CMMC Practice SC.3.191
Protect the confidentiality of CUI at rest.
Bold Coast Security Guidance
The practices required for true compliance here include encryption, physical control, the use of Access Control Lists (ACLs), managed data stores, monitoring of network activity and the movement of data, and others. Level 3 compliance means the organization has reached a level of maturity that these are formalized in a plan that is required by policy.
DRAFT NIST SP 800-17 R2
Information at rest refers to the state of information when it is not in process or in transit and is located on storage devices as specific components of systems. The focus of protection at rest is not on the type of storage device or the frequency of access but rather the state of
the information. Organizations can use different mechanisms to achieve confidentiality protections, including the use of cryptographic mechanisms and file share scanning.
Organizations may also use other controls including secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved or continuous monitoring to identify malicious code at rest.