NIST 800-171 • LEVEL 2 • ACCESS CONTROL

3.1.18 Access Control for Mobile Devices

Establish usage restrictions, configuration requirements, and connection requirements for mobile devices. Authorize the connection of mobile devices to the system. Implement full-device or container-based encryption to protect the confidentiality of CUI on mobile devices.

CMMC Practice Mapping

NIST 800-53 Controls

Assessment Objectives

  • usage restrictions are established for mobile devices.
  • configuration requirements are established for mobile devices.
  • connection requirements are established for mobile devices.
  • the connection of mobile devices to the system is authorized.
  • full-device or container-based encryption is implemented to protect the confidentiality of CUI on mobile devices.

Practitioner Notes

Phones, tablets, and laptops that leave the building are easy to lose or steal. If those devices touch CUI, they need to be managed, encrypted, and controlled, and the connection of each one to the system needs to be explicitly authorized. Letting employees check work email on personal phones without guardrails does not meet this requirement.

Example 1: Enroll all company mobile devices in Microsoft Intune (formerly Microsoft Endpoint Manager). In the Intune admin center, go to Devices → Compliance → Create policy and, per platform, require storage encryption (on Windows that is the BitLocker and "encryption of data storage" settings; on iOS/iPadOS there is no separate encryption switch because data protection is tied to the passcode, so requiring a passcode is the encryption control), a minimum OS version, and a device PIN of at least 6 digits. A compliance policy by itself only marks a device compliant or non-compliant; to actually block non-compliant devices from company email and SharePoint you also need a Microsoft Entra Conditional Access policy that requires a compliant device for those apps. Assign both policies to the group of users who handle CUI; an unassigned policy evaluates nothing.

Example 2: Write a Mobile Device Policy that prohibits the use of personal (BYOD) devices for CUI. For company-issued devices, configure Intune App Protection Policies under Apps → App protection policies → Create policy and set the data transfer settings so that cut, copy, paste, and "send to" actions from managed apps (like Outlook) are restricted to other policy-managed apps and never reach unmanaged apps (like personal WhatsApp). App protection policies also encrypt managed app data on the device; that is the "container-based encryption" the control allows, and it belongs alongside full-device encryption, not in place of it. Confirm that the remote Wipe and Retire device actions (and selective wipe of managed app data) are available for every enrolled device, and test them before you need them in an incident.
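The two examples above are clickpaths. Below is an added, scripted version of Example 1 (it is not from this page or from Microsoft) that creates the per-platform compliance policies and the Conditional Access policy that enforces them, using the Microsoft Graph PowerShell SDK. The group ID, policy names, and OS version floors are placeholders to replace for your tenant; the Intune calls use the Graph beta endpoint because the fully managed Android policy type lives there.

```powershell
# Added example, not the page's own content: Intune compliance policies for 3.1.18
# plus the Conditional Access policy that blocks non-compliant devices.
# Prerequisite: Install-Module Microsoft.Graph (the Authentication module supplies
# Connect-MgGraph and Invoke-MgGraphRequest).
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All',
                        'Policy.ReadWrite.ConditionalAccess' -NoWelcome

$intune = 'https://graph.microsoft.com/beta'   # androidDeviceOwnerCompliancePolicy is beta-only
$graph  = 'https://graph.microsoft.com/v1.0'
$cuiUsersGroupId = '00000000-0000-0000-0000-000000000000'   # ASSUMED: group of CUI-handling users

# Graph rejects a compliance policy that has no scheduled action for its rule.
# actionType 'block' with a 0-hour grace period marks the device non-compliant at once.
$blockImmediately = @(@{
    ruleName = 'PasswordRequired'
    scheduledActionConfigurations = @(@{
        actionType = 'block'; gracePeriodHours = 0
        notificationTemplateId = ''; notificationMessageCCList = @()
    })
})

# Windows laptops: BitLocker plus storage encryption, 6+ character PIN/password, OS floor.
$windowsPolicy = @{
    '@odata.type'            = '#microsoft.graph.windows10CompliancePolicy'
    displayName              = 'CUI - Windows compliance (3.1.18)'
    bitLockerEnabled         = $true
    storageRequireEncryption = $true
    passwordRequired         = $true
    passwordMinimumLength    = 6
    osMinimumVersion         = '10.0.19045'   # ASSUMED floor: the oldest build you still patch
    scheduledActionsForRule  = $blockImmediately
}

# Android Enterprise fully managed (device owner) devices: encryption is a named setting.
$androidPolicy = @{
    '@odata.type'            = '#microsoft.graph.androidDeviceOwnerCompliancePolicy'
    displayName              = 'CUI - Android compliance (3.1.18)'
    storageRequireEncryption = $true
    passwordRequired         = $true
    passwordMinimumLength    = 6
    passwordRequiredType     = 'numeric'
    osMinimumVersion         = '12'           # ASSUMED floor
    scheduledActionsForRule  = $blockImmediately
}

# iOS/iPadOS: no separate "require encryption" switch exists; data protection
# encryption is tied to the passcode, so the passcode requirement is the encryption control.
$iosPolicy = @{
    '@odata.type'           = '#microsoft.graph.iosCompliancePolicy'
    displayName             = 'CUI - iOS compliance (3.1.18)'
    passcodeRequired        = $true
    passcodeMinimumLength   = 6
    passcodeRequiredType    = 'numeric'
    osMinimumVersion        = '16.0'          # ASSUMED floor
    scheduledActionsForRule = $blockImmediately
}

foreach ($p in $windowsPolicy, $androidPolicy, $iosPolicy) {
    $created = Invoke-MgGraphRequest -Method POST `
        -Uri "$intune/deviceManagement/deviceCompliancePolicies" `
        -Body ($p | ConvertTo-Json -Depth 10) -ContentType 'application/json'

    # Assign the policy to the CUI group; an unassigned policy evaluates nothing.
    $assignment = @{ assignments = @(@{ target = @{
        '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
        groupId       = $cuiUsersGroupId } }) }
    Invoke-MgGraphRequest -Method POST `
        -Uri "$intune/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
        -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType 'application/json'
}

# Compliance alone only labels the device. This Conditional Access policy is what
# blocks non-compliant devices from Office 365 (Exchange Online, SharePoint).
# It is created in report-only mode so sign-in logs can be reviewed before enforcing.
$caPolicy = @{
    displayName   = 'CUI - Require compliant device for Office 365'
    state         = 'enabledForReportingButNotEnforced'   # change to 'enabled' after validation
    conditions    = @{
        users        = @{ includeGroups = @($cuiUsersGroupId) }
        applications = @{ includeApplications = @('Office365') }
        platforms    = @{ includePlatforms = @('android', 'iOS', 'windows') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/identity/conditionalAccess/policies" `
    -Body ($caPolicy | ConvertTo-Json -Depth 10) -ContentType 'application/json'
```

Run it once from an account holding the Intune and Conditional Access administrator roles, then check the Conditional Access sign-in logs for the report-only results before switching the policy state to enabled; keep a break-glass account excluded from the policy so a misconfigured compliance rule cannot lock out every administrator.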