NIST CSF 2.0 - Protect

PR.DS-01: Data-at-Rest Protection

PR.DS-01 requires organizations to protect the confidentiality, integrity and availability of data-at-rest. This NIST CSF 2.0 control falls under the Protect (PR) function and the Data Security category. Use this checklist to verify implementation and prepare evidence for auditors.

Control Details

Control ID: PR.DS-01
Title: Data-at-Rest Protection
Function: Protect (PR)
Category: Data Security
Framework: NIST CSF 2.0

The confidentiality, integrity and availability of data-at-rest are protected. This includes encryption, access controls and integrity verification for stored data across all storage media.

Why This Matters

Data at rest is vulnerable to theft through physical access, insider threats and breach of storage systems. Encryption ensures that stolen data remains unreadable without the decryption keys.

Implementation Checklist

Use this checklist to verify your organization meets the requirements of PR.DS-01.

Evidence an Auditor Expects

Prepare the following documentation and artifacts to demonstrate compliance with PR.DS-01 during an audit.

  • Encryption policy specifying algorithms and key lengths
  • Endpoint encryption deployment reports showing coverage
  • Key management system configuration and access logs
  • Cloud storage encryption configuration screenshots
  • Backup restoration test results

Common Gaps We Find

Based on our penetration testing and risk assessment engagements, these are the gaps organizations most frequently have with PR.DS-01.

  • Endpoints have full-disk encryption but database encryption is not implemented
  • Encryption keys are stored alongside the encrypted data
  • Cloud storage buckets are created without encryption enabled by default
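
One way to check a storage tree for the second gap above (keys stored alongside the encrypted data). This is an added example, not code from this page's author or from NIST. The extension list and the "same directory or below" scope rule are assumptions to adjust per environment.

```python
import os
import re
import sys

# PEM private-key headers (PKCS#8, RSA, EC, OpenSSH, encrypted PKCS#8).
KEY_RE = re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")
# Magic bytes of OpenSSL "enc" salted output and of age files.
ENC_MAGIC = (b"Salted__", b"age-encryption.org/v1")
# Assumption: extensions this environment uses for encrypted artifacts.
ENC_EXTS = (".enc", ".gpg", ".age")


def classify(path):
    """Return 'key', 'encrypted' or None from the file's first bytes and name."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(4096)
    except OSError:
        return None  # unreadable: skip rather than guess
    if KEY_RE.search(head):
        return "key"
    if head.startswith(ENC_MAGIC) or path.lower().endswith(ENC_EXTS):
        return "encrypted"
    return None


def find_colocated_keys(root):
    """Map each private-key file under root to the encrypted files stored
    in the key's own directory or any directory below it."""
    found = {"key": [], "encrypted": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            kind = classify(full)
            if kind:
                found[kind].append(full)
    findings = {}
    for key in found["key"]:
        scope = os.path.dirname(key) + os.sep
        hits = sorted(e for e in found["encrypted"] if e.startswith(scope))
        if hits:
            findings[key] = hits
    return findings


if __name__ == "__main__":
    # Usage: pass the storage root to audit; defaults to the current directory.
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for key, files in find_colocated_keys(root).items():
        print(f"{key}: stored with {len(files)} encrypted file(s)")
```

A key file with no encrypted data at or below its directory is not reported, so a dedicated key store on the same host does not produce findings.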

FAQ

What does PR.DS-01 require?
PR.DS-01 (Data-at-Rest Protection) requires that the confidentiality, integrity and availability of data-at-rest are protected. This includes encryption, access controls and integrity verification for stored data across all storage media. This control is part of the NIST CSF 2.0 Protect function under the Data Security category.

How do I prove compliance with PR.DS-01?
To demonstrate compliance with PR.DS-01, prepare the following evidence: Encryption policy specifying algorithms and key lengths; Endpoint encryption deployment reports showing coverage; Key management system configuration and access logs. Auditors will verify that these artifacts exist and reflect current operational practices.

Need Help Meeting NIST CSF 2.0 Requirements?

Our penetration testing and risk assessments map directly to NIST CSF 2.0 controls. Sherlock Forensics identifies gaps in your compliance posture and provides actionable remediation guidance.
