Discussion:

Organizations can employ full-device encryption or container-based encryption to protect the confidentiality of CUI on mobile devices and computing platforms. Container-based encryption provides a more fine-grained approach to the encryption of data and information including encrypting selected data structures such as files, records, or fields. See [NIST CRYPTO].

Upon assessment, assessors must determine if-

3.1.19[a] mobile devices and mobile computing platforms that process, store, or
transmit CUI are identified.
3.1.19[b] encryption is employed to protect CUI on identified mobile devices and mobile
computing platforms.

Assessors are instructed to-

Examine: [SELECT FROM: Access control policy; procedures addressing access control for mobile devices; system design documentation; system configuration settings and associated documentation; encryption mechanisms and associated configuration documentation; system security plan; system audit logs and records; other relevant documents or records].

Interview: [SELECT FROM: Personnel with access control responsibilities for mobile devices; system or network administrators; personnel with information security responsibilities].

Test: [SELECT FROM: Encryption mechanisms protecting confidentiality of information on mobile devices].