AC.L2-3.1.19 Encrypt CUI on Mobile
Encrypt CUI on mobile devices and mobile computing platforms.
Source: NIST SP 800-171 Rev 2 3.1.19
Discussion: Organizations can employ full-device encryption or container-based encryption to protect the confidentiality of CUI on mobile devices and computing platforms. Container-based encryption provides a more fine-grained approach to the encryption of data and information, including encrypting selected data structures such as files, records, or fields. See [NIST CRYPTO]. [23] Mobile devices and computing platforms include, for example, smartphones and tablets.
Assessment Objectives:
Determine if:
- [a] mobile devices and mobile computing platforms that process, store, or transmit CUI are identified; and
- [b] encryption is employed to protect CUI on identified mobile devices and mobile computing platforms.
Examine: [SELECT FROM: Access control policy; procedures addressing access control for mobile devices; system design documentation; system configuration settings and associated documentation; encryption mechanisms and associated configuration documentation; security plan; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: Personnel with access control responsibilities for mobile devices; system or network administrators; personnel with information security responsibilities].
Test: [SELECT FROM: Encryption mechanisms protecting confidentiality of information on mobile devices].
SPRS Score: 3
POA&M Allowed: No