
How to Prepare for a CMMC 2.0 Level 2 Assessment: Control Connection of Mobile Devices Implementation Guide (NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - AC.L2-3.1.18)

Step-by-step guidance to control mobile device connections for CMMC 2.0 Level 2 (NIST SP 800-171 Rev.2 AC.L2-3.1.18) with practical controls, evidence examples, and low-cost options for small businesses.

April 11, 2026

Controlling which mobile devices can connect to systems that process Controlled Unclassified Information (CUI) is a core requirement of NIST SP 800-171 Rev.2 and CMMC 2.0 Level 2 (AC.L2-3.1.18); this guide gives small businesses practical, testable steps to implement that control, collect assessor evidence, and reduce the risk of data loss or contract disqualification.

Understanding AC.L2-3.1.18 and key objectives

AC.L2-3.1.18 requires that organizations control connections of mobile devices to systems where CUI resides — meaning only authorized, compliant devices may access sensitive networks and services. The key objectives are: (1) prevent unmanaged or compromised devices from connecting, (2) ensure connected mobile devices meet security baselines (patch level, encryption, screen lock, non-jailbroken), and (3) provide technical evidence that unauthorized connection attempts are blocked and authorized devices are tracked.

Practical implementation steps (Compliance Framework focused)

Start with policy and scope: document a Mobile Device Usage and Connection Policy that defines allowed device types (corporate-owned, BYOD with controls), acceptable operating systems, minimum configuration (disk encryption, passcode, no root/jailbreak), and where CUI can be accessed. Next, implement an inventory: enroll every authorized mobile device in an MDM/EMM (e.g., Microsoft Intune, Jamf, Google endpoint management) and maintain an asset list with device owner, OS version, enrollment date, and last check-in time. Use this inventory as the single source of truth during assessment.

Technical controls to enforce device connection

Use a combination of Mobile Device Management (MDM) + Network Access Control (NAC) + Conditional Access to enforce policies. Examples: require MDM enrollment and device compliance before granting access via Wi‑Fi or VPN; configure your Wi‑Fi for WPA2/WPA3-Enterprise with 802.1X (RADIUS) and map device certificates to roles; deploy conditional access rules in Azure AD to block unmanaged devices from accessing Microsoft 365 or CUI-bearing apps. For VPNs serving CUI, require certificate-based authentication, enforce full-tunnel VPN to prevent split-tunnel exfiltration, and restrict access to specific network segments.

Small business scenarios and low-cost options

Scenario A (10–50 employees, mixed BYOD): Use Microsoft Intune (included with many Microsoft 365 plans) to enforce device compliance, containerize CUI in managed apps with App Protection Policies (prevent copy/paste, disable backups), and use Azure AD Conditional Access to deny unmanaged devices. Scenario B (primarily Apple devices): Jamf or Apple Business Manager plus MDM profiles for enforced encryption, remote wipe, and app whitelisting. If budget is constrained, combine free RADIUS (FreeRADIUS) for 802.1X Wi‑Fi and a low-cost MDM like Miradore or Google Workspace endpoint management; document compensating controls and a clear timeline to migrate to enterprise-grade tooling.

Configuration examples and technical specifics

Concrete settings assessors will look for: MDM compliance rules (minimum OS: iOS 15+/Android 11+ or as required), device encryption enforced, passcode complexity (minimum 6-digit or equivalent complexity, auto-lock after ≤5 minutes), remote wipe enabled, blocking of jailbroken/rooted devices, blocked tethering and backup to unapproved cloud services, and automated patch enforcement. On the network side, record RADIUS logs showing 802.1X success/failure, VPN logs showing certificate-based authentication, and NAC policies that place non-compliant devices into a remediation VLAN with no CUI access.
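A small checker that applies the baseline above (minimum OS, encryption, passcode length, auto-lock, jailbreak status, plus check-in freshness from the inventory step) to an MDM inventory export. This is an added illustration, not Intune or Jamf rule syntax: the record fields, the 7-day stale check-in threshold and the sample devices are constructed assumptions.

```python
"""Check an MDM inventory export against the AC.L2-3.1.18 baseline listed above.
Added illustration: fields, thresholds and sample records are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

MIN_OS = {"ios": (15, 0), "android": (11, 0)}   # example baseline from the text
MIN_PASSCODE_LENGTH = 6
MAX_AUTOLOCK_MINUTES = 5
MAX_CHECKIN_AGE = timedelta(days=7)   # assumption: >7 days without check-in is stale

@dataclass
class Device:
    device_id: str
    owner: str
    platform: str          # "ios" or "android"
    os_version: str        # e.g. "16.4.1"
    encrypted: bool
    passcode_length: int
    autolock_minutes: int
    jailbroken: bool
    last_checkin: datetime

def parse_version(text):   # "16.4.1" -> (16, 4); major.minor is enough here
    parts = [int(p) for p in text.split(".")[:2]] + [0, 0]
    return tuple(parts[:2])

def evaluate(dev, now):
    """Return the baseline rules a device fails; an empty list means compliant."""
    minimum = MIN_OS.get(dev.platform, (99, 0))   # unknown platform never passes
    checks = [
        (dev.platform in MIN_OS, "platform not allowed by policy"),
        (parse_version(dev.os_version) >= minimum, "OS below minimum version"),
        (dev.encrypted, "storage encryption not enforced"),
        (dev.passcode_length >= MIN_PASSCODE_LENGTH, "passcode shorter than 6"),
        (dev.autolock_minutes <= MAX_AUTOLOCK_MINUTES, "auto-lock longer than 5 minutes"),
        (not dev.jailbroken, "jailbroken/rooted"),
        (now - dev.last_checkin <= MAX_CHECKIN_AGE, "stale MDM check-in"),
    ]
    return [msg for ok, msg in checks if not ok]

NOW = datetime(2026, 4, 11, 9, 0)
# Constructed sample inventory: one compliant device, one with several gaps.
SAMPLE = [
    Device("dev-001", "alice", "ios", "17.2", True, 6, 2, False, NOW - timedelta(days=1)),
    Device("dev-002", "bob", "android", "10.0", True, 4, 15, True, NOW - timedelta(days=20)),
]
def compliance_report(devices, now):
    """device_id -> list of failures: the inventory view an assessor can sample from."""
    return {d.device_id: evaluate(d, now) for d in devices}
```

Run the report against a real export before the assessment; any device with a non-empty list should have a matching NAC/conditional-access denial or a documented remediation ticket.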

Evidence to collect for a CMMC 2.0 Level 2 assessment

Prepare artifacts: the Mobile Device Policy, device inventory export from your MDM (with identifiable device IDs and owners), screenshots of compliance rule configurations, logs from NAC/RADIUS and VPN showing denied connections from unmanaged devices, conditional access policy screenshots, change management records for MDM configuration, training records for staff about BYOD rules, and incident logs for any mobile-related security events and how they were remediated. Provide sample audit trails that show a non-compliant device was blocked and later remediated and enrolled.
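One way to produce the "unmanaged device was denied" audit trail from the 802.1X/RADIUS logs mentioned above: parse the authentication lines, cross-reference the client MAC (Calling-Station-Id) against the MDM inventory, and flag any success from a device that is not enrolled as a control gap. Added example, not the site's or any vendor's tooling; the log lines are constructed in the style of a FreeRADIUS radius.log "Auth:" entry and the inventory mapping is a constructed assumption.

```python
"""Build blocked-unmanaged-device evidence from RADIUS auth logs plus the MDM inventory.
Added illustration; log lines and inventory are constructed samples."""
import re

# Constructed sample approximating FreeRADIUS "Auth:" lines (cli = Calling-Station-Id, the client MAC).
RADIUS_LOG = """\
Sat Apr 11 08:02:11 2026 : Auth: (41) Login OK: [alice] (from client ap-lobby port 0 cli AA-11-22-33-44-01)
Sat Apr 11 08:05:37 2026 : Auth: (42) Login incorrect (No matching certificate): [bob-phone] (from client ap-lobby port 0 cli AA-11-22-33-44-02)
Sat Apr 11 08:09:00 2026 : Auth: (43) Login OK: [carol] (from client ap-eng port 0 cli AA-11-22-33-44-03)
Sat Apr 11 08:12:48 2026 : Auth: (44) Login incorrect (EAP failed): [guest-x] (from client ap-eng port 0 cli AA-11-22-33-44-09)
"""

# Constructed MDM inventory: MAC -> (device id, owner) for enrolled, compliant devices.
MANAGED = {
    "AA-11-22-33-44-01": ("dev-001", "alice"),
    "AA-11-22-33-44-03": ("dev-003", "carol"),
}

LINE_RE = re.compile(
    r"^(?P<ts>.+?) : Auth: \(\d+\) Login (?P<result>OK|incorrect)"
    r"(?: \((?P<reason>[^)]*)\))?: \[(?P<user>[^\]]*)\] "
    r"\(from client (?P<nas>\S+) port \d+ cli (?P<mac>[0-9A-Fa-f-]+)\)$")

def parse(log):
    """Return one dict per recognised auth line; unrelated log lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def evidence_summary(events, managed):
    """Classify each auth event by outcome and enrollment status.
    'denied_unmanaged' is the evidence the assessor asks for; 'allowed_unmanaged'
    is a control gap that must be investigated before the assessment."""
    summary = {"allowed_managed": [], "denied_unmanaged": [],
               "denied_managed": [], "allowed_unmanaged": []}
    for e in events:
        status = "allowed" if e["result"] == "OK" else "denied"
        mgmt = "managed" if e["mac"].upper() in managed else "unmanaged"
        summary[f"{status}_{mgmt}"].append((e["ts"], e["mac"], e["user"], e["reason"]))
    return summary
```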

Risks and consequences of not implementing the control

Without these controls you face immediate risks: CUI exfiltration via insecure or compromised mobile endpoints, lateral movement from a mobile device into internal systems, accidental exposure through backup or shadow IT apps, and increased attack surface for phishing and malware. From a compliance perspective, failing AC.L2-3.1.18 can result in a noncompliance finding, loss of DoD contracts, potential financial penalties, and reputational damage — all of which disproportionately harm small businesses dependent on federal contracts.

Summary: Implementing AC.L2-3.1.18 is a mix of policy, inventory, and technical enforcement — enroll and baseline devices in an MDM, enforce 802.1X and conditional access, log and retain access attempts, and prepare clear evidence for assessors; for small businesses, leverage bundled or low-cost MDM and cloud identity features to meet requirements quickly while documenting compensating controls and remediation plans for any gaps.
