CMMC Practice Requirement:

Protect the confidentiality of “Controlled Unclassified Information” (CUI) at rest.

CMMC Requirement Explanation:

Information at rest refers to the state of information when it is located on storage devices. Examples include hard drives, USB thumb drives, and CDs. If these devices contain “Controlled Unclassified Information” (CUI) they

Example CMMC Implementation:

Create a policy requiring the encryption of “Controlled Unclassified Information” (CUI) at rest. Use full drive encryption on any workstations and servers that could potentially store “Controlled Unclassified Information” (CUI). Encrypt any external drives containing “Controlled Unclassified Information” (CUI).


- Scenario 1:

Your employees often handle “Controlled Unclassified Information” (CUI) on their Windows workstations. To ensure that the “Controlled Unclassified Information” (CUI) is protected you enable Bitlocker drive encryption on all workstations.

Discover Our NIST SP 800-171 Solutions:


Compliance Accelerator

For contractors seeking compliance

Quantum Assessor

For IT service providers

Supply Chain Verifier

For contractors seeking to verify partner compliance