Back to Control Explorer



Control Acronym



Access Control

CMMC Level


800-171 Control #


CMMC Description

Control connection of mobile devices.

CMMC Clarification

Organizations should establish guidelines and acceptable practices for the proper configuration and use of mobile devices. First the device must be identified. The availability of a unique identifier is going to depend on the device vendor, and the openness of the vendor's API, whether or not the device is under EMM/MDM control and, if so, the approach used by the developer of the EMM/MDM. There are many different types of identifiers (e.g., UDID, UUID, Android ID, IMEI, MAC Address, serial number, MDM generated ID) that can be used to identify the device, and an organization must choose an approach that applies under their specific circumstances. Once the device is identified and authenticated, it is checked to ensure it complies with appropriate configuration settings and software versions for the operating system and applications. At the same time the device is checked to ensure anti-virus software is running with current definitions. Finally, hardware configurations are checked to ensure any disallowed features are turned off. Example Your organization has a policy that provides guidelines for using mobile devices such as iPads, tablets, mobile phones, PDAs. It states that all mobile devices must be approved and registered with the IT department before connecting to the network. The IT department uses a Mobile Device Management solution to monitor mobile devices and enforce policies across the enterprise.

800-171 Description

Control connection of mobile devices.

800-171 Discussion

A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the device to capture information, or built-in features for synchronizing local data with remote locations. Examples of mobile devices include smart phones, e-readers, and tablets. Due to the large variety of mobile devices with different technical characteristics and capabilities, organizational restrictions may vary for the different types of devices. Usage restrictions and implementation guidance for mobile devices include: device identification and authentication; configuration management; implementation of mandatory protective software (e.g., malicious code detection, firewall); scanning devices for malicious code; updating virus protection software; scanning for critical software updates and patches; conducting primary operating system (and possibly other resident software) integrity checks; and disabling unnecessary hardware (e.g., wireless, infrared). The need to provide adequate security for mobile devices goes beyond this requirement. Many controls for mobile devices are reflected in other CUI security requirements. [SP 800-124] provides guidance on mobile device security.

Other Source Discussion


CIS Control References

CIS Controls v7.1 13.6, 16.7

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 AC-19

CMMC Derived

NIST CSF Control References

NIST 800-171 References

NIST SP 800-171 Rev 1 3.1.18

Applicable FAR Clause

NIST CSF Control Reference

NIST CSF v1.1 PR.AC-3, PR.AC-6

CERT RMM Reference


Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

UK NCSC Cyber Essentials

AS ACSC Reference


Assessment Sub-Criteria 1

AC.3.020.[a] mobile devices that process, store, or transmit CUI are identified;

Assessment Sub-Criteria 2

AC.3.020.[b] mobile device connections are authorized; and

Assessment Sub-Criteria 3

AC.3.020.[c] mobile device connections are monitored and logged.

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15