Protecting Controlled Unclassified Information (CUI) at rest is mandatory under NIST SP 800-171 Rev. 2 / CMMC 2.0 Level 2 (control SC.L2-3.13.16, "Protect the confidentiality of CUI at rest"). The requirement does not prescribe a mechanism, but encryption backed by sound key management is how most organizations meet it and prove it to an assessor, and this post gives a focused, step-by-step implementation checklist for small businesses working to meet that requirement without disrupting day-to-day operations.
Why this control matters (risk summary)
Data at rest — files, databases, backups, removable media and disk images — is a prime target for theft and accidental loss. Failing to encrypt and properly manage CUI at rest increases the risk of data breaches, contract suspension or termination, regulatory penalties, and reputational harm. For contractors subject to DFARS clauses or other federal agreements, inability to demonstrate compliant protection can result in lost contracts and financial liability.
Step-by-step implementation checklist (high level)
At a glance, implement the control in this order: (1) inventory & classify CUI, (2) select encryption solutions and scope (full-disk, file-level, DB/TDE, cloud SSE/CSE), (3) establish key management (KMS/HSM, rotation, backup), (4) apply access controls and least privilege, (5) secure backups and removable media, (6) enable logging/monitoring and test recovery, and (7) document policies and evidence for audit. The sections below expand each step with technical specifics and practical actions for small teams.
1. Inventory and classify CUI
Practical actions: run file discovery and DLP scans (e.g., open-source tools like Apache Tika + custom scripts, commercial DLP if budget allows) across endpoints, servers and cloud stores to locate CUI. Tag repositories (SharePoint sites, S3 buckets, NAS shares, SQL databases) with metadata indicating CUI presence and owner. For small businesses, start with a simple spreadsheet mapping assets, owner, CUI type and storage location, then prioritize high-risk assets (laptops, backups, cloud buckets) for immediate encryption.
2. Choose the right encryption approach for each asset type
Technical guidance: use full-disk encryption (FDE) for laptops and desktops (BitLocker on Windows with TPM+PIN, FileVault on macOS, LUKS2 on Linux, optionally TPM-bound with systemd-cryptenroll). FDE protects a device that is lost while powered off or locked; it does nothing against an attacker or malware already running on the unlocked system, so on shared servers it is necessary but not sufficient. Use file-level or application-level encryption for shared drives and collaborative documents. Use Transparent Data Encryption (TDE) for databases that offer it (SQL Server TDE, Oracle TDE); PostgreSQL has no built-in TDE, so encrypt the file system or volume under the data directory and use pgcrypto for column-level protection where needed. For cloud storage, prefer provider server-side encryption with customer-managed keys (AWS SSE-KMS, Azure Storage with CMK, GCP CMEK); use SSE-C only if you are prepared to supply and safeguard the key on every request, and use client-side encryption when the key must never be available to the provider at all. Algorithms and profiles: use AES-256 in an authenticated mode (GCM) for file, object and database encryption; XTS is the standard mode for FDE, where per-sector authentication is not available. Do not use CBC on its own, because it provides no integrity; if a product only offers CBC, it must pair it with a MAC (encrypt-then-MAC). Ensure cryptographic modules are FIPS 140-2/3 validated where contractual clauses require it.
3. Implement robust key management
Key management is the control point. Use a centralized KMS or HSM (AWS KMS / CloudHSM, Azure Key Vault Premium or Managed HSM, GCP Cloud KMS, or an on-premises HSM) to generate, store and rotate keys, so that key material never leaves the module and every use of it is logged. Enforce separation of duties: the people who administer keys (create, enable, disable, set policy) should not be able to decrypt with them, and the workloads that decrypt should not be able to change key policy. Use envelope encryption: each object, volume or database gets its own data encryption key (DEK), wrapped by a master key held in the KMS, so rotating the master key means re-wrapping DEKs rather than re-encrypting all the data. Define and automate the rotation schedule (for example, annual master-key rotation plus a documented emergency rotation procedure for a suspected compromise), and keep retired key versions available until everything wrapped under them has been re-wrapped or has passed its retention period; disabling or deleting a key that live data still depends on is a self-inflicted outage. For on-premises HSMs, maintain encrypted, access-controlled backups of key material; for a cloud KMS, where material cannot be exported, document the provider's durability guarantees and your deletion safeguards instead. For small businesses, a cloud KMS with tightly scoped IAM roles usually gives the best balance of security and cost.
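The envelope-encryption and rotation pattern described in steps 2 and 3 above, as an added example that is not part of the original post and not any vendor's implementation: a per-object DEK protects the data with AES-256-GCM, the DEK is wrapped under a master key (KEK) that stands in for the key a KMS or HSM would hold, and rotating the master key re-wraps the DEK without touching the ciphertext. The key ids, object name and sample plaintext are made up for the demonstration; in production the KEK and its id would live in the KMS and the wrap/unwrap calls would be KMS API calls.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Envelope encryption for one CUI object (illustrative code; keys and data are
// generated locally). The object name is bound as GCM additional data so a
// ciphertext cannot be silently swapped onto another object, and the KEK id is
// bound when wrapping the DEK so a wrapped key cannot be re-labelled.
const (
	keyLen       = 32 // AES-256
	gcmNonceSize = 12 // nonce size used by cipher.NewGCM
)

// Envelope is the stored record: ciphertext plus the wrapped DEK and the id of
// the KEK wrapping it, which is what lets rotation be tracked per object.
type Envelope struct {
	KEKID      string
	WrappedDEK []byte // nonce || AES-GCM(KEK, DEK, aad=KEKID)
	Nonce      []byte
	Ciphertext []byte // AES-GCM(DEK, plaintext, aad=objectName)
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil { panic(err) } // no entropy: stop, never emit a weak key
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// seal encrypts under a fresh random nonce; a fresh DEK per object keeps the
// number of messages per key tiny, so random nonces are safe here.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	g, err := newGCM(key)
	if err != nil { return nil, nil, err }
	nonce = randBytes(gcmNonceSize)
	return nonce, g.Seal(nil, nonce, plaintext, aad), nil
}

// open authenticates and decrypts; any tampering or a wrong aad is an error.
func open(key, nonce, ct, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil { return nil, err }
	return g.Open(nil, nonce, ct, aad)
}

// Encrypt generates a DEK, encrypts plaintext with it, and wraps the DEK under kek.
func Encrypt(kekID string, kek, plaintext []byte, objectName string) (*Envelope, error) {
	dek := randBytes(keyLen)
	nonce, ct, err := seal(dek, plaintext, []byte(objectName))
	if err != nil { return nil, err }
	wn, wdek, err := seal(kek, dek, []byte(kekID))
	if err != nil { return nil, err }
	return &Envelope{KEKID: kekID, WrappedDEK: append(wn, wdek...), Nonce: nonce, Ciphertext: ct}, nil
}

func unwrap(kek []byte, env *Envelope) ([]byte, error) {
	if len(env.WrappedDEK) <= gcmNonceSize { return nil, fmt.Errorf("wrapped DEK is truncated") }
	return open(kek, env.WrappedDEK[:gcmNonceSize], env.WrappedDEK[gcmNonceSize:], []byte(env.KEKID))
}

// Decrypt looks the KEK up by id. A KEK that has been revoked (absent from the
// map) leaves the object unreadable, which is what a revocation test should confirm.
func Decrypt(keks map[string][]byte, env *Envelope, objectName string) ([]byte, error) {
	kek, ok := keks[env.KEKID]
	if !ok { return nil, fmt.Errorf("master key %q not available (revoked or unknown)", env.KEKID) }
	dek, err := unwrap(kek, env)
	if err != nil { return nil, fmt.Errorf("unwrap DEK: %w", err) }
	return open(dek, env.Nonce, env.Ciphertext, []byte(objectName))
}

// RotateKEK re-wraps the DEK under newKEK; the data ciphertext is untouched.
func RotateKEK(oldKEK, newKEK []byte, newID string, env *Envelope) error {
	dek, err := unwrap(oldKEK, env)
	if err != nil { return err }
	wn, wdek, err := seal(newKEK, dek, []byte(newID))
	if err != nil { return err }
	env.KEKID, env.WrappedDEK = newID, append(wn, wdek...)
	return nil
}

func main() {
	kek2024, kek2025 := randBytes(keyLen), randBytes(keyLen) // stand-ins for two KMS master-key versions
	env, err := Encrypt("kek-2024", kek2024, []byte("CUI: drawing rev B"), "artifacts/drawing.pdf")
	if err != nil { panic(err) }
	if err := RotateKEK(kek2024, kek2025, "kek-2025", env); err != nil { panic(err) }
	pt, err := Decrypt(map[string][]byte{"kek-2025": kek2025}, env, "artifacts/drawing.pdf")
	fmt.Println(string(pt), err)
	_, err = Decrypt(map[string][]byte{"kek-2024": kek2024}, env, "artifacts/drawing.pdf") // only the retired key
	fmt.Println("after retiring kek-2024:", err)
}
```

The point to take from the rotation step is operational: the object store never has to be rewritten, only the small wrapped-DEK records, which is why annual master-key rotation is affordable even for large archives. The revocation test at the end is the same check step 4 asks for (a retired or disabled key must not decrypt), and it is worth keeping as an automated test against the real KMS.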
4. Access control, logging, and monitoring
Apply least privilege to decrypt operations: grant kms:Decrypt (or the provider's equivalent) only to the specific roles that need it, restrict each key to the service and resource it protects (in AWS, the kms:ViaService and encryption-context conditions in the key policy), and require MFA and device compliance for administrative actions on keys. Enable detailed logging: KMS API calls (CloudTrail records every Encrypt, Decrypt and GenerateDataKey against a key, with the caller and the encryption context), OS auditd/file access logs, cloud object access logs (S3 server access logs or CloudTrail data events), and database audit logs. Forward logs to a centralized SIEM or log collector (Splunk, ELK/OpenSearch, or cloud-native services) and alert on three patterns in particular: decrypt calls from principals that are not supposed to use the key, denied decrypt attempts (a probe or a broken policy), and decrypt volumes that spike well above a principal's baseline, which is what bulk exfiltration of encrypted objects looks like in the key's logs. Regularly test that encrypted resources are inaccessible without keys and that a disabled or revoked key actually prevents decryption.
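The three alerts described above, run over a handful of CloudTrail-shaped records, as an added example that is not part of the original post: the detector parses the subset of CloudTrail fields it needs, collapses assumed-role sessions onto their role ARN, and raises a finding for a denied Decrypt, for a successful Decrypt by a principal outside the key's allow-list, and for a burst of Decrypts above a sliding-window threshold. The account id, key id, role and user names and the log records themselves are constructed for the demonstration, and the threshold of two calls in five minutes is deliberately low so the burst rule fires on a short sample.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"time"
)

// Event is the subset of a CloudTrail record this detector needs; every other
// field in the real record is ignored on decode.
type Event struct {
	EventTime    time.Time `json:"eventTime"`
	EventSource  string    `json:"eventSource"`
	EventName    string    `json:"eventName"`
	ErrorCode    string    `json:"errorCode"` // empty when the call succeeded
	UserIdentity struct {
		ARN            string `json:"arn"`
		SessionContext struct {
			SessionIssuer struct{ ARN string `json:"arn"` } `json:"sessionIssuer"`
		} `json:"sessionContext"`
	} `json:"userIdentity"`
	Resources []struct{ ARN string `json:"ARN"` } `json:"resources"`
}

// principal collapses an assumed-role session onto its role ARN so that every
// CI runner instance counts as one principal; IAM users keep their own ARN.
func (e Event) principal() string {
	if r := e.UserIdentity.SessionContext.SessionIssuer.ARN; r != "" { return r }
	return e.UserIdentity.ARN
}

type Finding struct {
	Rule, Principal, Key string
	Count                int
}

// Detect raises "denied-decrypt" for Decrypt calls KMS rejected, "unexpected-principal"
// for a successful Decrypt on a tracked key by a principal outside its allow-list, and
// "mass-decrypt" once per principal when more than maxPerWindow successful Decrypts
// fall inside a sliding window (the shape a bulk pull of encrypted objects takes).
func Detect(events []Event, allowed map[string]map[string]bool, window time.Duration, maxPerWindow int) []Finding {
	sort.Slice(events, func(i, j int) bool { return events[i].EventTime.Before(events[j].EventTime) })
	var findings []Finding
	recent, alerted := map[string][]time.Time{}, map[string]bool{}
	for _, e := range events {
		if e.EventSource != "kms.amazonaws.com" || e.EventName != "Decrypt" { continue }
		p, key := e.principal(), ""
		if len(e.Resources) > 0 { key = e.Resources[0].ARN }
		if e.ErrorCode != "" { findings = append(findings, Finding{"denied-decrypt", p, key, 1}); continue }
		if al, tracked := allowed[key]; tracked && !al[p] {
			findings = append(findings, Finding{"unexpected-principal", p, key, 1})
		}
		ts := append(recent[p], e.EventTime)
		for len(ts) > 0 && e.EventTime.Sub(ts[0]) > window { ts = ts[1:] } // slide the window forward
		recent[p] = ts
		if len(ts) > maxPerWindow && !alerted[p] {
			alerted[p] = true
			findings = append(findings, Finding{"mass-decrypt", p, key, len(ts)})
		}
	}
	return findings
}

// Constructed identifiers (not a real account, key or role).
const (
	cuiKey     = "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"
	ciRole     = "arn:aws:iam::111122223333:role/ci-runner"
	kmsDecrypt = `"eventSource":"kms.amazonaws.com","eventName":"Decrypt"`
	ciSession  = `"userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/ci-runner/i-0abc123","sessionContext":{"sessionIssuer":{"arn":"` + ciRole + `"}}}`
	jdoeUser   = `"userIdentity":{"arn":"arn:aws:iam::111122223333:user/jdoe"}`
	onCUIKey   = `"resources":[{"ARN":"` + cuiKey + `"}]`
)

// Constructed sample trail (not real telemetry): an IAM user probing the CUI key,
// the CI role decrypting artifacts in a burst, an unrelated S3 event, and one
// later CI decrypt that falls outside the window.
const sampleTrail = `[
{"eventTime":"2024-05-01T09:58:00Z",` + kmsDecrypt + `,"errorCode":"AccessDenied",` + jdoeUser + `,` + onCUIKey + `},
{"eventTime":"2024-05-01T09:59:00Z",` + kmsDecrypt + `,` + jdoeUser + `,` + onCUIKey + `},
{"eventTime":"2024-05-01T10:00:00Z",` + kmsDecrypt + `,` + ciSession + `,` + onCUIKey + `},
{"eventTime":"2024-05-01T10:00:05Z",` + kmsDecrypt + `,` + ciSession + `,` + onCUIKey + `},
{"eventTime":"2024-05-01T10:00:10Z",` + kmsDecrypt + `,` + ciSession + `,` + onCUIKey + `},
{"eventTime":"2024-05-01T10:00:30Z","eventSource":"s3.amazonaws.com","eventName":"GetObject",` + ciSession + `},
{"eventTime":"2024-05-01T10:30:00Z",` + kmsDecrypt + `,` + ciSession + `,` + onCUIKey + `}
]`

// Run evaluates the sample trail: only the CI runner role may decrypt with the
// CUI key, and more than two Decrypts within five minutes is treated as a burst.
func Run() ([]Finding, error) {
	var events []Event
	if err := json.Unmarshal([]byte(sampleTrail), &events); err != nil { return nil, err }
	allowed := map[string]map[string]bool{cuiKey: {ciRole: true}}
	return Detect(events, allowed, 5*time.Minute, 2), nil
}

func main() {
	findings, err := Run()
	if err != nil { panic(err) }
	for _, f := range findings { fmt.Printf("%-21s %-45s count=%d\n", f.Rule, f.Principal, f.Count) }
}
```

In a SIEM the same three rules would be written against the live CloudTrail feed with a per-principal baseline instead of a fixed threshold; the allow-list per key is the part worth maintaining by hand, since it is simply the decrypt grants in the key policy restated as data the detector can check.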
5. Backups, removable media, and lifecycle controls
Encrypt backups and removable media with protections at least as strong as those on production data: use the backup product's transparent encryption or apply client-side encryption before storage, and keep backup keys separate from the credentials of the systems being backed up, so that a compromised server cannot also unlock its own backups. For portable drives, use hardware-encrypted devices (FIPS-validated where required) or enforce BitLocker To Go through Group Policy or Intune, and block writes to unencrypted removable media. Implement media sanitization workflows (NIST SP 800-88 is the usual reference) and maintain an inventory of devices. For cloud backups, ensure snapshot and backup stores are encrypted with customer-managed keys, and make sure key revocation or deletion procedures cannot strand the backups: record which keys each backup set depends on, keep a documented key escrow or retention process, and test a restore after every key rotation.
Real-world small business example and compliance tips
Example: A 20-person defense subcontractor stores CUI on employee laptops, an on-prem NAS, and an S3 bucket used for build artifacts. Implementation steps: deploy BitLocker (TPM+PIN) and escrow recovery keys to Active Directory or Entra ID through Intune (or MBAM where it is still in use), so a lost laptop is recoverable by IT without a shared password; enable S3 SSE-KMS with a customer-managed key whose key policy grants decrypt only to the IAM role used by the CI runners, and only when the call comes through S3 for that bucket; enable SQL Server TDE on the build database; configure CloudTrail (including S3 data events for the bucket) and GuardDuty for anomalous access; and document the entire design in a System Security Plan (SSP). Tips: prioritize high-value assets first, use cloud-managed services where possible to offload HSM maintenance, schedule tabletop exercises for key compromise and recovery, and collect screenshots, policy exports and logs as evidence for audits.
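The key policy for the S3 build-artifact key in the example above, as an added illustration that is not part of the original post and not an AWS-published template. The account id 111122223333, the role names kms-key-admin and ci-runner, the bucket name example-cui-build-artifacts and the region are placeholders. The first statement lets administrators manage the key but grants no Encrypt or Decrypt, which is the separation of duties from step 3; the second lets the CI runner role decrypt and generate data keys only through S3 (kms:ViaService) and only for this bucket, matched on the encryption context S3 supplies (the object ARN by default, the bucket ARN when S3 Bucket Keys are enabled).

```json
{
  "Version": "2012-10-17",
  "Id": "cui-build-artifacts-key-policy",
  "Statement": [
    {
      "Sid": "KeyAdministratorsManageButNeverDecrypt",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/kms-key-admin" },
      "Action": [
        "kms:Describe*", "kms:Get*", "kms:List*",
        "kms:Put*", "kms:Update*", "kms:Enable*", "kms:Disable*",
        "kms:TagResource", "kms:UntagResource",
        "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"
      ],
      "Resource": "*",
      "Condition": { "Bool": { "aws:MultiFactorAuthPresent": "true" } }
    },
    {
      "Sid": "CiRunnersUseKeyOnlyThroughS3ForTheArtifactBucket",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/ci-runner" },
      "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ],
      "Resource": "*",
      "Condition": {
        "StringEquals": { "kms:ViaService": "s3.us-east-1.amazonaws.com" },
        "StringLike": {
          "kms:EncryptionContext:aws:s3:arn": [
            "arn:aws:s3:::example-cui-build-artifacts",
            "arn:aws:s3:::example-cui-build-artifacts/*"
          ]
        }
      }
    }
  ]
}
```

Two caveats before copying this shape. The policy deliberately omits the usual statement granting the account root principal full access, so no IAM policy elsewhere in the account can quietly add decrypt rights to this key; the cost is that if the kms-key-admin role is deleted the key becomes unmanageable without AWS Support, so protect that role accordingly. And the MFA condition only holds when the administrator's role session was itself obtained with MFA, so the role's trust policy has to require it as well.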
Risk of not implementing the requirement
Without properly protecting CUI at rest, organizations are exposed to data theft from lost or stolen devices, insider misuse, ransomware operators who exfiltrate data before encrypting it, and accidental exposure from misconfigured cloud buckets or unencrypted backups. Noncompliance can trigger contract penalties, loss of eligibility for future awards, and long remediation timelines that disrupt business operations and revenue streams.
Summary: Meet Control SC.L2-3.13.16 by systematically inventorying CUI, selecting suitable encryption approaches for each storage type, implementing centralized key management with separation of duties, enforcing least privilege and logging, protecting backups and removable media, and documenting controls for audits. For small businesses, pragmatic choices (cloud KMS, FDE on endpoints, TDE for databases) plus an evidence-backed SSP and routine testing will produce a defensible, maintainable posture that satisfies NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 requirements.