AC.L2-3.1.19: Encrypt CUI on mobile devices and mobile computing platforms

📖 What This Means

This control requires that any Controlled Unclassified Information (CUI) stored on mobile devices or mobile computing platforms (such as laptops, tablets, and smartphones) be encrypted. Encryption ensures that if the device is lost or stolen, the data cannot be accessed without the encryption key. This is important because mobile devices are more susceptible to theft or loss due to their portability. For example, if an employee leaves their laptop in a coffee shop, encryption ensures that sensitive information on that laptop remains secure. Similarly, if a company-issued smartphone is lost, encryption protects any CUI stored on it.

🎯 Why It Matters

The primary risk this control addresses is the unauthorized access to CUI if a mobile device is lost or stolen. According to a 2020 study, 70% of data breaches involve portable devices. Without encryption, sensitive data can be easily accessed, leading to potential data breaches, financial loss, and damage to the organization's reputation. From the DoD/CMMC perspective, ensuring CUI is encrypted on mobile devices is critical to protecting national security information and maintaining compliance with federal regulations.

✅ How to Implement

Ensure all mobile devices accessing cloud services have encryption enabled.
Use Mobile Device Management (MDM) solutions like Microsoft Intune or VMware Workspace ONE to enforce encryption policies.
Configure cloud applications to require encryption for data synchronization to mobile devices.
Regularly audit mobile device encryption status through cloud management consoles.
Provide training to users on how to maintain encryption on their devices.

⏱️

Estimated Effort

Implementation can take 2-3 days for initial setup and configuration, with ongoing maintenance requiring 1-2 hours per month. Skill level required: Intermediate IT knowledge.

📋 Evidence Examples

Encryption Policy Document

Format: PDF

Frequency: Annually

Contents: Policy detailing encryption requirements for mobile devices

Collection: Document review

Encryption Configuration Screenshots

Format: PNG/JPG

Frequency: Quarterly

Contents: Screenshots showing encryption settings on devices

Collection: System audit

Encryption Status Logs

Format: CSV/Log

Frequency: Monthly

Contents: Logs showing encryption status of all devices

Collection: Automated log export

Training Records

Format: Excel/PDF

Frequency: Annually

Contents: Records of employee training on encryption policies

Collection: HR records

Audit Report

Format: PDF

Frequency: Semi-annually

Contents: Report detailing encryption compliance status

Collection: Internal audit

📝 SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For AC.L2-3.1.19 ("Encrypt CUI on mobile devices and mobile computing platforms"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe how access to CUI systems is controlled, including the specific IAM tools, policies, and processes used. Reference your Access Control Policy and identify the systems in scope. Be specific -- name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"AC.L2-3.1.19 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to encrypt cui on mobile devices and mobile computing platforms. The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."

On-Premise

"AC.L2-3.1.19 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to encrypt cui on mobile devices and mobile computing platforms. Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."

Hybrid

"AC.L2-3.1.19 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

• Identify all access points to CUI systems (VPN, direct network, cloud portals)
• Document which IAM system manages access (Azure AD, AWS IAM, on-prem AD)
• Map user roles to system access levels
• Ensure this control covers all systems within your defined CUI boundary where encrypt cui on mobile devices and mobile computing platforms applies
• Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

📄 Access Control Policy
📄 IAM configuration documentation
📄 Access request and approval records
📄 Evidence artifacts specific to AC.L2-3.1.19
📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will verify that access controls are implemented as described, test whether unauthorized users are blocked, and review access logs for evidence of enforcement.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Do all mobile devices storing CUI have encryption enabled?

✅ YES → Proceed to next question

❌ NO → GAP: Enable encryption on all devices. Timeline: 1 week

Remediation:

Enable encryption using tools like BitLocker or FileVault.

Question 2: Is encryption enforced through a Mobile Device Management (MDM) solution?

✅ YES → Proceed to next question

❌ NO → GAP: Implement MDM solution. Timeline: 2 weeks

Remediation:

Deploy MDM solution like Microsoft Intune or VMware Workspace ONE.

Question 3: Are encryption policies documented and communicated to employees?

✅ YES → Proceed to next question

❌ NO → GAP: Document and communicate policies. Timeline: 1 week

Remediation:

Create and distribute encryption policy document.

Question 4: Are regular audits conducted to verify encryption compliance?

✅ YES → Proceed to next question

❌ NO → GAP: Schedule regular audits. Timeline: 1 month

Remediation:

Set up automated log exports and regular audits.

Question 5: Is employee training on encryption policies up-to-date?

✅ YES → Full compliance confirmed

❌ NO → GAP: Update training records. Timeline: 1 week

Remediation:

Conduct training sessions and update records.

⚠️ Common Mistakes (What Auditors Flag)

1. Not encrypting all mobile devices

Why this happens: Overlooking some devices or assuming encryption is enabled by default

How to avoid: Conduct a thorough inventory and verify encryption status on all devices.

2. Inconsistent enforcement of encryption policies

Why this happens: Lack of centralized management tools

How to avoid: Use MDM solutions to enforce policies uniformly.

3. Lack of documentation

Why this happens: Focusing solely on technical implementation

How to avoid: Document all policies and procedures related to encryption.

4. Failure to conduct regular audits

Why this happens: Assuming encryption is a one-time setup

How to avoid: Schedule and automate regular encryption status checks.

5. Inadequate employee training

Why this happens: Underestimating the importance of user awareness

How to avoid: Provide regular training sessions and updates on encryption policies.

📚 Parent Policy

This practice is governed by the Access Control Policy

View AC Policy →

📚 Related Controls

AC.L2-3.1.20 AC.L2-3.1.21 AC.L2-3.1.22