Encrypt CUI on mobile devices and mobile computing platforms.
Discussion
Organizations can employ full-device encryption or container-based encryption to protect the confidentiality of CUI on mobile devices and computing platforms. Container-based encryption provides a more fine-grained approach to the encryption of data and information, including encrypting selected data structures such as files, records, or fields.
Ensure CUI is encrypted on all mobile devices and mobile computing platforms that process, store, or transmit CUI including smartphones, tablets, and e-readers.
Because the use of cryptography in this requirement is to protect the confidentiality of CUI, the cryptography used must meet the criteria specified in requirement SC.L2-3.13.11.
This requirement, AC.L2-3.1.19, specifies that CUI be encrypted on mobile devices and extends three other CUI protection requirements (MP.L2-3.8.1, MP.L2-3.8.2, and SC.L2-3.13.16):
- MP.L2-3.8.1 requires that media containing CUI be protected.
- MP.L2-3.8.2 limits access to CUI to authorized users.
- SC.L2-3.13.16 requires confidentiality of CUI at rest.
This requirement, AC.L2-3.1.19, also leverages SC.L2-3.13.11, which specifies that the algorithms used must be FIPS-validated cryptography, and SC.L2-3.13.10, which specifies that any cryptographic keys in use must be protected.
You are in charge of mobile device security for a company that processes CUI. You configure all laptops to use the full-disk encryption technology built into the operating system. This approach is FIPS-validated and encrypts all files, folders, and volumes.
Phones and tablets pose a greater technical challenge with their wide range of manufacturers and operating systems. You select a proprietary mobile device management (MDM) solution to enforce FIPS-validated encryption on those devices [a,b].
Potential Assessment Considerations
- Is a list maintained of mobile devices and mobile computing platforms that are permitted to process, store, or transmit CUI [a]?
- Is CUI encrypted on mobile devices using FIPS-validated algorithms [b]?
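As an added example, not part of the CMMC guide, the following check reconciles an MDM inventory export against the maintained list of devices authorized to handle CUI and reports gaps against objectives [a] and [b]. The export field names, device IDs and the `fips_mode` flag are constructed assumptions, not any vendor's schema.

```python
"""Evidence check for AC.L2-3.1.19 objectives [a] and [b] (added example, assumed format).

[a]: a list of devices permitted to process, store or transmit CUI is maintained.
[b]: CUI on those devices is encrypted with FIPS-validated cryptography.
"""
from dataclasses import dataclass

# Constructed sample MDM export; field names are assumptions, not any vendor's schema.
MDM_EXPORT = [
    {"device_id": "TAB-001", "encrypted": True, "fips_mode": True, "cui_allowed": True},
    {"device_id": "PHN-002", "encrypted": True, "fips_mode": False, "cui_allowed": True},
    {"device_id": "PHN-003", "encrypted": False, "fips_mode": False, "cui_allowed": True},
    {"device_id": "RDR-004", "encrypted": True, "fips_mode": True, "cui_allowed": False},
    {"device_id": "LAP-005", "encrypted": True, "fips_mode": True, "cui_allowed": True},
]

# Constructed: the organization's maintained list of devices permitted to handle CUI [a].
AUTHORIZED_CUI_DEVICES = {"TAB-001", "PHN-002", "LAP-005", "PHN-006"}


@dataclass(frozen=True)
class Finding:
    device_id: str
    objective: str  # "a" or "b", matching the assessment objectives above
    detail: str


def assess(export, authorized):
    """Return findings for the export; an empty list means [a] and [b] are both met."""
    findings = []
    for dev in export:
        did = dev["device_id"]
        if not dev["cui_allowed"]:
            continue  # device carries no CUI, so neither objective applies to it
        if did not in authorized:
            findings.append(Finding(did, "a", "handles CUI but is not on the authorized list"))
        if not dev["encrypted"]:
            findings.append(Finding(did, "b", "CUI device is not encrypted"))
        elif not dev["fips_mode"]:
            # Encrypted, but not by a FIPS-validated module as SC.L2-3.13.11 requires.
            findings.append(Finding(did, "b", "encryption is not FIPS-validated"))
    # Reconcile the other direction: an authorized device that MDM has never seen
    # cannot have its encryption state verified, so it is reported under [a].
    enrolled = {d["device_id"] for d in export}
    for did in sorted(authorized - enrolled):
        findings.append(Finding(did, "a", "on the authorized list but not enrolled in MDM"))
    return findings
```

Run `assess(MDM_EXPORT, AUTHORIZED_CUI_DEVICES)` to list the findings; each one maps directly to the assessment objective it fails.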