3.1.19—Access Control - Derived
Derived Requirement
Control Description
Encrypt CUI on mobile devices and mobile computing platforms.[23]
Discussion
Organizations can employ full-device encryption or container-based encryption to protect the confidentiality of CUI on mobile devices and computing platforms. Container-based encryption provides a more fine-grained approach to the encryption of data and information including encrypting selected data structures such as files, records, or fields. See [NIST CRYPTO].
[23] Mobile devices and computing platforms include, for example, smartphones and tablets.
Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What policies govern encryption of CUI on mobile devices?
- What procedures ensure mobile devices are properly encrypted?
- Who is responsible for enforcing mobile device encryption?
- What approval process exists for mobile device exemptions?
- How often are mobile device security controls reviewed?
Technical Implementation:
- What mobile device management (MDM) solution enforces encryption?
- How do you verify all mobile devices containing CUI are encrypted?
- What encryption standards are enforced for mobile devices?
- How do you prevent unencrypted mobile devices from accessing CUI?
- What controls detect and remediate unencrypted mobile devices?
Evidence & Documentation:
- Can you provide MDM reports showing device encryption status?
- What evidence demonstrates all CUI-accessing devices are encrypted?
- Can you show encryption policies pushed to mobile devices?
- What audit logs track mobile device compliance?
- What documentation proves encryption enforcement for mobile devices?