This post gives a practical implementation checklist to secure cloud storage and SaaS so Controlled Unclassified Information (CUI) is protected at rest, aligning actions with NIST SP 800-171 Rev.2 and CMMC 2.0 Level 2 (control SC.L2-3.13.16); it focuses on configuration steps, key management, SaaS-specific controls, and the operational evidence youβll need for compliance.
Why this control matters and a quick compliance overview
NIST 800-171 (3.13.x family) and the equivalent CMMC control require that organizations ensure the confidentiality (and often integrity) of CUI when it is stored in cloud or SaaS environments. For small businesses that handle DoD-related CUI, this usually means using encryption at rest, managing cryptographic keys securely, applying access controls, and documenting that the chosen cloud/SaaS provider meets an acceptable security baseline (for example, FedRAMP Moderate where applicable or equivalent contractual assurances). The implementation checklist below converts the requirement into concrete steps.
Implementation checklist β step-by-step
Step 1 β Inventory and classify data. Identify every storage location and SaaS service that may contain CUI: S3 buckets, Azure Blob containers, Google Cloud Storage buckets, SharePoint/OneDrive, Box, Slack attachments, backups, archival services. Label data in-place (metadata or classification labels) and record locations in your System Security Plan (SSP). Without a complete inventory you canβt validate encryption nor key custody.
Step 2 β Apply encryption at rest (practical configurations)
For each storage type, enable encryption at rest and prefer provider-managed keys only after evaluating risk; where required by policy use customer-managed keys (CMK/BYOK). Example configurations small businesses can apply immediately:
- AWS S3 β enable default server-side encryption with AWS KMS (SSE-KMS):
aws s3api put-bucket-encryption --bucket my-cui-bucket --server-side-encryption-configuration '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"aws:kms","KMSMasterKeyID":"arn:aws:kms:us-east-1:123456789012:key/abcd-efgh"}}]}' - AWS β block uploads that are not encrypted by bucket policy (deny PutObject if x-amz-server-side-encryption missing).
- Azure Blob Storage β enable Storage Service Encryption and configure a customer-managed key stored in Azure Key Vault (or use Managed HSM for higher assurance).
- Google Cloud Storage β set default KMS key for a bucket:
gsutil kms encryption -k projects/PROJECT/locations/global/keyRings/kr/cryptoKeys/key gs://my-cui-bucket - SaaS (Microsoft 365, Box, Dropbox Business) β enable native service encryption and, where available, Customer-Managed Keys (CMEK/Custodian key). For Microsoft, use Microsoft Purview / Service Encryption with Customer Key and Azure Key Vault.
Step 3 β Key management and cryptographic requirements
Keys are the control point. Use a KMS or HSM with logging and role separation: restrict who can use, not just who can view keys. Enforce cryptographic algorithms that meet federal guidance (AES-256-GCM for symmetric at-rest, RSA-2048+/EC-256 where asymmetric is required). Implement automated rotation (e.g., annually or per policy), back up key material per vendor guidance, and keep rotation and access events logged in tamper-evident logs (CloudTrail, Azure Monitor, Cloud Logging). For the highest assurance, use FIPS 140-2/3-validated modules or CloudHSM when required by the contract.
Step 4 β SaaS-specific controls, metadata, and client-side options
SaaS apps often protect content differently from object storage. For SaaS that supports it, deploy: customer-managed encryption keys, tenant-level encryption settings, tenant isolation features, and endpoint protection. Consider client-side (end-to-end) encryption for particularly sensitive CUI where the SaaS provider cannot be entrusted with plaintext or key material β use envelope encryption libraries, open-source SDKs, or third-party gateways. Also audit service metadata and previews (filenames, thumbnails) that may leak CUI; disable thumbnail generation and public sharing links where appropriate.
Access control, monitoring, and operational evidence
Limit who can access encrypted CUI with least-privilege IAM roles (use conditional access and MFA), enforce separation of duties for key administrators vs. data administrators, and enable detailed access logging. Configure alerts for anomalous reads/downloads (e.g., sudden large pulls from a bucket). Maintain an audit trail that links key usage, access events, and change management (when encryption settings were changed). Capture this evidence in the SSP and include screenshots, policy snippets, and log extracts to show auditors continuous enforcement.
Compliance tips, best practices and risk of not implementing
Best practices: require your cloud or SaaS provider to have an attestation (FedRAMP, SOC 2 Type II) and include encryption/key-handling SLAs in contracts; document decisions and residual risks in your Plan of Action and Milestones (POA&M); perform periodic configuration scans and penetration tests on data flows; and train staff on CUI handling. The risk of not implementing these controls includes unauthorized disclosure of CUI, contract termination, financial penalties, loss of future government work, and reputation damage. In practice, data exfiltration through misconfigured buckets or weak key controls is the most common failure mode for small firms.
Summary: To meet SC.L2-3.13.16 you must (1) know where CUI lives, (2) apply strong encryption at rest across cloud and SaaS, (3) control and log key operations using a hardened KMS/HSM, (4) harden SaaS configuration and limit metadata leakage, and (5) produce consistent operational evidence (SSP, logs, policies). Implement the checklist steps, use provider-specific examples above, record decisions in your SSP/POA&M, and you will substantially reduce risk and be well-positioned for NIST SP 800-171 / CMMC Level 2 assessment.
