This objective ensures your organization has formally documented where and how cryptography is used to protect Controlled Unclassified Information (CUI) at rest on system components. This documentation must show what encryption methods, tools, and standards are applied to storage devices and media.