
3.13.16 System and Communications Protection - Derived

Derived Requirement

>Control Description

Protect the confidentiality of CUI at rest.

>Discussion

Information at rest refers to the state of information when it is not in process or in transit and is located on storage devices as specific components of systems. The focus of protection at rest is not on the type of storage device or the frequency of access but rather the state of the information. Organizations can use different mechanisms to achieve confidentiality protections, including the use of cryptographic mechanisms and file share scanning.

Organizations may also use other controls, including secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved, or continuous monitoring to identify malicious code at rest. See [NIST CRYPTO].

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What documented policies and procedures address protection of CUI at rest on CUI systems?
  • Who is accountable for implementing and maintaining the controls that protect CUI at rest?
  • How frequently are the requirements for protecting CUI at rest reviewed, and what triggers updates?
  • What process ensures that changes to systems maintain compliance with the requirement to protect CUI at rest?
  • How are exceptions to the requirement to protect CUI at rest documented and approved?

Technical Implementation:

  • What technical controls (for example, cryptographic mechanisms or file share scanning) protect the confidentiality of CUI at rest in your CUI environment?
  • How are the controls protecting CUI at rest configured and maintained across all CUI systems?
  • What automated mechanisms support compliance with the requirement to protect CUI at rest?
  • How do you validate that your protections for CUI at rest achieve their intended security outcome?
  • What compensating controls (for example, secure off-line storage) exist if the primary controls for CUI at rest cannot be fully implemented?

Evidence & Documentation:

  • What documentation proves that protection of CUI at rest is implemented and operating effectively?
  • Can you provide configuration evidence showing how protection of CUI at rest is technically enforced?
  • What audit logs or monitoring data demonstrate ongoing compliance with the requirement to protect CUI at rest?
  • Can you show evidence of a recent review or assessment of the controls that protect CUI at rest?
  • What artifacts would you provide to a CMMC assessor to demonstrate that CUI at rest is protected?
