AC.L2-3.1.19: Encrypt CUI on Mobile Devices & Computing Platforms
Mobile devices present unique data security challenges under CMMC Level 2 requirements. Control AC.L2-3.1.19 mandates encryption of all Controlled Unclassified Information (CUI) stored and transmitted on mobile platforms. This control protects your organization's sensitive data if devices are lost, stolen, or compromised.
What this means
This control requires you to encrypt CUI wherever it resides on mobile devices and mobile computing platforms. Mobile devices include smartphones, tablets, laptops, and any portable computing system that may access or store CUI. Encryption must protect data both at rest (stored on the device) and in transit (transmitted over networks). The encryption standards should be cryptographically strong and consistent with NIST standards for data protection.
How to comply
- 1.Identify all mobile devices and platforms that access, process, or store CUI in your organization
- 2.Deploy full-disk or partition-level encryption on all authorized mobile devices
- 3.Implement application-level encryption for CUI within specific applications and cloud services
- 4.Configure mobile device management (MDM) solutions to enforce encryption policies across devices
- 5.Establish encryption key management procedures aligned with NIST standards
- 6.Document encryption algorithms, key lengths, and implementation details in your security plan
- 7.Test encryption configurations periodically to ensure effective data protection
- 8.Provide training to employees on proper mobile device security and encryption requirements
Evidence auditors look for
- Mobile Device Management (MDM) policy documents requiring encryption of all corporate devices
- Screenshots of encryption settings enabled on iOS, Android, Windows, and macOS devices
- Configuration audit logs showing full-disk encryption or FileVault enabled on company laptops
- BitLocker or similar encryption tool deployment reports from your IT infrastructure
- Encryption key management procedures and access control documentation
- Mobile application security assessments confirming CUI encryption in transit and at rest
- Inventory of all mobile devices with encryption status verification records
- Employee acknowledgment records for mobile device security policies
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically discovers and monitors encryption status across all mobile devices in your environment, tracks compliance gaps in real-time, and generates audit-ready evidence for your CMMC assessment—eliminating manual device audits.
See how GRCWatch handles this control automatically
Start free trial