NIST Special Publication 800-171 Revision 2
Date Published: January 28th, 2021
Withdrawn on May 14, 2024. Superseded by SP 800-171 Rev. 3
Author(s): Ron Ross (NIST), Victoria Pillitteri (NIST), Kelley Dempsey (NIST), Mark Riddle (NARA), Gary Guissanie (IDA)
Note: A Class Deviation is in effect as of May 2, 2024 (DEVIATION 2024O0013). The deviation clause requires contractors, who are subject to 252.204-7012, to comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2, instead of the version of NIST SP 800-171 in effect at the time the solicitation is issued or as authorized by the contracting officer. Click Here
3.1.19 Encrypt CUI on mobile devices and mobile computing platforms.
Control Family: Access Control
Control Type: Derived
SPRS Value: 3
SPRS Supplemental Guidance:
Exposure limited to CUI on mobile platform
CMMC Level(s): AC.L2-3.1.14
Top Ten Failed Requirement: No
Referenced in:
DFARS 252.204-7012
Derived From: NIST SP 800-53r4
AC-19(5)
NIST Supplemental Guidance:
[NIST CRYPTO]
Discussion:
Organizations can employ full-device encryption or container-based encryption to protect the confidentiality of CUI on mobile devices and computing platforms. Container-based encryption provides a more fine-grained approach to the encryption of data and information including encrypting selected data structures such as files, records, or fields. See [NIST CRYPTO].
Upon assessment, assessors must determine if-
3.1.19[a] mobile devices and mobile computing platforms that process, store, or
transmit CUI are identified.
3.1.19[b] encryption is employed to protect CUI on identified mobile devices and mobile
computing platforms.
Assessors are instructed to-
Examine: [SELECT FROM: Access control policy; procedures addressing access control for mobile devices; system design documentation; system configuration settings and associated documentation; encryption mechanisms and associated configuration documentation; system security plan; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: Personnel with access control responsibilities for mobile devices; system or network administrators; personnel with information security responsibilities].
Test: [SELECT FROM: Encryption mechanisms protecting confidentiality of information on mobile devices].
FURTHER DISCUSSION
Ensure CUI is encrypted on all mobile devices and mobile computing platforms that process, store, or transmit CUI including smartphones, tablets, and e-readers.
Because the use of cryptography in this requirement is to protect the confidentiality of CUI, the cryptography used must meet the criteria specified in requirement SC.L2-3.13.11. This requirement, AC.L2-3.1.19, specifies that CUI be encrypted on mobile devices and extends three other CUI protection requirements (MP.L2-3.8.1, MP.L2-3.8.2, and SC.L2- 3.13.16):
MP.L2-3.8.1 requires that media containing CUI be protected.
MP.L2-3.8.2 limits access to CUI to authorized users.
Finally, SC.L2-3.13.16 requires confidentiality of CUI at rest.
This requirement, AC.L2-3.1.19, also leverages SC.L2-3.13.11, which specifies that the algorithms used must be FIPS-validated cryptography, and SC.L2-3.13.10, which specifies that any cryptographic keys in use must be protected.
Example
You are in charge of mobile device security for a company that processes CUI. You configure all laptops to use the full-disk encryption technology built into the operating system. This approach is FIPS-validated and encrypts all files, folders, and volumes. Phones and tablets pose a greater technical challenge with their wide range of manufacturers and operating systems. You select a proprietary mobile device management (MDM) solution to enforce FIPS-validated encryption on those devices [a,b].
Potential Assessment Considerations
Is a list maintained of mobile devices and mobile computing platforms that are permitted to process, store, or transmit CUI [a]?
Is CUI encrypted on mobile devices using FIPS-validated algorithms [b]?
Frameworks & Controls
3.1.3: Control the flow of CUI in accordance with approved authorizations
3.1.6: Use non-privileged accounts or roles when accessing nonsecurity functions
3.1.9: Provide privacy and security notices consistent with applicable CUI rules
3.1.11: Terminate (automatically) a user session after a defined condition
3.1.13: Employ cryptographic mechanisms to protect the confidentiality of remote access sessions
3.1.14: Route remote access via managed access control points
3.1.16: Authorize wireless access prior to allowing such connections
3.1.17: Protect wireless access using authentication and encryption
3.1.19: Encrypt CUI on mobile devices and mobile computing platforms
3.1.20: Verify and control/limit connections to and use of external systems
3.1.21: Limit use of portable storage devices on external systems
3.1.22: Control CUI posted or processed on publicly accessible systems