How to Meet AC.L2-3.1.18

Practical guide for SMBs to implement AC.L2-3.1.18

Requirement

AC.L2-3.1.18 – Control connection of mobile devices.

This control comes from NIST SP 800-171 REV.2 / CMMC 2.0 Level 2.

Understanding the Requirement

This control requires you to identify which mobile devices (smartphones and tablets) process, store, or transmit Controlled Unclassified Information (CUI); to authorize those devices before they connect; and to monitor and log their connections. The goal is to keep unmanaged or non-compliant devices from accessing CUI and to maintain visibility over all approved devices to reduce risk.

Policies and Procedures Needed

Establish a mobile device policy that defines which devices may access CUI, the security requirements they must meet, and who can approve access. Include onboarding/offboarding steps, a BYOD (bring-your-own-device) stance, device authorization workflow, periodic access reviews, monitoring and logging requirements, and a lost/stolen device response (including remote wipe). Document exceptions and approvals, define roles for security and system administrators, and require users to acknowledge responsibilities.

Technical Implementation

  • Inventory and scope mobile devices for CUI. Maintain a register of all smartphones and tablets used to process, store, or transmit CUI. Track owner, device type/OS/version, corporate vs. BYOD, approved apps, and authorization status. Only devices in this register should be allowed to connect.
  • Require MDM enrollment and device compliance before access. Use a mobile device management (MDM) platform (e.g., Microsoft Intune/Endpoint Manager or Exchange ActiveSync policies) to block email and app access until a device enrolls and meets your compliance policy. Implement Conditional Access so only compliant devices can access email, file storage, or other CUI systems.
  • Enforce a secure baseline. Configure policies to require device encryption, PIN/passcode with complexity, automatic screen lock, minimum supported OS versions, and to block jailbroken/rooted devices. For BYOD, use app protection policies (application-level PIN, data wipe on sign-out, prevent copy/paste to personal apps) on email and file apps handling CUI (e.g., Outlook).
  • Authorize devices through a defined workflow. Require manager sponsorship and IT security approval before enabling access. Tag the device as “Approved” in the MDM, assign it to the user, and place it in a group that receives the correct compliance and app policies. Revalidate authorization at least annually or upon role change.
  • Monitor and log device connections. Enable logging of device enrollment, compliance state changes, access grants/denials, and app sign-ins. Review weekly reports for new devices, noncompliance, or unusual access. Forward critical events to centralized logging and create alerts for high-risk events (e.g., root detected, encryption off, repeated access denials).
  • Respond to lost/stolen or departing-user scenarios. Use MDM to quarantine or block the device immediately, revoke tokens, and perform a remote wipe (corporate wipe for BYOD; full wipe for corporate-owned). During offboarding, block sign-ins, remove the device from authorized groups, and verify that corporate data has been wiped.

Example in a Small or Medium Business

A 120-person engineering firm decides that only enrolled and compliant devices can access corporate email that may contain CUI. The IT manager documents a BYOD policy and chooses Microsoft 365 with Intune to manage smartphones. They configure Conditional Access so users must enroll in Intune before the Outlook mobile app can sign in. Compliance policies require device encryption, a six-digit PIN, auto-lock after 5 minutes, a minimum OS version, and block rooted or jailbroken devices. A project manager installs Outlook on her personal phone; when she signs in, she is prompted to enroll the device and accept the policy. After enrollment, the device enforces a stronger PIN and confirms encryption is on, and Outlook then connects. The MDM logs show the device moved to “Compliant” and the access grant is recorded. Later, when the phone’s OS falls behind, Conditional Access blocks email until the manager updates, keeping noncompliant devices away from CUI.
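The following is an added example, not code from the original guide and not Intune's or any MDM vendor's API. It models the three pieces the Technical Implementation steps and the scenario above describe: an authorized-device register, a compliance evaluation against the firm's baseline (encryption on, six-digit PIN, auto-lock within 5 minutes, minimum OS version, no root/jailbreak), a Conditional-Access-style decision that requires both authorization and compliance, and a triage pass over MDM events that raises the alerts the monitoring step calls for (root detected, encryption off, repeated access denials). The device records, device IDs, minimum OS versions and the key=value log format are all constructed for illustration.

```python
"""Model of the AC.L2-3.1.18 workflow: register -> compliance -> access decision -> alerting.

Added example; all device records, IDs, baseline numbers and log lines are constructed.
"""
from dataclasses import dataclass, field, replace


@dataclass
class Baseline:
    """Secure baseline enforced by the MDM compliance policy (values from the SMB scenario)."""
    min_pin_length: int = 6
    max_autolock_minutes: int = 5
    # Assumed minimum OS versions; a real policy sets these per platform.
    min_os_version: dict = field(default_factory=lambda: {"iOS": (16, 0), "Android": (13, 0)})
    require_encryption: bool = True
    block_rooted: bool = True


@dataclass
class Device:
    """One entry's worth of device state as an MDM would report it."""
    device_id: str
    owner: str
    platform: str
    os_version: tuple
    encrypted: bool
    pin_length: int
    autolock_minutes: int
    rooted: bool
    ownership: str  # "corporate" or "byod"


def evaluate_compliance(device: Device, baseline: Baseline) -> list:
    """Return the list of failed checks; an empty list means the device is Compliant."""
    failures = []
    if baseline.require_encryption and not device.encrypted:
        failures.append("encryption_off")
    if device.pin_length < baseline.min_pin_length:
        failures.append("pin_too_short")
    if device.autolock_minutes > baseline.max_autolock_minutes:
        failures.append("autolock_too_long")
    min_os = baseline.min_os_version.get(device.platform)
    if min_os is None or device.os_version < min_os:
        failures.append("os_below_minimum")
    if baseline.block_rooted and device.rooted:
        failures.append("rooted_or_jailbroken")
    return failures


def access_decision(device: Device, register: dict, baseline: Baseline):
    """Conditional-Access-style gate: the device must be in the register AND compliant."""
    if device.device_id not in register or register[device.device_id]["status"] != "Approved":
        return "deny", ["not_authorized"]
    failures = evaluate_compliance(device, baseline)
    return ("grant" if not failures else "deny"), failures


# Authorized-device register (constructed): only entries tagged Approved may connect.
AUTHORIZED = {
    "D-001": {"owner": "alice", "status": "Approved"},
    "D-002": {"owner": "bob", "status": "Approved"},
}
BASELINE = Baseline()
ALICE_PHONE = Device("D-001", "alice", "iOS", (17, 1), True, 6, 5, False, "byod")
BOB_PHONE = Device("D-002", "bob", "Android", (14, 0), True, 6, 5, True, "byod")
UNKNOWN_TABLET = Device("D-003", "carol", "iOS", (17, 1), True, 6, 5, False, "corporate")
# The scenario's later state: the same phone after its OS has fallen below the minimum.
ALICE_PHONE_OUTDATED = replace(ALICE_PHONE, os_version=(15, 2))

# Constructed MDM event stream in a simple key=value format.
SAMPLE_LOG = [
    "2024-05-01T09:12:00Z device=D-001 user=alice event=enrollment result=success",
    "2024-05-01T09:13:05Z device=D-001 user=alice event=compliance_change state=Compliant",
    "2024-05-01T09:13:10Z device=D-001 user=alice event=access app=Outlook result=grant",
    "2024-05-02T08:00:00Z device=D-002 user=bob event=compliance_change state=NonCompliant reason=rooted_or_jailbroken",
    "2024-05-02T08:00:05Z device=D-002 user=bob event=access app=Outlook result=deny",
    "2024-05-02T08:01:00Z device=D-002 user=bob event=access app=Outlook result=deny",
    "2024-05-02T08:02:00Z device=D-002 user=bob event=access app=Outlook result=deny",
]
HIGH_RISK_REASONS = {"rooted_or_jailbroken", "encryption_off"}


def parse_event(line: str) -> dict:
    """Split 'timestamp k=v k=v ...' into a dict; the format is assumed, not a vendor's."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


def triage_events(lines, denial_threshold: int = 3) -> list:
    """Return (device, reason) alerts for high-risk compliance changes and repeated denials."""
    alerts, denials = [], {}
    for line in lines:
        ev = parse_event(line)
        if ev["event"] == "compliance_change" and ev.get("reason") in HIGH_RISK_REASONS:
            alerts.append((ev["device"], ev["reason"]))
        if ev["event"] == "access" and ev["result"] == "deny":
            denials[ev["device"]] = denials.get(ev["device"], 0) + 1
            if denials[ev["device"]] == denial_threshold:  # alert once per device
                alerts.append((ev["device"], "repeated_access_denials"))
    return alerts


if __name__ == "__main__":
    for dev in (ALICE_PHONE, BOB_PHONE, UNKNOWN_TABLET, ALICE_PHONE_OUTDATED):
        print(dev.device_id, access_decision(dev, AUTHORIZED, BASELINE))
    print(triage_events(SAMPLE_LOG))
```

The decision function is deliberately two-staged: a device that is not in the register is denied before its compliance is even examined, which mirrors the control's "authorize before connect" ordering, and a compliant-looking but unregistered tablet still cannot reach CUI. The triage function alerts once per device on the third denial rather than on every one, so a weekly review is not flooded by a single noncompliant phone retrying.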

Summary

AC.L2-3.1.18 is met when you clearly identify which mobile devices handle CUI, authorize them through a defined workflow, enforce security controls with MDM and Conditional Access, and continuously monitor and log their connections. A practical policy combined with enforceable technical controls—encryption, PINs, OS/version checks, jailbreak/root detection, app protection, and remote wipe—prevents unmanaged devices from accessing CUI and provides the visibility and audit trail SMBs need to control risk.
