AC.L2-3.1.19

Ensure CUI is encrypted on all mobile devices and mobile computing platforms that process, store, or transmit CUI including smartphones, tablets, and e-readers.

Because the use of cryptography in this requirement is to protect the confidentiality of CUI, the cryptography used must meet the criteria specified in requirement SC.L2-3.13.11.

This requirement, AC.L2-3.1.19, specifies that CUI be encrypted on mobile devices and extends three other CUI protection requirements (MP.L2-3.8.1, MP.L2-3.8.2, and SC.L2-3.13.16):

• MP.L2-3.8.1 requires that media containing CUI be protected.
• MP.L2-3.8.2 limits access to CUI to authorized users.
• Finally, SC.L2-3.13.16 requires confidentiality of CUI at rest.

This requirement, AC.L2-3.1.19, also leverages SC.L2-3.13.11, which specifies that the algorithms used must be FIPS-validated cryptography, and SC.L2-3.13.10, which specifies that any cryptographic keys in use must be protected.

Example

You are in charge of mobile device security for a company that processes CUI. You configure all laptops to use the full-disk encryption technology built into the operating system. This approach is FIPS-validated and encrypts all files, folders, and volumes.

Phones and tablets pose a greater technical challenge with their wide range of manufacturers and operating systems. You select a proprietary mobile device management (MDM) solution to enforce FIPS-validated encryption on those devices [a,b].

Potential Assessment Considerations

• Is a list maintained of mobile devices and mobile computing platforms that are permitted to process, store, or transmit CUI [a]?
• Is CUI encrypted on mobile devices using FIPS-validated algorithms [b]?