SC-28—Protection of Information at Rest

IL4 Mod

IL4 High

IL5

IL6

>Control Description

Protect the [Selection (one or more): confidentiality; integrity] of the following information at rest: ⚙organization-defined information at rest.

>DoD Impact Level Requirements

FedRAMP Parameter Values

SC-28 [confidentiality AND integrity]

Additional Requirements and Guidance

SC-28 Guidance: The organization supports the capability to use cryptographic mechanisms to protect information at rest. SC-28 Guidance: When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured. SC-28 Guidance: Note that this enhancement requires the use of cryptography in accordance with SC-13.

>Discussion

Information at rest refers to the state of information when it is not in process or in transit and is located on system components. Such components include internal or external hard disk drives, storage area network devices, or databases. However, the focus of protecting information at rest is not on the type of storage device or frequency of access but rather on the state of the information.

Information at rest addresses the confidentiality and integrity of information and covers user information and system information. System-related information that requires protection includes configurations or rule sets for firewalls, intrusion detection and prevention systems, filtering routers, and authentication information. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning.

Integrity protection can be achieved, for example, by implementing write-once-read-many (WORM) technologies. When adequate protection of information at rest cannot otherwise be achieved, organizations may employ other controls, including frequent scanning to identify malicious code at rest and secure offline storage in lieu of online storage.

>Programmatic Queries

Beta

Related Services

KMS

S3 Encryption

EBS Encryption

RDS Encryption

CLI Commands

List KMS keys

aws kms list-keys

Check S3 bucket encryption

aws s3api get-bucket-encryption --bucket BUCKET_NAME

Check EBS default encryption

aws ec2 get-ebs-encryption-by-default

List encrypted EBS volumes

aws ec2 describe-volumes --filters 'Name=encrypted,Values=true'

Open AWS Console Documentation

>Related Controls

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

•What policies govern the implementation of protection of information at rest?
•How are system and communications protection requirements defined and maintained?
•Who is responsible for configuring and maintaining the security controls specified in SC-28?
•What is your cryptographic key management policy?

Technical Implementation:

•How is protection of information at rest technically implemented in your environment?
•What systems, tools, or configurations enforce this protection requirement?
•How do you ensure that protection of information at rest remains effective as the system evolves?
•What network boundary protections are in place (firewalls, gateways, etc.)?
•What encryption mechanisms and algorithms are used to protect data?

Evidence & Documentation:

•What documentation demonstrates the implementation of SC-28?
•Can you provide configuration evidence or system diagrams showing this protection control?
•What logs or monitoring data verify that this control is functioning correctly?
•Can you provide network architecture diagrams and firewall rulesets?
•Can you demonstrate that FIPS 140-2 validated cryptography is used?

Ask AI

Configure your API key to use AI features.