Requirement
NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - AC.L2-3.1.19 – Encrypt CUI on mobile devices and mobile computing platforms.
Understanding the Requirement
This control requires that any mobile devices and mobile computing platforms that process, store, or transmit Controlled Unclassified Information (CUI) be identified and protected through encryption. In practice you must inventory smartphones, tablets, and laptops that handle CUI and ensure encryption is enabled and enforced so that CUI remains confidential if a device is lost or stolen. This guidance is aligned with the NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 expectation that encryption is a primary technical safeguard for portable endpoints.
Technical Implementation
-
Create and maintain a device inventory: Record every company-managed smartphone, tablet, and laptop that can access or store CUI. Tag devices by owner, OS, device type, and whether they are company-owned or BYOD. Use this inventory as the basis for enforcement and audits.
-
Deploy an MDM/EMM solution to enforce encryption: Use a mobile device management (MDM) or endpoint management solution (for example, Microsoft Intune or another SMB-focused product) to require full-disk or device storage encryption before provisioning corporate email or apps. Configure compliance policies so non-encrypted devices are blocked from accessing CUI-bearing services.
-
Enable platform-native, FIPS-validated encryption: For laptops use full-disk encryption such as BitLocker (Windows) or FileVault (macOS). For mobile devices rely on the platform’s built-in encryption (iOS and modern Android) and verify the cryptographic module is FIPS 140-2 validated where required by your contract.
-
Implement key management and recovery procedures: Ensure recovery keys are escrowed centrally (e.g., BitLocker keys stored in Azure AD or an on-prem recovery solution). Document who can retrieve keys, how retrieval is logged, and test recovery procedures periodically so legitimate business access is possible without exposing keys.
-
Control BYOD access with conditional access and MAM: For personal devices that employees use, require device encryption before granting access to corporate email or CUI via conditional access policies or mobile application management (MAM). If full device control isn’t feasible, limit CUI access to containerized, encrypted apps only.
-
Monitor compliance and audit regularly: Use MDM reports and endpoint management dashboards to check encryption status, flag non-compliant devices, and generate evidence for audits. Automate alerts when encryption is disabled or device tampering is detected.
Example in a Small or Medium Business
Acme Engineering handles CUI in project documentation and employee email. The IT team starts by inventorying all laptops and phones and identifies 120 endpoints that can access CUI. They deploy Microsoft Intune to company laptops and phones and create a compliance policy that requires BitLocker or FileVault on laptops and native device encryption on phones. BitLocker recovery keys are configured to automatically escrow to Azure AD; the IT manager documents the recovery process and limits key access to two senior administrators. For employees who use personal phones, Acme enforces conditional access: personal devices must have device encryption and a PIN before Outlook can synchronize corporate mail. The help desk runs quarterly compliance reports from Intune, flags non-compliant devices, and works with users to remediate or retire devices that cannot meet encryption requirements. As a result, when a laptop is lost during travel the startup is confident the CUI on disk is encrypted and unusable without the recovery key.
Summary
Encrypting mobile devices that process, store, or transmit CUI is a straightforward, high-impact control for SMBs: maintain a clear inventory, enforce platform-native FIPS-validated encryption through an MDM, escrow recovery keys, and use conditional access for BYOD. Combined policy, centralized technical enforcement, and regular monitoring provide the practical steps needed to meet the control and keep CUI confidential even if a device leaves your physical control.
