CIS Control 3.6: Encrypt Data on End-User Devices
End-user devices are primary targets for data theft and breach. CIS Control 3.6 requires encryption of sensitive data at rest on laptops, desktops, and mobile devices to prevent unauthorized access if hardware is lost or compromised. This control is foundational for any organization handling regulated data.
What this means
Control 3.6 mandates full-disk or partition encryption on all end-user devices that store, process, or access sensitive data. This ensures that even if a device is physically stolen or accessed without authorization, encrypted data remains unreadable without the decryption key. Common implementations include Windows BitLocker for enterprise environments, Apple FileVault for macOS systems, and Linux dm-crypt for Linux distributions. Encryption must be enabled by default and managed centrally where possible.
How to comply
- 1.Enable BitLocker on all Windows endpoints via Group Policy or Mobile Device Management (MDM)
- 2.Activate FileVault 2 on all macOS devices and enforce recovery key escrow
- 3.Configure dm-crypt or LUKS encryption on Linux systems during OS deployment
- 4.Ensure encryption keys are generated securely and not stored on the encrypted device
- 5.Implement centralized key management or recovery processes for lost passphrases
- 6.Verify encryption status across all devices through regular audits and compliance reports
- 7.Document encryption configurations and maintain an inventory of encrypted vs. unencrypted endpoints
Evidence auditors look for
- Enabled BitLocker status report showing percentage of compliant Windows devices
- FileVault activation screenshot with recovery keys securely stored in MDM platform
- Group Policy Objects (GPOs) configured to enforce encryption at device enrollment
- Mobile Device Management (MDM) compliance dashboard showing encryption compliance by OS
- Third-party encryption audit reports verifying full-disk encryption across endpoints
- Device inventory spreadsheet documenting encryption method and status per device
- Incident response logs showing encrypted device recovery procedures
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically detects unencrypted devices across your fleet, generates compliance evidence for audits, and tracks encryption status in a single dashboard—eliminating manual device inventories and spreadsheet management.
See how GRCWatch handles this control automatically
Start free trial