CMMC 2.13
CMMC · Rev 2.132FAMILY AC
AC.L2-3.1.19
Encrypt CUI on Mobile
Requirement
Encrypt CUI on mobile devices and mobile computing platforms.
Further discussion
Ensure CUI is encrypted on all mobile devices and mobile computing platforms that process, store, or transmit CUI including smartphones, tablets, and e-readers.
Because the use of cryptography in this requirement is to protect the confidentiality of CUI, the cryptography used must meet the criteria specified in requirement SC.L2-3.13.11.
This requirement, AC.L2-3.1.19, specifies that CUI be encrypted on mobile devices and extends three other CUI protection requirements (MP.L2-3.8.1, MP.L2-3.8.2, and SC.L2-3.13.16):
• MP.L2-3.8.1 requires that media containing CUI be protected.
• MP.L2-3.8.2 limits access to CUI to authorized users.
• Finally, SC.L2-3.13.16 requires confidentiality of CUI at rest.
This requirement, AC.L2-3.1.19, also leverages SC.L2-3.13.11, which specifies that the algorithms used must be FIPS-validated cryptography, and SC.L2-3.13.10, which specifies that any cryptographic keys in use must be protected.
Example
You are in charge of mobile device security for a company that processes CUI. You configure all laptops to use the full-disk encryption technology built into the operating system. This approach is FIPS-validated and encrypts all files, folders, and volumes.
Phones and tablets pose a greater technical challenge with their wide range of manufacturers and operating systems. You select a proprietary mobile device management (MDM) solution to enforce FIPS-validated encryption on those devices [a,b].
Potential Assessment Considerations
• Is a list maintained of mobile devices and mobile computing platforms that are permitted to process, store, or transmit CUI [a]?
• Is CUI encrypted on mobile devices using FIPS-validated algorithms [b]?
Supporting controls
NIST 800-171 · Rev 21 mapped
Create a free account or log in to view the cross-referenced controls.
Implementation strategies
10 recommended strategies for this practice.
Create a free account or log in to view the implementation strategies.
Source: DoD CIO · https://dodcio.defense.gov/CMMC/