NIST Special Publication 800-171 Revision 2
Date Published: January 28th, 2021
Withdrawn on May 14, 2024. Superseded by SP 800-171 Rev. 3
Author(s): Ron Ross (NIST), Victoria Pillitteri (NIST), Kelley Dempsey (NIST), Mark Riddle (NARA), Gary Guissanie (IDA)
Note: A Class Deviation is in effect as of May 2, 2024 (DEVIATION 2024O0013). The deviation clause requires contractors, who are subject to 252.204-7012, to comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2, instead of the version of NIST SP 800-171 in effect at the time the solicitation is issued or as authorized by the contracting officer. Click Here
AC-3.1.19 Encrypt CUI on mobile devices and mobile computing platforms.
Control Family: Access Control
Control Type: Derived
SPRS Value: 3
SPRS Supplemental Guidance:
Exposure limited to CUI on mobile platform
CMMC Level(s):
AC.L2-3.1.14
Top Ten Failed Requirement:
No
Referenced in:
DFARS 252.204-7012
Derived From: NIST SP 800-53r4
AC-19(5)
NIST Supplemental Guidance:
[NIST CRYPTO]
Discussion:
Organizations can employ full-device encryption or container-based encryption to protect the confidentiality of CUI on mobile devices and computing platforms. Container-based encryption provides a more fine-grained approach to the encryption of data and information including encrypting selected data structures such as files, records, or fields. See [NIST CRYPTO].
Upon assessment, assessors must determine if-
3.1.19[a] mobile devices and mobile computing platforms that process, store, or
transmit CUI are identified.
3.1.19[b] encryption is employed to protect CUI on identified mobile devices and mobile
computing platforms.
Assessors are instructed to-
Examine: [SELECT FROM: Access control policy; procedures addressing access control for mobile devices; system design documentation; system configuration settings and associated documentation; encryption mechanisms and associated configuration documentation; system security plan; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: Personnel with access control responsibilities for mobile devices; system or network administrators; personnel with information security responsibilities].
Test: [SELECT FROM: Encryption mechanisms protecting confidentiality of information on mobile devices].
Potential Solutions Based on Staffing
1-10 FTE |
10-49 FTE |
50-249 FTE |
250-999 FTE |
1000+ FTE |
|---|---|---|---|---|
| WatchGuard Firebox UTM | WatchGuard Firebox UTM | WatchGuard Firebox UTM | Multiple Options | Multiple Options |
| Netwrix Auditor | Netwrix Auditor | Netwrix Auditor | Netwrix Auditor | Netwrix Auditor |
| Microsoft Intune | Microsoft Intune | Microsoft Intune | Microsoft Intune | Microsoft Intune |
| DISA STIGs | DISA STIGs | Tripwire Enterprise | Tripwire Enterprise | Tripwire Enterprise |
| CIS Benchmarks | CIS Benchmarks | DISA STIGs | DISA STIGs | DISA STIGs |
| CIS SecureSuite | CIS SecureSuite | CIS Benchmarks | CIS Benchmarks | CIS Benchmarks |
| CIS SecureSuite | CIS SecureSuite | CIS SecureSuite |