Device Class 2: Protection Of Information At Rest

Control ID: SC-28 Protection Of Information At Rest Family: System and Communications Protection Source: NIST 800-53r4
Control: The information system protects the confidentiality and integrity of [Assignment: organization-defined information at rest].
Supplemental Guidance:
This control addresses the confidentiality and integrity of information at rest and covers user information and system information. Information at rest refers to the state of information when it is located on storage devices as specific components of information systems. System-related information requiring protection includes, for example, configurations or rule sets for firewalls, gateways, intrusion detection/prevention systems, filtering routers, and authenticator content. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing Write-Once-Read-Many (WORM) technologies. Organizations may also employ other security controls including, for example, secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved and/or continuous monitoring to identify malicious code at rest.

Related Controls: AC-3, AC-6, CA-7, CM-3, CM-5, CM-6, PE-3, SC-8, SC-13, SI-3, SI-7
Control Enhancements:
(2) Protection Of Information At Rest | Cryptographic Protection
The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of [any information] on [any device].
Supplemental Guidance: Selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category and/or classification of the information. This control enhancement applies to significant concentrations of digital media in organizational areas designated for media storage and also to limited quantities of media generally associated with information system components in operational environments (e.g., portable storage devices, mobile devices). Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). Organizations employing cryptographic mechanisms to protect information at rest also consider cryptographic key management solutions.
Related Controls: AC-19, SC-12

(1) Protection Of Information At Rest | Cryptographic Protection
The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of [any information] on the device.
Supplemental Guidance: Selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category and/or classification of the information. This control enhancement applies to significant concentrations of digital media in organizational areas designated for media storage and also to limited quantities of media generally associated with information system components in operational environments (e.g., portable storage devices, mobile devices). Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). Organizations employing cryptographic mechanisms to protect information at rest also consider cryptographic key management solutions.
Related Controls: N/A
References: N/A
Mechanisms:

  • The device shall encrypt data on disk if that data is accessed only by entities with periodic privileged access as defined in Notes on Access Control.
  • The device may encrypt data on disk if that data is accessed by entities with ongoing privileged access or with no privileges .
  • Keys used to encrypt data on disk shall be protected by hardware of at least FIPS 140 level 2 equivalent security, such that they cannot be used other than by booting the device.

Protocol Implementation Conformance Statements:
ID Statement Status Reference Notes
SC-28/1 Encrypts data on disk if that data is accessed only by entities with periodic privileged access as defined in 3.2. M
SC-28/2 Encrypts data on disk if that data is accessed by entities with ongoing privileged access or with no privileges O
SC-28/3 Protects keys used to encrypt data on disk with hardware of at least FIPS 140 level 2. M FIPS 140-2