Access Control 3.1.19
Encrypt CUI on mobile devices and mobile computing platforms.[23]
What Is This CMMC Control?
Organizations must encrypt Controlled Unclassified Information (CUI) stored on mobile devices like smartphones, tablets, and laptops to prevent unauthorized access if the device is lost, stolen, or compromised. This encryption must protect CUI both at rest and during device operation.
Control Intent
Protect the confidentiality of CUI stored on mobile devices from unauthorized disclosure in the event of device loss, theft, or physical compromise.
Who This Control Applies To
- All mobile devices (smartphones, tablets, laptops) that store, process, or access CUI
- Mobile computing platforms used by employees, contractors, or third parties with CUI access
- Organization-owned and personally owned (BYOD) devices that handle CUI
- Removable storage media used with mobile devices containing CUI
Not Applicable When
- Mobile devices never store, process, or access CUI at any time
- Devices are used exclusively for non-CUI business functions, with technical controls preventing CUI access
- Thin clients or zero-client devices that store no local data and only provide remote access to CUI systems
Key Objectives
1. Ensure CUI stored on mobile devices is encrypted using FIPS-validated cryptographic modules.
2. Prevent unauthorized access to CUI if a mobile device is lost, stolen, or physically compromised.
3. Implement encryption that activates automatically and does not rely on user action to protect CUI.
Sample Self-Assessment Questions (Partial)
Do any employees, contractors, or third parties access CUI using smartphones, tablets, or laptops?
Are mobile devices configured to automatically encrypt all data stored on the device?
Implementation Approaches (High-Level)
Full-Device Encryption with MDM Enforcement
Enable and enforce full-device encryption (FileVault, BitLocker, Android encryption, iOS Data Protection) on all mobile devices with CUI access, managed and verified through MDM/UEM platforms.
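Verifying that full-device encryption is actually active, rather than merely available, is the part of this approach an assessor will probe. The following POSIX shell script is an added example, not from this page or any MDM vendor: it classifies a device as compliant, in-progress or non-compliant from the output of `fdesetup status` (macOS FileVault) or `manage-bde -status` (Windows BitLocker), distinguishing the still-converting and protection-suspended states that a simple on/off check misses. The output formats of those two commands are assumed from current OS versions.

```shell
#!/bin/sh
# Added example, not from the CMMC page or any MDM vendor: classify a
# device's full-disk-encryption state from the OS's native status output
# (FileVault on macOS, BitLocker on Windows) so an audit script can flag
# devices that are not actually protected. Parsing is separate from command
# execution so the classifiers can run on captured output.
# macOS: stdin is the output of `fdesetup status`.
classify_filevault() {
  out=$(cat | tr -d '\r')
  if printf '%s\n' "$out" | grep -q '^FileVault is On\.'; then
    # "On" but still converting: the volume is not fully protected yet.
    if printf '%s\n' "$out" | grep -qi 'Encryption in progress'; then
      echo in-progress
    else
      echo compliant
    fi
  else
    echo non-compliant   # Off, including pending "deferred enablement"
  fi
}

# Windows: stdin is the output of `manage-bde -status C:`. BitLocker can
# report "Fully Encrypted" while protection is suspended (Protection Off);
# only Protection On + Fully Encrypted counts as compliant.
classify_bitlocker() {
  out=$(cat | tr -d '\r')
  conv=$(printf '%s\n' "$out" | sed -n 's/^ *Conversion Status: *//p')
  prot=$(printf '%s\n' "$out" | sed -n 's/^ *Protection Status: *//p')
  case "$prot" in
    "Protection On")
      case "$conv" in
        "Fully Encrypted")        echo compliant ;;
        "Encryption in Progress") echo in-progress ;;
        *)                        echo non-compliant ;;
      esac ;;
    *) echo non-compliant ;;
  esac
}

# Live check on the current host when invoked as: sh check_fde.sh --live
if [ "${1:-}" = "--live" ]; then
  if command -v fdesetup >/dev/null 2>&1; then
    fdesetup status | classify_filevault
  elif command -v manage-bde.exe >/dev/null 2>&1; then
    manage-bde.exe -status C: | classify_bitlocker
  else
    echo "no supported encryption tool found" >&2; exit 2
  fi
fi
```

Feed the captured status output of each enrolled device into the matching classifier and treat anything other than `compliant` as a device to hold back from CUI access until remediated.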
Container-Based Encryption for BYOD
Deploy containerized applications or secure workspace solutions that encrypt only CUI-related data and applications, leaving personal data unencrypted on BYOD devices.
Hybrid Encryption with Conditional Access
Combine full-device encryption for organization-owned devices with container-based encryption for BYOD, enforced through conditional access policies that verify encryption before granting CUI access.
Removable Media Encryption
Encrypt removable storage media (SD cards, USB drives) used with mobile devices to store or transfer CUI, using hardware-encrypted devices or software encryption solutions.
Evidence & Assessment Notes
Expected Evidence
Organizations should maintain documentation and evidence demonstrating compliance with this control. This may include policy documentation, configuration records, audit logs, access reviews, and other relevant artifacts that show how the control is implemented and maintained.
Plan of Action & Milestones (POA&M)
- If full-device encryption cannot be immediately deployed, document interim compensating controls, such as restricting CUI access to containerized applications only.
- For legacy devices that cannot support FIPS-validated encryption, create a remediation plan with a timeline for device replacement or removal from CUI access.
- If MDM/UEM is not yet deployed, prioritize deployment and document the manual verification processes used in the interim.
- For BYOD programs without encryption enforcement, document a plan to either implement container-based encryption or prohibit BYOD access to CUI.
- If encryption is enabled but FIPS validation is uncertain, document a plan to verify cryptographic module compliance and replace non-compliant solutions.
- Include specific milestones: MDM deployment, policy configuration, device enrollment, compliance verification, and remediation of non-compliant devices.
- Address any exceptions or risk acceptances for devices that cannot meet encryption requirements.
Frequently Asked Questions
Does this control require encryption on all mobile devices, or only those that store CUI?
The control applies to mobile devices and mobile computing platforms that store, process, or access CUI. If a device never handles CUI and technical controls prevent CUI access, encryption is not required. However, if a device can access CUI systems (even through email or cloud applications), encryption is typically required to protect cached or downloaded CUI.
Is the built-in encryption on modern smartphones and tablets sufficient to meet this control?
Modern iOS and Android devices include built-in encryption that uses FIPS 140-2 validated cryptographic modules, which generally satisfies this control if properly enabled and enforced. However, organizations must verify encryption is enabled, cannot be disabled by users, and is enforced through MDM policies. Simply having encryption available is not sufficient without verification and enforcement.
Can we use container-based encryption instead of full-device encryption?
Yes, container-based encryption is explicitly mentioned in the supplemental guidance as an acceptable approach. This is particularly useful for BYOD scenarios where full-device encryption may not be feasible. However, organizations must ensure CUI is only accessed within encrypted containers and cannot leak to unencrypted device storage.
What happens if an employee refuses to enable encryption on their personal device used for work?
If BYOD devices are permitted to access CUI, encryption is mandatory and non-negotiable. Employees who refuse encryption must be blocked from accessing CUI on their personal devices. Organizations can offer alternatives such as providing organization-owned encrypted devices or restricting CUI access to desktop systems only.
Do we need to encrypt mobile devices if users only access CUI through web browsers or remote desktop?
Yes, encryption is still required because browsers and remote desktop clients typically cache data locally (cookies, temporary files, cached credentials, downloaded documents). Even if the primary CUI storage is remote, mobile devices may store CUI fragments locally that require encryption protection.
How do we verify that our mobile device encryption uses FIPS 140-2 validated cryptographic modules?
For commercial operating systems (iOS, Android, Windows, macOS), consult the NIST Cryptographic Module Validation Program (CMVP) database to verify the OS cryptographic modules are FIPS 140-2 validated. Most modern mobile operating systems include validated modules by default. For third-party encryption solutions, request FIPS validation certificates from the vendor and verify them against the CMVP database.
How ConformatIQ Helps With CMMC Readiness
ConformatIQ is an AI-assisted CMMC readiness platform designed to help organizations prepare for assessments more efficiently. The platform supports document generation such as SSPs and POA&Ms, guided readiness workflows, centralized evidence tracking, and interview preparation for assessments.
Information sourced from NIST SP 800-171 Rev. 2.