AC.L2-3.1.18  

Reference: CMMC 2.0

Family: AC

Level Introduced: 2

Title: Mobile Device Connection

Practice:
Control connection of mobile devices.

CMMC Clarification:
Organizations should establish guidelines and acceptable practices for the proper configuration and use of mobile devices. First the device must be identified. The availability of a unique identifier is going to depend on the device vendor, and the openness of the vendor's API, whether or not the device is under EMM/MDM control and, if so, the approach used by the developer of the EMM/MDM. There are many different types of identifiers (e.g., UDID, UUID, Android ID, IMEI, MAC Address, serial number, MDM generated ID) that can be used to identify the device, and an organization must choose an approach that applies under their specific circumstances. Once the device is identified and authenticated, it is checked to ensure it complies with appropriate configuration settings and software versions for the operating system and applications. At the same time the device is checked to ensure anti-virus software is running with current definitions. Finally, hardware configurations are checked to ensure any disallowed features are turned off.

Example
Your organization has a policy that provides guidelines for using mobile devices such as iPads, tablets, mobile phones, PDAs. It states that all mobile devices must be approved and registered with the IT department before connecting to the network. The IT department uses a Mobile Device Management solution to monitor mobile devices and enforce policies across the enterprise.

Source: CMMC v2.0