AC.L2-3.1.19

  • Requirement

    Encrypt CUI on mobile devices and mobile computing platforms.

  • Discussion

    Organizations can employ full-device encryption or container-based encryption to protect the confidentiality of CUI on mobile devices and computing platforms. Container-based encryption provides a more fine-grained approach to the encryption of data and information including encrypting selected data structures such as files, records, or fields.

More Info

  • Title

    Encrypt CUI on Mobile
  • Domain

    Access Control
  • CMMC Level

    2
  • Related NIST 800-171 ID

  • Related NIST 800-53 ID

    AC-19(5)

  • DoD Scoring Methodology Points

    3

  • Reference Documents

    • N/A

  • Further Discussion

    Ensure CUI is encrypted on all mobile devices and mobile computing platforms that process, store, or transmit CUI including smartphones, tablets, and e-readers.

    Because the use of cryptography in this requirement is to protect the confidentiality of CUI, the cryptography used must meet the criteria specified in requirement SC.L2-3.13.11.

    This requirement, AC.L2-3.1.19, specifies that CUI be encrypted on mobile devices and extends three other CUI protection requirements (MP.L2-3.8.1, MP.L2-3.8.2, and SC.L2-3.13.16):

    • MP.L2-3.8.1 requires that media containing CUI be protected.
    • MP.L2-3.8.2 limits access to CUI to authorized users.
    • Finally, SC.L2-3.13.16 requires confidentiality of CUI at rest.

    This requirement, AC.L2-3.1.19, also leverages SC.L2-3.13.11, which specifies that the algorithms used must be FIPS-validated cryptography, and SC.L2-3.13.10, which specifies that any cryptographic keys in use must be protected.

    Example

    You are in charge of mobile device security for a company that processes CUI. You configure all laptops to use the full-disk encryption technology built into the operating system. This approach is FIPS-validated and encrypts all files, folders, and volumes.

    Phones and tablets pose a greater technical challenge with their wide range of manufacturers and operating systems. You select a proprietary mobile device management (MDM) solution to enforce FIPS-validated encryption on those devices [a,b].
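The laptop half of the scenario above can be checked rather than assumed. The following POSIX shell script is an added example, not part of the CMMC practice text or of this page, and it covers only the Linux case of "full-disk encryption built into the operating system": it verifies that the root filesystem sits on a device-mapper node, that the LUKS volume behind it uses AES in XTS mode with an effective 256-bit key, and that the kernel's FIPS mode flag is set. The `cryptsetup status` output embedded in it is constructed sample text. One caveat a reviewer should keep in mind: a FIPS-approved algorithm plus kernel FIPS mode is necessary but not sufficient for "FIPS-validated"; validation attaches to a specific module version on a CMVP certificate, so the distribution's certificate still has to be matched against the installed kernel and crypto packages by hand.

```shell
#!/bin/sh
# Added example (not from the CMMC page): audit a Linux laptop's built-in
# full-disk encryption (dm-crypt/LUKS) as a check for AC.L2-3.1.19 [b].
# The parsing is split into functions that take command output as text so
# the checks can be run offline against constructed samples.

# Return 0 if `cryptsetup status <name>` output ($1) describes a LUKS volume
# using aes-xts-plain64 with an effective 256-bit key. XTS consumes two keys,
# so "keysize: 512 bits" is AES-256 while "keysize: 256 bits" is only AES-128.
luks_cipher_ok() {
    _type=$(printf '%s\n' "$1" | awk '$1=="type:" {print $2; exit}')
    _cipher=$(printf '%s\n' "$1" | awk '$1=="cipher:" {print $2; exit}')
    _keysize=$(printf '%s\n' "$1" | awk '$1=="keysize:" {print $2; exit}')
    case "$_type" in LUKS1|LUKS2) ;; *) return 1 ;; esac
    case "$_cipher" in aes-xts-plain64) ;; *) return 1 ;; esac
    [ -n "$_keysize" ] && [ "$_keysize" -ge 512 ]
}

# Return 0 if the kernel reports FIPS mode ($1 is the content of
# /proc/sys/crypto/fips_enabled). Distribution FIPS profiles set this flag;
# it does not by itself prove the running module is the validated version.
kernel_fips_enabled() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# Return 0 if the `findmnt -no SOURCE /` output ($1) is a device-mapper node,
# i.e. "/" is not mounted straight from a plaintext partition.
root_on_mapper() {
    case "$1" in /dev/mapper/*|/dev/dm-*) return 0 ;; *) return 1 ;; esac
}

# Strip the /dev/mapper/ prefix to get the name cryptsetup expects.
mapper_name() {
    printf '%s\n' "${1#/dev/mapper/}"
}

# Live audit of this host: prints PASS/FAIL per check, returns nonzero on any
# failure. Needs root for cryptsetup. Only the top mapper layer is inspected;
# an LVM-on-LUKS stack would report FAIL here and needs lsblk to walk down.
audit_root_fde() {
    _rc=0
    if ! _src=$(findmnt -no SOURCE / 2>/dev/null); then
        echo "FAIL: cannot resolve the device behind /"
        return 1
    fi
    if root_on_mapper "$_src"; then
        echo "PASS: / is on device-mapper node $_src"
        _status=$(cryptsetup status "$(mapper_name "$_src")" 2>/dev/null)
        if luks_cipher_ok "$_status"; then
            echo "PASS: LUKS volume uses aes-xts-plain64 with a 512-bit XTS key"
        else
            echo "FAIL: volume is not LUKS, or cipher/keysize not acceptable"
            _rc=1
        fi
    else
        echo "FAIL: / is on plaintext device $_src"
        _rc=1
    fi
    if kernel_fips_enabled "$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)"; then
        echo "PASS: kernel FIPS mode enabled"
    else
        echo "FAIL: kernel FIPS mode not enabled"
        _rc=1
    fi
    return $_rc
}

# Constructed sample of `cryptsetup status cryptroot` output for offline runs.
SAMPLE_STATUS='/dev/mapper/cryptroot is active and is in use.
  type:    LUKS2
  cipher:  aes-xts-plain64
  keysize: 512 bits
  key location: keyring
  device:  /dev/nvme0n1p3'

# Set FDE_AUDIT_LIVE=1 to audit the real host; otherwise exercise the sample.
if [ "${FDE_AUDIT_LIVE:-0}" = "1" ]; then
    audit_root_fde
else
    if luks_cipher_ok "$SAMPLE_STATUS"; then
        echo "sample: cipher and keysize acceptable"
    else
        echo "sample: cipher or keysize not acceptable"
    fi
fi
```

Run it as `FDE_AUDIT_LIVE=1 sudo sh fde_audit.sh` on a laptop to get the live PASS/FAIL lines; without the variable it only evaluates the embedded sample. The keysize test is the part most often got wrong in an assessment: a LUKS volume created with `--key-size 256` in XTS mode is AES-128, which still passes a naive "is it AES?" check.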

    Potential Assessment Considerations

    • Is a list maintained of mobile devices and mobile computing platforms that are permitted to process, store, or transmit CUI [a]?
    • Is CUI encrypted on mobile devices using FIPS-validated algorithms [b]?
