🏛️ NIST 800-53 SC-28 · Rule: NIST-SC-028 · Severity: critical

Protection of Information at Rest

Description

Protect the confidentiality and integrity of information at rest.

⚠️ Risk Impact

Data at rest outlives every other security control: once an attacker reaches the storage layer (a stolen disk snapshot, an exposed bucket, a compromised database host), network segmentation and application authentication no longer matter. Encryption at rest is the last line of defense at that point; it is what determines whether the attacker walks away with data or with ciphertext they cannot use without the key.

🔍 How EchelonGraph Detects This

NIST-SC-028 · Automated scanner rule

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as critical-severity findings with remediation guidance.

🔧 Remediation

Enable default encryption at rest on every cloud database, storage bucket, and disk, so that newly created resources are encrypted without per-resource action. Prefer customer-managed keys (CMK) over provider-managed keys where the service supports them: a CMK gives you the key policy, access logging and the ability to revoke, which provider default keys do not. Enable automatic key rotation on those keys. Note that some managed data stores cannot be encrypted in place (for example, an existing unencrypted AWS RDS instance must be snapshotted, the snapshot copied with encryption, and the database restored from the copy), so plan a migration window for legacy resources. Finally, keep an encryption inventory that maps each resource to its encryption state and key, and pair it with access-control review: encryption at rest does not protect data from a principal the service considers authorized.

💀 Real-World Attack Scenario

A misconfigured S3 bucket was discovered to have been publicly readable for 8 months. It contained roughly 200K customer files. The bucket had server-side encryption (SSE-S3) enabled, but that did nothing to protect the data: SSE-S3 decrypts transparently for any request S3 considers authorized, and a public bucket grant makes anonymous requests authorized, so anyone could fetch plaintext objects. The encryption-at-rest control was technically "passing" the whole time. Encryption at rest does not compensate for access misconfiguration; the company faced $2.4M in regulatory fines plus customer-notification costs.

💰 Cost of Non-Compliance

Unencrypted data-at-rest in cloud incidents: avg cost $5.1M (IBM 2024). HIPAA failure: $1.5M-$50M per incident depending on size. PCI-DSS 3.4 failure: $5K-$100K/month.

📋 Audit Questions

  1. What percentage of cloud storage is encrypted at rest?
  2. Are customer-managed keys used, or default provider keys?
  3. What is the key rotation cadence?
  4. Show the most recent encryption-coverage report.
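The remediation steps, the public-bucket scenario and the audit questions above all reduce to the same posture check: for each storage resource, is it encrypted, with whose key, is that key rotated, and does an access misconfiguration make the encryption moot. The script below is an added example written for this page, not EchelonGraph's scanner code. The resource schema (`StorageResource`), the inventory entries and the severity levels are assumptions chosen for illustration; a real run would populate the inventory from the cloud provider's describe/list APIs.

```python
"""
Encryption-at-rest (SC-28) posture check over a cloud storage inventory.
Added example for this page; not EchelonGraph's detection logic.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class StorageResource:
    """One storage resource as a scanner would describe it (assumed schema)."""
    resource_id: str
    kind: str                       # "s3", "ebs", "rds", ... (label only)
    encrypted: bool                 # server-side encryption at rest enabled
    key_type: str = "none"          # "none", "provider" (e.g. SSE-S3), or "cmk"
    rotation_enabled: bool = False  # automatic rotation configured on the CMK
    public_read: bool = False       # anonymous principals can read the data


# Constructed sample inventory; names are illustrative, not real accounts.
INVENTORY = [
    StorageResource("customer-uploads", "s3", encrypted=True, key_type="provider", public_read=True),
    StorageResource("vol-app-01", "ebs", encrypted=False),
    StorageResource("orders-db", "rds", encrypted=True, key_type="cmk", rotation_enabled=True),
    StorageResource("audit-logs", "s3", encrypted=True, key_type="cmk", rotation_enabled=False),
    StorageResource("vol-batch-02", "ebs", encrypted=True, key_type="provider"),
]


def evaluate(res: StorageResource) -> list[dict]:
    """Return SC-28 findings for one resource. Severities are this example's choice."""
    findings: list[dict] = []

    def flag(severity: str, issue: str) -> None:
        findings.append({"resource": res.resource_id, "rule": "NIST-SC-028",
                         "severity": severity, "issue": issue})

    if not res.encrypted:
        flag("critical", "not encrypted at rest")
    elif res.key_type == "provider":
        # Provider-managed keys are rotated by the provider; the gap is
        # control over key policy and revocation, not rotation.
        flag("medium", "provider-managed key; customer-managed key (CMK) recommended")
    elif res.key_type == "cmk" and not res.rotation_enabled:
        flag("high", "customer-managed key without automatic rotation")

    if res.public_read:
        # SSE decrypts transparently for any authorized request, and a public
        # grant authorizes everyone, so this is flagged regardless of encryption.
        flag("critical", "publicly readable; encryption at rest does not compensate")
    return findings


def coverage_report(inventory: list[StorageResource]) -> dict:
    """Answer the audit questions: coverage %, CMK %, findings by severity."""
    total = len(inventory)
    encrypted = sum(1 for r in inventory if r.encrypted)
    cmk = sum(1 for r in inventory if r.encrypted and r.key_type == "cmk")
    findings = [f for r in inventory for f in evaluate(r)]
    by_severity: dict[str, int] = {}
    for f in findings:
        by_severity[f["severity"]] = by_severity.get(f["severity"], 0) + 1

    def pct(n: int) -> float:
        return round(100.0 * n / total, 1) if total else 0.0

    return {"total": total, "encrypted_pct": pct(encrypted), "cmk_pct": pct(cmk),
            "findings": findings, "by_severity": by_severity}


if __name__ == "__main__":
    report = coverage_report(INVENTORY)
    print(f"encrypted at rest: {report['encrypted_pct']}% of {report['total']} resources, "
          f"CMK: {report['cmk_pct']}%")
    for f in report["findings"]:
        print(f"[{f['severity']:8}] {f['resource']}: {f['issue']}")
```

On the constructed inventory the report shows 80% encrypted and 40% on customer-managed keys, and the publicly readable bucket is flagged critical even though its encryption check passes, which is exactly the failure mode in the scenario above. Wiring the same `evaluate` function to real describe-API output is the only change needed to run it against an account.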

🎯 MITRE ATT&CK Mapping

T1530 — Data from Cloud Storage

⚡ Common Pitfalls

  • Default encryption disabled 'temporarily' for performance reasons
  • Encryption at rest but no key rotation policy
  • Bring-your-own-key (BYOK) without an inventory of which workloads use which keys

📈 Business Value

Encryption at rest is the final defense. When access controls fail (and they will), encryption determines whether the breach is a contained incident or a catastrophe.

⏱️ Effort Estimate

Manual

16-40 hours for encryption posture review + remediation

With EchelonGraph

EchelonGraph evaluates encryption posture across all storage; flags unencrypted resources

🔗 Cross-Framework References

SOC2-CC6.1 · PCI-3.4 · HIPAA-164.312(a)(2)(iv)

Automate NIST 800-53 SC-28 compliance

EchelonGraph continuously monitors this control across all your cloud accounts.
