CMMC 2.13
CMMC · Rev 2.132FAMILY AC
AC.L2-3.1.18
Mobile Device Connection
Requirement
Control connection of mobile devices.
Further discussion
Establish guidelines and acceptable requirements for proper configuration, use, and management of mobile devices. Devices that process, store, or transmit CUI must be identified with a device-specific identifier. There are many different types of identifiers, and it is important to select one that can accommodate all devices and be used in a consistent manner. These identifiers are important for facilitating the required monitoring and logging function.
In addition to smartphones, consider the security of other portable devices such as e-readers and tablets.
AC.L2-3.1.16, AC.L2-3.1.17, and AC.L2-3.1.18 are complementary requirements in that they all establish control for the connection of mobile devices and wireless devices through the use of authentication, authorization, and encryption mechanisms.
Example
Your organization has a policy stating that all mobile devices, including iPads, tablets, mobile phones, and Personal Digital Assistants (PDAs), must be approved and registered with the IT department before connecting to the network that contains CUI. The IT department uses a Mobile Device Management solution to monitor mobile devices and enforce policies across the enterprise [b,c].
Potential Assessment Considerations
• Is a list of mobile devices that are permitted to process, store, or transmit CUI maintained [a,b]?
• Is the system configured to only permit connections from identified, authorized mobile devices [b]?
Supporting controls
NIST 800-171 · Rev 21 mapped
Create a free account or log in to view the cross-referenced controls.
Implementation strategies
10 recommended strategies for this practice.
Create a free account or log in to view the implementation strategies.
Source: DoD CIO · https://dodcio.defense.gov/CMMC/