AC.3.022

Control Acronym

AC

Family

Access Control

CMMC Level

3

800-171 Control #

3.1.19

CMMC Description

Encrypt CUI on mobile devices and mobile computing platforms.

CMMC Clarification

Ensure CUI is encrypted using approved and validated algorithms for full disk encryption (FDE) or container-based encryption on all mobile devices and platforms to include smartphones, tablets, E-readers, and notebook computers. Mobile phones will typically encrypt a virtual container on the device CUI should be held within the secure encrypted container. A laptop will typically use FDE. One big advantage of using encrypted containers on smartphones is applications and temporary files are not encrypted, preserving battery life that would otherwise be shortened by unnecessary cryptographic operations. Example You are in charge of implementing encryption for your organization. One of the encryption methods you chose for mobile devices is full disk encryption to encrypt all files, folders and volumes. When an individual checks out digital media and leaves the building a thief who obtains the media cannot access the information since everything on the disk is encrypted. Similarly, all CUI on a smartphone is put in a secure encrypted container, and if a phone containing CUI is lost, an adversary cannot recover it.

800-171 Description

Encrypt CUI on mobile devices and mobile computing platforms.

800-171 Discussion

Organizations can employ full-device encryption or container-based encryption to protect the confidentiality of CUI on mobile devices and computing platforms. Container-based encryption provides a more fine-grained approach to the encryption of data and information including encrypting selected data structures such as files, records, or fields. See [NIST CRYPTO].

Other Source Discussion

N/A

CIS Control References

CIS Controls v7.1 13.6

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 AC-19(5)

CMMC Derived

NIST CSF Control References

NIST 800-171 References

NIST SP 800-171 Rev 1 3.1.19

Applicable FAR Clause

NIST CSF Control Reference

NIST CSF v1.1 PR.AC-3

CERT RMM Reference

CERT RMM v1.2 KIM:SG4.SP1

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference

Assessment Sub-Criteria 1

AC.3.022.[a] mobile devices and mobile computing platforms that process, store, or transmit CUI are identified; and

Assessment Sub-Criteria 2

AC.3.022.[b] encryption is employed to protect CUI on identified mobile devices and mobile computing platforms.

Assessment Sub-Criteria 3

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15