Skip to content
CMMC 2.13
CMMC · Rev 2.132FAMILY AC

AC.L2-3.1.18

Mobile Device Connection

Requirement

Control connection of mobile devices.

Further discussion

Establish guidelines and acceptable requirements for proper configuration, use, and management of mobile devices. Devices that process, store, or transmit CUI must be identified with a device-specific identifier. There are many different types of identifiers, and it is important to select one that can accommodate all devices and be used in a consistent manner. These identifiers are important for facilitating the required monitoring and logging function. In addition to smartphones, consider the security of other portable devices such as e-readers and tablets. AC.L2-3.1.16, AC.L2-3.1.17, and AC.L2-3.1.18 are complementary requirements in that they all establish control for the connection of mobile devices and wireless devices through the use of authentication, authorization, and encryption mechanisms. Example Your organization has a policy stating that all mobile devices, including iPads, tablets, mobile phones, and Personal Digital Assistants (PDAs), must be approved and registered with the IT department before connecting to the network that contains CUI. The IT department uses a Mobile Device Management solution to monitor mobile devices and enforce policies across the enterprise [b,c]. Potential Assessment Considerations • Is a list of mobile devices that are permitted to process, store, or transmit CUI maintained [a,b]? • Is the system configured to only permit connections from identified, authorized mobile devices [b]?

Supporting controls

NIST 800-171 · Rev 21 mapped

Create a free account or log in to view the cross-referenced controls.

Implementation strategies

10 recommended strategies for this practice.

Create a free account or log in to view the implementation strategies.

Source: DoD CIO · https://dodcio.defense.gov/CMMC/