NIST 800-53 r5 · Controls catalogue · Family SC
SC-28 Protection of Information at Rest
Protect the [Selection (one or more): confidentiality; integrity] of the following information at rest: [Assignment: organization-defined information at rest].
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (18)

| Implementation | Check | Resource type | Coverage |
|---|---|---|---|
| aws-config-ec2-ebs-encryption-by-default | EBS encryption by default is enabled | AWS::EC2::Volume | partial |
| aws-config-encrypted-volumes | EBS volumes are encrypted at rest | AWS::EC2::Volume | partial |
| aws-config-rds-storage-encrypted | RDS storage is encrypted | AWS::RDS::DBInstance | partial |
| aws-config-s3-bucket-server-side-encryption-enabled | S3 bucket has default server-side encryption | AWS::S3::Bucket | partial |
| aws-config-dynamodb-table-encryption-enabled | DynamoDB table uses encryption at rest with KMS | AWS::DynamoDB::Table | partial |
| aws-config-efs-encrypted-check | EFS file system is encrypted | AWS::EFS::FileSystem | partial |
| aws-config-elasticache-redis-cluster-automatic-backup-check | ElastiCache Redis replication group has automatic backups enabled (the rule checks snapshot retention, not at-rest encryption) | AWS::ElastiCache::ReplicationGroup | partial |
| aws-config-sns-encrypted-kms | SNS topic uses KMS encryption at rest | AWS::SNS::Topic | partial |
| aws-config-sqs-queue-server-side-encryption-enabled | SQS queue has server-side encryption enabled | AWS::SQS::Queue | partial |
| aws-config-eks-cluster-secrets-encrypted | EKS cluster encrypts Kubernetes secrets at rest with KMS | AWS::EKS::Cluster | partial |
| azure-mcsb-dp-04-storage-encryption | Storage account encrypts data at rest | Microsoft.Storage/storageAccounts | partial |
| azure-mcsb-managed-disk-encryption | Managed disks are encrypted with customer-managed keys | Microsoft.Compute/disks | partial |
| azure-mcsb-sql-tde | Azure SQL DB uses Transparent Data Encryption | Microsoft.Sql/servers/databases | partial |
| azure-mcsb-cosmosdb-encryption | Cosmos DB uses customer-managed keys | Microsoft.DocumentDB/databaseAccounts | partial |
| gcp-cis-compute-disk-cmek | Persistent disks encrypted with CMEK | compute.googleapis.com/Disk | partial |
| gcp-cis-storage-bucket-cmek | Cloud Storage buckets encrypted with CMEK | storage.googleapis.com/Bucket | partial |
| gcp-cis-bigquery-cmek | BigQuery datasets encrypted with CMEK | bigquery.googleapis.com/Dataset | partial |
| gcp-cis-cloudsql-encryption | Cloud SQL instances use CMEK encryption | sqladmin.googleapis.com/Instance | partial |
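As an added example (not code from this catalogue or from AWS Config), the Python below evaluates constructed configuration items of the kinds the rules above inspect: EBS volumes, RDS instances, S3 bucket default encryption and DynamoDB tables. Item shapes follow the services' describe output only loosely, every ARN and resource ID is made up, and KEY_INVENTORY stands in for what kms:DescribeKey reports as KeyManager for each key. It goes one step beyond the rules in the table: the same pass can also demand a customer-managed key, which is the difference between the "encrypted" rows and the "with KMS" / "CMEK" rows above.

```python
"""Encryption-at-rest evaluator over constructed AWS Config-style items.

Added example for this page; it is not AWS Config's own rule code. Resource IDs,
ARNs and item shapes are constructed. KEY_INVENTORY models the KeyManager field
("AWS" or "CUSTOMER") that kms:DescribeKey returns for a key ARN.
"""

# Constructed key inventory: key ARN -> KeyManager as reported by kms:DescribeKey.
CMK = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
AWS_S3_KEY = "arn:aws:kms:us-east-1:111122223333:key/aaaa1111-aaaa-1111-aaaa-111111111111"
AWS_RDS_KEY = "arn:aws:kms:us-east-1:111122223333:key/bbbb2222-bbbb-2222-bbbb-222222222222"
KEY_INVENTORY = {CMK: "CUSTOMER", AWS_S3_KEY: "AWS", AWS_RDS_KEY: "AWS"}


def s3_item(rid, algo, key=None):
    """Constructed S3 item; bucket default encryption lives in supplementaryConfiguration."""
    rule = {"sseAlgorithm": algo}
    if key:
        rule["kmsMasterKeyID"] = key
    return {"resourceType": "AWS::S3::Bucket", "resourceId": rid,
            "supplementaryConfiguration": {"ServerSideEncryptionConfiguration":
                                           {"rules": [{"applyServerSideEncryptionByDefault": rule}]}}}


# Constructed configuration items (nine resources, three key classes).
ITEMS = [
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0a1b", "configuration": {"encrypted": False}},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0c2d", "configuration": {"encrypted": True, "kmsKeyId": CMK}},
    # RDS storage encryption cannot be switched on in place: snapshot, copy with a KMS key, restore.
    {"resourceType": "AWS::RDS::DBInstance", "resourceId": "db-legacy", "configuration": {"storageEncrypted": False}},
    {"resourceType": "AWS::RDS::DBInstance", "resourceId": "db-prod", "configuration": {"storageEncrypted": True, "kmsKeyId": AWS_RDS_KEY}},
    s3_item("logs", "AES256"),                 # SSE-S3: S3-managed key, never visible in KMS
    s3_item("exports", "aws:kms", AWS_S3_KEY),  # SSE-KMS with the AWS-managed aws/s3 key
    s3_item("pii", "aws:kms", CMK),             # SSE-KMS with a customer-managed key
    {"resourceType": "AWS::DynamoDB::Table", "resourceId": "sessions", "configuration": {}},
    {"resourceType": "AWS::DynamoDB::Table", "resourceId": "orders",
     "configuration": {"sseDescription": {"status": "ENABLED", "sseType": "KMS", "kmsMasterKeyArn": CMK}}},
]


# Extractors return (encrypted, key_ref); key_ref None means a provider-owned key.
def _ebs(item):
    c = item["configuration"]
    return bool(c.get("encrypted")), c.get("kmsKeyId")


def _rds(item):
    c = item["configuration"]
    return bool(c.get("storageEncrypted")), c.get("kmsKeyId")


def _s3(item):
    sse = item.get("supplementaryConfiguration", {}).get("ServerSideEncryptionConfiguration")
    if not sse:
        return False, None
    rule = sse["rules"][0]["applyServerSideEncryptionByDefault"]
    return True, rule.get("kmsMasterKeyID")  # None with AES256 means SSE-S3


def _dynamodb(item):
    sse = item["configuration"].get("sseDescription") or {}
    # DynamoDB always encrypts; without an sseDescription the table uses an AWS-owned key.
    if sse.get("sseType") == "KMS" and sse.get("status") in ("ENABLED", "ENABLING"):
        return True, sse.get("kmsMasterKeyArn")
    return True, None


EXTRACTORS = {"AWS::EC2::Volume": _ebs, "AWS::RDS::DBInstance": _rds,
              "AWS::S3::Bucket": _s3, "AWS::DynamoDB::Table": _dynamodb}


def key_class(key_ref, inventory):
    """PROVIDER_OWNED, CUSTOMER, AWS, or UNKNOWN (e.g. a key in another account)."""
    if key_ref is None:
        return "PROVIDER_OWNED"
    return inventory.get(key_ref, "UNKNOWN")


def evaluate(item, inventory=KEY_INVENTORY, require_customer_managed=False):
    """One Config-style verdict; UNKNOWN keys fail the strict policy because control cannot be proven."""
    extractor = EXTRACTORS.get(item["resourceType"])
    if extractor is None:
        return {"resourceId": item["resourceId"], "status": "NOT_APPLICABLE", "reason": "no extractor"}
    encrypted, key_ref = extractor(item)
    if not encrypted:
        status, reason = "NON_COMPLIANT", "not encrypted at rest"
    else:
        kc = key_class(key_ref, inventory)
        if require_customer_managed and kc != "CUSTOMER":
            status, reason = "NON_COMPLIANT", f"encrypted, but key is {kc}, not customer-managed"
        else:
            status, reason = "COMPLIANT", f"encrypted, key class {kc}"
    return {"resourceId": item["resourceId"], "status": status, "reason": reason}


def non_compliant(items=ITEMS, **policy):
    """Resource IDs that fail under the given policy, in input order."""
    return [r["resourceId"] for r in (evaluate(i, **policy) for i in items) if r["status"] == "NON_COMPLIANT"]


if __name__ == "__main__":
    for strict in (False, True):
        print("require_customer_managed =", strict)
        for item in ITEMS:
            r = evaluate(item, require_customer_managed=strict)
            print(f"  {r['status']:<14} {r['resourceId']:<10} {r['reason']}")
```

The strict pass is why every row in the table above is tagged partial: a passing rule proves the service encrypts the bytes, not that the organization holds the key, and nothing in any of these checks constrains who may call the API path that decrypts on read.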
ATT&CK techniques this control mitigates (42)
Encryption at rest defeats reads of the underlying media, snapshots and backups; an actor holding valid credentials (T1078, T1530) reads through the same service path that decrypts for legitimate users, so coverage of those techniques rests on key policy and access control around the store rather than on the cipher.

| ID | Technique | Tactic(s) |
|---|---|---|
| T1003 | OS Credential Dumping | Credential Access |
| T1003.001 | LSASS Memory | Credential Access |
| T1003.002 | Security Account Manager | Credential Access |
| T1003.003 | NTDS | Credential Access |
| T1003.004 | LSA Secrets | Credential Access |
| T1003.005 | Cached Domain Credentials | Credential Access |
| T1003.006 | DCSync | Credential Access |
| T1003.007 | Proc Filesystem | Credential Access |
| T1003.008 | /etc/passwd and /etc/shadow | Credential Access |
| T1005 | Data from Local System | Collection |
| T1025 | Data from Removable Media | Collection |
| T1041 | Exfiltration Over C2 Channel | Exfiltration |
| T1048 | Exfiltration Over Alternative Protocol | Exfiltration |
| T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Exfiltration |
| T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | Exfiltration |
| T1052 | Exfiltration Over Physical Medium | Exfiltration |
| T1052.001 | Exfiltration over USB | Exfiltration |
| T1078 | Valid Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access |
| T1078.001 | Default Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access |
| T1078.003 | Local Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access |
| T1078.004 | Cloud Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access |
| T1213 | Data from Information Repositories | Collection |
| T1213.001 | Confluence | Collection |
| T1213.002 | Sharepoint | Collection |
| T1213.004 | Customer Relationship Management Software | Collection |
| T1213.005 | Messaging Applications | Collection |
| T1530 | Data from Cloud Storage | Collection |
| T1550.001 | Application Access Token | Defense Evasion, Lateral Movement |
| T1552 | Unsecured Credentials | Credential Access |
| T1552.001 | Credentials In Files | Credential Access |
| T1552.002 | Credentials in Registry | Credential Access |
| T1552.003 | Shell History | Credential Access |
| T1552.004 | Private Keys | Credential Access |
| T1565 | Data Manipulation | Impact |
| T1565.001 | Stored Data Manipulation | Impact |
| T1565.003 | Runtime Data Manipulation | Impact |
| T1567 | Exfiltration Over Web Service | Exfiltration |
| T1599 | Network Boundary Bridging | Defense Evasion |
| T1599.001 | Network Address Translation Traversal | Defense Evasion |
| T1602 | Data from Configuration Repository | Collection |
| T1602.001 | SNMP (MIB Dump) | Collection |
| T1602.002 | Network Device Configuration Dump | Collection |
Weaknesses this control addresses (6)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 10,204 | Encrypting or otherwise protecting data at rest directly prevents unauthorized actors from reading sensitive information stored on disk or other media. |
| CWE-522 | Insufficiently Protected Credentials | 1,518 | Requiring confidentiality/integrity protection for stored credentials directly mitigates insufficiently protected credentials on disk or in configuration stores. |
| CWE-312 | Cleartext Storage of Sensitive Information | 915 | Requiring confidentiality protection for information at rest eliminates cleartext storage of sensitive data on persistent media. |
| CWE-922 | Insecure Storage of Sensitive Information | 421 | The control explicitly requires secure storage mechanisms for sensitive information, closing the insecure-storage weakness class. |
| CWE-256 | Plaintext Storage of a Password | 203 | Protection of passwords and credentials at rest forces encryption or equivalent controls instead of plaintext storage. |
| CWE-313 | Cleartext Storage in a File or on Disk | 26 | Mandating protection of files and disk-stored data at rest prevents the specific weakness of cleartext storage on disk or in files. |
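An added example (not code from this catalogue) of the CWE-256 / CWE-312 / CWE-313 rows above, in Python with the standard library only: the record shape a plaintext credential store writes, beside the hardened form, and a check of what a read of the stored bytes reveals. For passwords the system only needs to verify, a salted memory-hard KDF is the "equivalent control" the CWE-256 rationale refers to; secrets that must come back in clear (API keys, connection strings) need encryption under a key held outside the data store instead, which is the cloud-side case the implementations table covers. The usernames, passwords and fixed salt are constructed.

```python
"""Plaintext password record beside a hardened one, and what a disk read of each reveals.

Added example for this page, not code from the catalogue. Usernames, passwords
and the fixed salt used in the demo are constructed. Standard library only.
"""
import base64
import hashlib
import hmac
import json
import os

# scrypt cost: 128 * r * N bytes of memory per guess, here 16 MiB.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def vulnerable_record(username, password):
    """CWE-256 / CWE-312: the bytes that land on disk carry the password verbatim."""
    return json.dumps({"user": username, "password": password}).encode()


def hardened_record(username, password, salt=None):
    """Store only a salted, memory-hard digest; the password cannot be recovered from the record."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return json.dumps({
        "user": username, "kdf": "scrypt", "n": SCRYPT_N, "r": SCRYPT_R, "p": SCRYPT_P,
        "salt": base64.b64encode(salt).decode(), "hash": base64.b64encode(digest).decode(),
    }).encode()


def verify(record_bytes, password):
    """Check a login against either record shape with a constant-time comparison."""
    rec = json.loads(record_bytes)
    if "password" in rec:
        # The plaintext store works perfectly for logins, which is why the bug survives in production.
        return hmac.compare_digest(rec["password"].encode(), password.encode())
    salt = base64.b64decode(rec["salt"])
    expected = base64.b64decode(rec["hash"])
    got = hashlib.scrypt(password.encode(), salt=salt, n=rec["n"], r=rec["r"], p=rec["p"], dklen=len(expected))
    return hmac.compare_digest(got, expected)


def leaks_password(record_bytes, password):
    """What an actor with file or backup access (T1005, T1552.001) gets: is the secret in the record?"""
    return password.encode() in record_bytes


if __name__ == "__main__":
    secret = "correct horse battery staple"  # constructed
    for make in (vulnerable_record, hardened_record):
        rec = make("alice", secret)
        print(f"{make.__name__:<18} leaks={leaks_password(rec, secret)} verifies={verify(rec, secret)}")
```

The KDF parameters travel inside the record so they can be raised later without a flag day: a record written with a lower cost still verifies, and can be rewritten on the next successful login.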
Top CVEs where this control is the strongest mitigation

| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2025-24263 | 2.0 | 9.8 | 0.0045 | good |
| CVE-2025-27650 | 2.0 | 9.8 | 0.0013 | good |
| CVE-2026-22906 | 2.0 | 9.8 | 0.0006 | good |
| CVE-2025-25650 | 1.8 | 9.1 | 0.0028 | good |
| CVE-2021-47961 | 1.6 | 8.1 | 0.0004 | good |
| CVE-2024-41336 | 1.5 | 7.5 | 0.0013 | good |
| CVE-2026-35467 | 1.5 | 7.5 | 0.0003 | good |
| CVE-2025-27685 | 1.5 | 7.5 | 0.0007 | good |
| CVE-2026-33867 | 1.5 | 7.5 | 0.0001 | good |
| CVE-2026-35556 | 1.5 | 7.5 | 0.0004 | good |
| CVE-2025-21102 | 1.5 | 7.5 | 0.0005 | good |
| CVE-2025-36258 | 1.4 | 7.1 | 0.0001 | good |
| CVE-2024-23942 | 1.4 | 7.1 | 0.0003 | good |
| CVE-2024-55928 | 1.3 | 6.5 | 0.0016 | good |
| CVE-2025-22896 | 3.7 | 8.6 | 0.3324 | good |
| CVE-2025-12539 | 2.0 | 10.0 | 0.0072 | good |
| CVE-2025-27154 | 2.0 | 9.8 | 0.0024 | good |
| CVE-2025-27663 | 2.0 | 9.8 | 0.0033 | partial |
| CVE-2025-0497 | 2.0 | 9.8 | 0.0011 | good |
| CVE-2025-0498 | 2.0 | 9.8 | 0.0014 | good |
| CVE-2025-27595 | 2.0 | 9.8 | 0.0010 | good |
| CVE-2026-21660 | 2.0 | 9.8 | 0.0005 | good |
| CVE-2025-55619 | 2.0 | 9.8 | 0.0014 | good |
| CVE-2025-52579 | 1.9 | 9.4 | 0.0020 | good |
| CVE-2026-23658 | 1.7 | 8.6 | 0.0010 | good |