GRCWatch
Sign inStart free trial

NIST 800-171 Control 3.1.19: Encrypt CUI on Mobile Devices

Control 3.1.19 requires encryption of Controlled Unclassified Information (CUI) on all mobile devices and computing platforms. For SMBs handling sensitive government or contractual data, mobile encryption isn't optional—it's a mandatory safeguard against unauthorized access during device loss or theft. This control ensures your organization protects CUI wherever work happens.

What this means

This control mandates that any mobile device or mobile computing platform storing, processing, or transmitting CUI must have encryption enabled. This includes smartphones, tablets, laptops used in the field, and any portable computing systems. Encryption must be strong enough to render CUI unreadable without the correct decryption key, protecting data both at rest and during transmission when devices connect to networks.

How to comply

  1. 1.Inventory all mobile devices and platforms that access, store, or process CUI
  2. 2.Deploy mobile device management (MDM) solutions to enforce encryption policies across all devices
  3. 3.Enable full-disk or file-level encryption on all mobile devices using FIPS 140-2 validated algorithms
  4. 4.Implement encryption key management practices with secure storage of encryption keys separate from encrypted data
  5. 5.Configure automatic lock and encryption activation for devices left idle
  6. 6.Document encryption configurations, algorithms used, and key management procedures in your security plan
  7. 7.Test encryption effectiveness regularly through vulnerability assessments and penetration testing
  8. 8.Train users on mobile security protocols and the importance of maintaining device encryption

Evidence auditors look for

  • Mobile device management (MDM) policy documents showing encryption mandates for all device types
  • Screenshots of MDM console showing encryption status enabled across enrolled devices
  • Device configuration reports confirming AES-256 or equivalent encryption enabled
  • Encryption key management procedures and audit logs showing secure key storage
  • Mobile security procedures documentation listing encryption as a required control
  • Device audit logs showing encryption is active and cannot be disabled by end users
  • Inventory spreadsheet of all mobile devices with encryption status and algorithm details
  • Third-party vulnerability assessment reports confirming mobile device encryption compliance

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates mobile device encryption monitoring across your entire fleet, tracks encryption status in real-time, and generates audit-ready compliance evidence—eliminating manual MDM audits and device inventory management.

See how GRCWatch handles this control automatically

Start free trial

Related controls

3.1.1 — System Boundary Protection3.1.2 — Access Control Lists3.1.13 — Cryptographic Key Management3.2.1 — Audit Records3.4.1 — Security Awareness Training