  1. 1.Encrypt all CUI stored on servers, databases, and cloud platforms using approved encryption algorithms (AES-256 or equivalent)
  2. 2.Implement access controls that limit which users and systems can retrieve stored CUI
  3. 3.Secure physical storage locations where CUI-bearing media is kept with locks, access logs, and environmental controls
  4. 4.Establish data retention and destruction policies that safely eliminate CUI when no longer needed
  5. 5.Monitor and audit access to CUI repositories to detect unauthorized retrieval attempts
  6. 6.Document your encryption standards, key management procedures, and storage security measures
  7. 7.Test encryption and access controls regularly to verify their effectiveness

Evidence auditors look for

  • Encryption implementation documentation showing algorithm type, key length, and deployment across all data repositories
  • Access control logs demonstrating restricted retrieval of CUI by role and user
  • Physical security assessments of server rooms, storage closets, and media vaults
  • Data classification inventory identifying what qualifies as CUI and where it is stored
  • Backup and disaster recovery procedures that maintain encryption during storage and recovery
  • Key management policies detailing generation, rotation, storage, and revocation of encryption keys
  • Audit logs from databases and systems showing who accessed CUI and when
  • Secure deletion verification reports confirming CUI destruction after retention periods expire

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates encryption inventory across your infrastructure, tracks access to CUI repositories in real-time, and generates audit evidence that demonstrates compliance with 3.13.16—eliminating manual log reviews and encryption audits.

See how GRCWatch handles this control automatically

Start free trial

Related controls

3.13.8 — Information in Transit Protection3.13.1 — System and Communications Protection Policy3.13.2 — Boundary Protection3.4.1 — Cryptographic Controls