AC.L2-3.1.18: Control Mobile Device Connection
Mobile devices pose significant security risks when connecting to your network or systems containing CUI. CMMC AC.L2-3.1.18 requires organizations to actively control and monitor how mobile devices connect to protected resources. This control is essential for maintaining security posture across your infrastructure.
What this means
This control requires your organization to establish and enforce policies that govern how mobile devices—including smartphones, tablets, and laptops—connect to systems handling Controlled Unclassified Information (CUI). You must implement technical and administrative measures to authorize, monitor, and restrict mobile device access based on business need and security risk.
How to comply
- 1.Document a mobile device security policy that defines which devices can connect and under what conditions
- 2.Implement Mobile Device Management (MDM) or Mobile Application Management (MAM) solutions to enforce connection policies
- 3.Require device authentication (multi-factor authentication) before granting network access
- 4.Configure network access controls to restrict unapproved mobile devices from connecting to systems with CUI
- 5.Monitor and log all mobile device connections for audit and incident response purposes
- 6.Establish a mobile device inventory and maintain records of approved devices
- 7.Define procedures for immediate disconnection of compromised or non-compliant devices
- 8.Regularly review and update mobile device policies to address emerging threats
Evidence auditors look for
- Mobile device security policy with approved device list and connection requirements
- MDM/MAM configuration settings and enrollment records
- Multi-factor authentication logs and device authentication records
- Network access control rules restricting mobile device connections
- Mobile device connection logs and audit trails
- Device inventory spreadsheet with hardware details and approval dates
- Incident response procedures for compromised mobile devices
- Annual policy review documentation and updates
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates mobile device inventory tracking, policy enforcement logging, and connection audit trail management—so you can demonstrate continuous AC.L2-3.1.18 compliance without manual tracking.
See how GRCWatch handles this control automatically
Start free trial