AC.L2-3.1.19 Encrypt CUI on Mobile

Encrypt CUI on mobile devices and mobile computing platforms.

Source: NIST SP 800-171 Rev 2 3.1.19

Discussion: Organizations can employ full-device encryption or container-based encryption to protect the confidentiality of CUI on mobile devices and computing platforms. Container-based encryption provides a more fine-grained approach to the encryption of data and information including encrypting selected data structures such as files, records, or fields. See [NIST CRYPTO]. [23] Mobile devices and computing platforms include, for example, smartphones and tablets.

Assessment Objectives:

Determine if:

Examine: [SELECT FROM: Access control policy; procedures addressing access control for mobile devices; system design documentation; system configuration settings and associated documentation; encryption mechanisms and associated configuration documentation; security plan; system audit logs and records; other relevant documents or records].

Interview: [SELECT FROM: Personnel with access control responsibilities for mobile devices; system or network administrators; personnel with information security responsibilities].

Test: [SELECT FROM: Encryption mechanisms protecting confidentiality of information on mobile devices].

SPRS Score: 3

POA&M Allowed: No