AC.L2-3.1.18  

Reference: CMMC v2.13

Family: AC

Level Introduced: 2

Title: Mobile Device Connection

Practice:
Control connection of mobile devices.

Further Discussion:
Establish guidelines and acceptable requirements for proper configuration, use, and management of mobile devices. Devices that process, store, or transmit CUI must be identified with a device-specific identifier. There are many different types of identifiers, and it is important to select one that can accommodate all devices and be used in a consistent manner. These identifiers are important for facilitating the required monitoring and logging function.

In addition to smartphones, consider the security of other portable devices such as e-readers and tablets.

AC.L2-3.1.16, AC.L2-3.1.17, and AC.L2-3.1.18 are complementary requirements in that they all establish control for the connection of mobile devices and wireless devices through the use of authentication, authorization, and encryption mechanisms.

Example
Your organization has a policy stating that all mobile devices, including iPads, tablets, mobile phones, and Personal Digital Assistants (PDAs), must be approved and registered with the IT department before connecting to the network that contains CUI. The IT department uses a Mobile Device Management solution to monitor mobile devices and enforce policies across the enterprise [b,c].

Potential Assessment Considerations
• Is a list of mobile devices that are permitted to process, store, or transmit CUI maintained [a,b]?
• Is the system configured to only permit connections from identified, authorized mobile devices [b]?

Source: CMMC v2.13