What Is This CMMC Control?
This control corresponds to NIST SP 800-171 Rev. 2 requirement 3.1.18, "Control connection of mobile devices" (CMMC practice AC.L2-3.1.18). Organizations must establish and enforce policies and technical controls that govern how mobile devices (smartphones, tablets, e-readers) connect to and interact with systems that process, store, or transmit CUI. This includes defining which devices are allowed, how they are identified and authenticated, what security configurations they must have, and what restrictions apply to their use. The control recognizes that mobile devices present unique security challenges due to their portability, wireless capabilities, and diverse technical characteristics.
Control Intent
To mitigate risks associated with mobile devices accessing organizational systems and CUI, including unauthorized access, malware introduction, data leakage, and loss or theft of devices containing sensitive information.
Who This Control Applies To
- Organizations that allow any mobile devices (employee-owned or organization-issued) to connect to systems processing CUI
- Environments where mobile devices access email, file shares, applications, or networks containing CUI
- Remote access scenarios where mobile devices serve as endpoints for VPN or remote desktop connections
- BYOD (Bring Your Own Device) programs where personal devices access organizational resources
- Organizations using mobile device management (MDM) or enterprise mobility management (EMM) solutions
Not Applicable When
- No mobile devices of any kind are permitted to connect to systems processing CUI (complete prohibition enforced technically)
- The organization has no systems that process, store, or transmit CUI
- Mobile devices exist but have no technical capability to connect to any CUI systems (air-gapped environments with enforced physical controls)
Key Objectives
1. Prevent unauthorized mobile devices from connecting to systems processing CUI
2. Ensure mobile devices connecting to CUI systems meet minimum security configuration requirements
3. Protect CUI from unauthorized disclosure or compromise through mobile device vulnerabilities
4. Maintain visibility and control over mobile device connections to organizational resources
Sample Self-Assessment Questions (Partial)
Are mobile devices (smartphones, tablets, e-readers) allowed to connect to your organization's systems or networks?
Do employees use mobile devices to access work email, files, or applications?
Implementation Approaches (High-Level)
Mobile Device Management (MDM) with Conditional Access
Deploy an MDM/EMM solution that enforces device compliance (enrollment, OS version, storage encryption, no jailbreak/root, recent check-in) before allowing a connection to CUI systems. Integrate it with the identity provider and network access controls so that conditional access policies evaluate device state, not just user credentials.
Network Access Control (NAC) with Device Profiling
Use a NAC solution to identify, profile, and control mobile device connections at the network layer. Assign non-compliant or unknown mobile devices to a restricted remediation VLAN, or deny access outright, based on device type and compliance status.
Application-Level Mobile Access Management
Control mobile device access at the application layer using mobile application management (MAM) and per-app VPN. Focus on securing the specific applications that handle CUI rather than the entire device.
Certificate-Based Device Authentication
Issue a unique digital certificate to each authorized mobile device and require certificate-based authentication for all connections to CUI systems. Generate the private key in the device's hardware-backed keystore as non-exportable, so the certificate cannot be copied to an unenrolled device, and revoke the certificate as soon as the device is lost, retired, or unenrolled.
Mobile Device Prohibition with Compensating Controls
Completely prohibit mobile device connections to CUI systems and provide alternative access methods for legitimate mobile workforce needs.
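The following is an added example, not code from ConformatIQ, NIST, or any MDM or NAC vendor. It shows the decision logic that the MDM conditional-access, NAC, and certificate-based approaches above share: a connection attempt identifies the device, the device is checked against the enrolled inventory and its latest MDM posture, and the result is an allow, a remediation VLAN, or a deny, with a log line for each decision. All field names, VLAN numbers, the OS baseline, the posture-age limit, and the sample inventory are assumptions constructed for the example; the TLS terminator is assumed to have already validated the device certificate chain and to hand over only its SHA-256 fingerprint.

```python
"""Device posture gate for mobile connections to CUI systems (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Policy baseline: assumptions for this example, take real values from your SSP.
MIN_OS_VERSION = {"ios": (17, 0), "android": (14, 0)}
MAX_POSTURE_AGE = timedelta(hours=24)      # older posture reports are not trusted
VLAN_CUI, VLAN_REMEDIATION, VLAN_NONE = 10, 99, 0   # hypothetical VLAN ids


@dataclass
class Posture:
    """Latest compliance report for one device, as an MDM export might carry it."""
    platform: str
    os_version: str
    encrypted: bool
    jailbroken: bool          # jailbroken (iOS) or rooted (Android)
    last_checkin: datetime


@dataclass
class Decision:
    device_id: str
    verdict: str              # "allow", "restricted" or "deny"
    vlan: int
    reasons: list


def parse_version(version: str) -> tuple:
    """'17.5.1' -> (17, 5, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def evaluate(device_id, presented_fingerprint, inventory, posture_db, now) -> Decision:
    """Gate one connection attempt.

    inventory maps enrolled device ids to the SHA-256 fingerprint of the
    certificate issued to that device. Hard failures deny; soft failures
    land the device on the remediation VLAN; any hard failure wins.
    """
    hard, soft = [], []
    expected = inventory.get(device_id)
    if expected is None:
        hard.append("device not in enrolled inventory")
    elif presented_fingerprint.lower() != expected.lower():
        hard.append("presented certificate does not match enrolled device")
    posture = posture_db.get(device_id)
    if posture is None:
        hard.append("no MDM posture on record")
    else:
        if posture.jailbroken:
            hard.append("device is jailbroken/rooted")
        if not posture.encrypted:
            hard.append("device storage not encrypted")
        if posture.platform not in MIN_OS_VERSION:
            hard.append(f"unsupported platform {posture.platform}")
        elif parse_version(posture.os_version) < MIN_OS_VERSION[posture.platform]:
            soft.append(f"OS {posture.os_version} below baseline")
        if now - posture.last_checkin > MAX_POSTURE_AGE:
            soft.append("posture report stale")
    if hard:
        return Decision(device_id, "deny", VLAN_NONE, hard + soft)
    if soft:
        return Decision(device_id, "restricted", VLAN_REMEDIATION, soft)
    return Decision(device_id, "allow", VLAN_CUI, [])


def log_line(decision: Decision, now: datetime) -> str:
    """One structured line per decision, for the monitoring and logging objective."""
    return (f"{now.isoformat()} mobile_access device={decision.device_id} "
            f"verdict={decision.verdict} vlan={decision.vlan} "
            f"reasons={';'.join(decision.reasons) or '-'}")


# Constructed sample data: three enrolled devices and their latest posture.
NOW = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
INVENTORY = {
    "ipad-0042": "aa11" * 16,     # placeholder fingerprints, not real certs
    "pixel-0107": "bb22" * 16,
    "iphone-0311": "cc33" * 16,
}
POSTURE_DB = {
    "ipad-0042": Posture("ios", "17.5.1", True, False, NOW - timedelta(hours=2)),
    "pixel-0107": Posture("android", "14.0", True, True, NOW - timedelta(hours=1)),
    "iphone-0311": Posture("ios", "16.7", True, False, NOW - timedelta(days=3)),
}

if __name__ == "__main__":
    attempts = [("ipad-0042", "aa11" * 16), ("pixel-0107", "bb22" * 16),
                ("iphone-0311", "cc33" * 16), ("kindle-9999", "dd44" * 16),
                ("ipad-0042", "ff00" * 16)]   # last one: cloned id, wrong cert
    for device_id, fingerprint in attempts:
        print(log_line(evaluate(device_id, fingerprint, INVENTORY, POSTURE_DB, NOW), NOW))
```

The split between hard and soft failures is the practical point: a rooted device or an unknown certificate is denied outright, while an out-of-date OS or a missed check-in only costs the device its CUI VLAN until it remediates, which keeps the policy enforceable without making every minor drift an outage. The same decision record is what you retain as evidence that connections are authorized and logged.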
Evidence & Assessment Notes
Expected Evidence
Organizations should maintain documentation and evidence demonstrating compliance with this control. This may include policy documentation, configuration records, audit logs, access reviews, and other relevant artifacts that show how the control is implemented and maintained.
Plan of Action & Milestones (POA&M)
- If mobile devices currently connect without MDM or technical controls, create a POA&M for MDM implementation with a milestone for enrollment of all devices within 90-180 days.
- If BYOD is permitted without adequate controls, create a POA&M for either implementing MAM/containerization or transitioning to corporate-owned devices.
- If the mobile device inventory is incomplete, create a POA&M for discovery and cataloging of all mobile devices with access to CUI systems.
- If remote wipe capability does not exist, create a POA&M for implementing MDM with remote wipe within 60-90 days.
- If mobile devices are not required to meet minimum security configurations, create a POA&M for defining and enforcing baseline requirements.
- If conditional access or NAC is not implemented, create a POA&M for technical enforcement of mobile device restrictions.
- If jailbroken/rooted devices are not detected and blocked, create a POA&M for implementing detection and blocking mechanisms.
- If mobile device connections are not logged or monitored, create a POA&M for implementing logging and periodic review.
- Compensating controls for the POA&M period may include: restricting mobile device access to non-CUI systems only, requiring VPN with MFA for all mobile connections, enhanced monitoring of mobile device activities, or temporary prohibition of mobile device connections until controls are implemented.
- The POA&M should address both technical implementation and policy/procedure development.
- Consider a phased approach: pilot MDM with a small user group, expand to all users, then enforce compliance requirements.
- Include user training and change management in the POA&M timeline, as mobile device controls often face user resistance.
Frequently Asked Questions
Does this control require us to prohibit all mobile devices from accessing our systems?
No. The control requires you to 'control' mobile device connections, not necessarily prohibit them. You must establish and enforce policies and technical controls that govern how mobile devices connect and what security requirements they must meet. Complete prohibition is one acceptable approach, but most organizations implement MDM or similar controls to allow secure mobile device access.
Do we need MDM if we only allow a few mobile devices to access email?
While MDM is the most common implementation, the control does not explicitly require it. However, you must have some technical mechanism to enforce your mobile device security requirements. For small numbers of devices, alternatives might include certificate-based authentication, network access control, or application-level controls. Policy alone without technical enforcement is insufficient.
Are personal devices (BYOD) allowed under this control?
The control does not prohibit BYOD, but it requires the same level of control over personal devices as corporate-owned devices. If you allow BYOD, you must implement controls such as MDM, MAM, or containerization to protect CUI and enforce security requirements. Many organizations find BYOD more challenging to control and opt for corporate-owned devices only.
What happens if an employee loses their mobile device that accesses CUI?
You must be able to remotely wipe or disable the device to prevent unauthorized access to CUI. This is typically accomplished through MDM remote wipe functionality. Remote wipe is not named in the control text itself, but it is the standard means of meeting the control's intent for a lost device and assessors expect to see it. You should also have an incident response process for lost/stolen devices that includes immediate revocation of the device's access credentials and certificate, confirmation that the wipe completed or the device was blocked, and a record of whether CUI on the device was encrypted.
Do tablets and e-readers fall under this control even if they are not phones?
Yes. The control explicitly includes tablets and e-readers in its definition of mobile devices. Any computing device with a small form factor, wireless capability, local data storage, and self-contained power source is considered a mobile device regardless of whether it has voice communication capabilities.
Can we allow mobile devices to connect via VPN without other controls?
VPN alone is insufficient. While VPN provides encrypted transport, it does not address the mobile device-specific risks this control targets (device loss/theft, malware, unauthorized apps, lack of encryption, etc.). You must implement additional controls such as device compliance verification, security configuration enforcement, and remote wipe capability even when VPN is used.
How ConformatIQ Helps With CMMC Readiness
ConformatIQ is an AI-assisted CMMC readiness platform designed to help organizations prepare for assessments more efficiently. The platform supports document generation such as SSPs and POA&Ms, guided readiness workflows, centralized evidence tracking, and interview preparation for assessments.
Information sourced from NIST SP 800-171 Rev. 2.