NetStable
Level 2 AC.L2-3.1.18

Control connection of mobile devices

📖 What This Means

This control requires organizations to manage and restrict how mobile devices connect to their systems and networks. Mobile devices include smartphones, tablets, and laptops that can access organizational resources. The goal is to ensure that only authorized devices can connect, reducing the risk of unauthorized access or data breaches. For example, an employee's personal smartphone should not be able to connect to the company's Wi-Fi without passing the required security checks. Similarly, a contractor's tablet should only access specific files if it meets the organization's security standards. This control helps protect sensitive information from being accessed or stolen over insecure mobile connections.

🎯 Why It Matters

Uncontrolled mobile device connections can lead to significant security risks, such as unauthorized access to sensitive data, malware infections, and data breaches. For instance, in 2021, a major healthcare provider suffered a breach when an employee’s compromised smartphone accessed patient records, exposing thousands of sensitive records. The financial impact of such breaches can be substantial, often exceeding millions in fines, legal fees, and reputational damage. From a DoD/CMMC perspective, this control is critical because mobile devices are often used to access Controlled Unclassified Information (CUI). Ensuring secure connections minimizes the risk of CUI being compromised, aligning with DoD’s cybersecurity requirements.

How to Implement

  1. Enable Mobile Device Management (MDM) solutions like Microsoft Intune or AWS WorkSpaces.
  2. Configure Conditional Access Policies in Azure AD to restrict device connections based on compliance status.
  3. Enforce Multi-Factor Authentication (MFA) for mobile device access to cloud resources.
  4. Implement Network Access Control (NAC) to allow only authorized devices to connect to cloud services.
  5. Regularly audit and update mobile device policies to ensure compliance.
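Step 5 (regular auditing) and the "Access Logs" evidence item are easiest to satisfy with a repeatable check over the exported connection log rather than an eyeball review. The script below is an added example, not NetStable's code and not any MDM or NAC vendor's export format: the CSV columns (`mdm_enrolled`, `compliant`, `mfa_passed`, `result`) and the sample rows are constructed for illustration and must be mapped to the fields your own solution actually exports. It flags any connection that was allowed even though the device was not enrolled, was non-compliant, or the user did not complete MFA (steps 1 to 4 not being enforced), and lists devices that were blocked repeatedly so they can be reviewed.

```python
"""Audit an exported mobile-device access log for policy violations.

Added example (not NetStable's code, not a real vendor schema). Column names
and sample rows below are constructed; map them to your MDM/NAC export.
"""
import csv
import io
from collections import Counter

# Constructed sample export. The column layout is an assumption for this example.
SAMPLE_LOG = """timestamp,user,device_id,platform,mdm_enrolled,compliant,mfa_passed,result
2024-03-01T08:02:11Z,alice@example.com,dev-1001,iOS,true,true,true,allowed
2024-03-01T08:05:40Z,bob@example.com,dev-2002,Android,true,false,true,allowed
2024-03-01T08:07:03Z,carol@example.com,dev-3003,iOS,false,false,false,blocked
2024-03-01T08:09:55Z,dave@example.com,dev-4004,Android,true,true,false,allowed
2024-03-01T08:12:20Z,carol@example.com,dev-3003,iOS,false,false,false,blocked
2024-03-01T08:15:42Z,carol@example.com,dev-3003,iOS,false,false,false,blocked
2024-03-01T09:01:00Z,erin@example.com,dev-5005,iOS,true,true,true,allowed
"""


def _flag(value):
    """Interpret a CSV boolean column ('true'/'false') as a Python bool."""
    return value.strip().lower() == "true"


def parse_log(text):
    """Parse the CSV export into a list of dicts with normalized boolean flags."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "timestamp": row["timestamp"],
            "user": row["user"],
            "device_id": row["device_id"],
            "platform": row["platform"],
            "mdm_enrolled": _flag(row["mdm_enrolled"]),
            "compliant": _flag(row["compliant"]),
            "mfa_passed": _flag(row["mfa_passed"]),
            "allowed": row["result"].strip().lower() == "allowed",
        })
    return rows


def find_violations(rows):
    """Return allowed connections that the control says should have been denied.

    A connection is a violation if it was allowed while the device was not
    enrolled in MDM, was non-compliant, or the user did not satisfy MFA.
    """
    violations = []
    for r in rows:
        if not r["allowed"]:
            continue  # blocked connections are the control working as intended
        reasons = []
        if not r["mdm_enrolled"]:
            reasons.append("not enrolled in MDM")
        if not r["compliant"]:
            reasons.append("device non-compliant")
        if not r["mfa_passed"]:
            reasons.append("MFA not satisfied")
        if reasons:
            violations.append({
                "timestamp": r["timestamp"],
                "user": r["user"],
                "device_id": r["device_id"],
                "reasons": reasons,
            })
    return violations


def repeated_blocked_devices(rows, threshold=3):
    """Devices blocked at least `threshold` times: candidates for follow-up."""
    counts = Counter(r["device_id"] for r in rows if not r["allowed"])
    return {dev: n for dev, n in counts.items() if n >= threshold}


def audit(text, threshold=3):
    """Produce the summary an auditor would want from one log export."""
    rows = parse_log(text)
    return {
        "total": len(rows),
        "allowed": sum(1 for r in rows if r["allowed"]),
        "violations": find_violations(rows),
        "repeated_blocked": repeated_blocked_devices(rows, threshold),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    print(f"{report['total']} connections, {report['allowed']} allowed")
    for v in report["violations"]:
        print(f"VIOLATION {v['timestamp']} {v['user']} {v['device_id']}: "
              f"{', '.join(v['reasons'])}")
    for dev, n in report["repeated_blocked"].items():
        print(f"REVIEW {dev}: blocked {n} times")
```

Run monthly against the exported CSV and keep the output with the Access Logs evidence; an empty violations list is the artifact that shows enforcement is working, and a non-empty one points directly at the MDM or NAC policy that needs fixing.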

⏱️ Estimated Effort

Implementation typically takes 2-3 days for small organizations, requiring intermediate IT skills for configuration and deployment.

📋 Evidence Examples

Mobile Device Management Policy

Format: PDF
Frequency: Annually or when significant changes occur.
Contents: Document outlining approved devices, connection requirements, and security measures.
Collection: Create/update the policy in collaboration with IT and security teams.

MDM Configuration Screenshots

Format: PNG/JPG
Frequency: Quarterly or after policy updates.
Contents: Screenshots showing device compliance policies and access restrictions.
Collection: Capture screenshots from MDM console.

Access Logs

Format: CSV
Frequency: Monthly.
Contents: Logs showing mobile device connections and authentication attempts.
Collection: Export logs from MDM or NAC solution.

Testing Results

Format: PDF
Frequency: Semi-annually.
Contents: Documentation of tests verifying unauthorized devices cannot connect.
Collection: Conduct tests and document results.

Training Records

Format: Excel
Frequency: Annually.
Contents: Records of employees trained on mobile device security policies.
Collection: Track attendance in training sessions.

📝 SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For AC.L2-3.1.18 ("Control connection of mobile devices"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe how access to CUI systems is controlled, including the specific IAM tools, policies, and processes used. Reference your Access Control Policy and identify the systems in scope. Be specific -- name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"AC.L2-3.1.18 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to control connection of mobile devices. The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."

On-Premise

"AC.L2-3.1.18 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to control connection of mobile devices. Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."

Hybrid

"AC.L2-3.1.18 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

  • Identify all access points to CUI systems (VPN, direct network, cloud portals)
  • Document which IAM system manages access (Azure AD, AWS IAM, on-prem AD)
  • Map user roles to system access levels
  • Ensure this control covers all systems within your defined CUI boundary to which mobile devices can connect
  • Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

  • 📄 Access Control Policy
  • 📄 IAM configuration documentation
  • 📄 Access request and approval records
  • 📄 Evidence artifacts specific to AC.L2-3.1.18
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will verify that access controls are implemented as described, test whether unauthorized users are blocked, and review access logs for evidence of enforcement.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Do you have a Mobile Device Management (MDM) solution in place?

✅ YES → Proceed to Q2.
❌ NO → GAP: Implement an MDM solution like Microsoft Intune or Jamf Pro within 30 days.
Remediation: Select and deploy an MDM solution; document the process.

Question 2: Are mobile devices required to meet specific security standards before connecting?

✅ YES → Proceed to Q3.
❌ NO → GAP: Define and enforce security standards (e.g., encryption, OS updates) within 14 days.
Remediation: Update MDM policies to enforce security standards.

Question 3: Are unauthorized mobile devices blocked from accessing the network?

✅ YES → Proceed to Q4.
❌ NO → GAP: Configure NAC or firewall rules to block unauthorized devices within 7 days.
Remediation: Update network configuration and test.

Question 4: Are mobile device connections logged and monitored?

✅ YES → Proceed to Q5.
❌ NO → GAP: Enable logging in MDM or NAC solution within 7 days.
Remediation: Configure logs and verify they are captured.

Question 5: Are employees trained on mobile device security policies?

✅ YES → Compliance confirmed.
❌ NO → GAP: Conduct employee training within 30 days.
Remediation: Schedule and document training sessions.

⚠️ Common Mistakes (What Auditors Flag)

1. Not enforcing device compliance before allowing access.

Why this happens: Lack of MDM configuration or oversight.
How to avoid: Configure MDM to enforce compliance policies and regularly audit connections.

2. Allowing personal devices unrestricted access.

Why this happens: No policy or technical controls in place.
How to avoid: Create a BYOD policy and enforce it through MDM and NAC.

3. Failing to monitor mobile device connections.

Why this happens: Logging not enabled or not reviewed.
How to avoid: Enable logging in MDM and NAC solutions and review logs regularly.

4. Not updating mobile device policies.

Why this happens: Lack of periodic reviews.
How to avoid: Schedule annual policy reviews and updates.

5. Incomplete documentation of mobile device controls.

Why this happens: Focus on technical implementation over documentation.
How to avoid: Document all configurations, policies, and testing results.

📚 Parent Policy

This practice is governed by the Access Control Policy.

📚 Related Controls