Review the system documentation to determine whether the organization has defined the information at rest that is to be protected from modification, which must include, at a minimum, PII and classified information.
If no information is identified as requiring such protection, this is not a finding.
Review the configuration of the DBMS, operating system/file system, and additional software as relevant.
If any of the information defined as requiring cryptographic protection from modification is not encrypted in a manner that provides the required level of protection, this is a finding.