Encrypting Controlled Unclassified Information (CUI) on mobile devices is a practical, testable requirement under NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 (control AC.L2-3.1.19) — this post walks small businesses through concrete steps to implement and verify encryption for iOS and Android devices using common MDM tools, secure app practices, and simple verification checks.
Why this matters for Compliance Framework
CUI on mobile devices is high risk: lost or stolen phones, backups that are not encrypted, or apps that store data unprotected can expose sensitive information and trigger contract penalties or loss of federal work. The Compliance Framework requires that organizations protect CUI at rest on portable devices. For small businesses, meeting this control means proving devices that store or access CUI are encrypted, that keys are protected, and that policies and controls are in place and verifiable.
Practical implementation steps (high-level)
For a practical rollout, follow these steps: 1) inventory devices and classify which devices handle CUI; 2) choose an MDM/EMM solution that supports enforced encryption and compliance reporting (examples: Microsoft Intune, Jamf for Apple, VMware Workspace ONE, ManageEngine for mixed fleets); 3) create device configuration profiles requiring encryption, strong passcodes, automatic lock, and remote wipe; 4) enforce application-level encryption for managed apps using platform libraries; 5) test and document verification procedures and build ongoing monitoring/alerts into the MDM console.
Platform-specific technical details
iOS: Encryption of data at rest is provided by hardware-backed Data Protection and the Secure Enclave. Ensure devices are supervised via MDM and require a passcode policy (minimum length/complexity). Configure managed apps or your custom apps to use NSFileProtection (NSFileProtectionComplete or NSFileProtectionCompleteUnlessOpen) for files containing CUI and store keys in the Keychain with kSecAttrAccessibleWhenUnlockedThisDeviceOnly or through Secure Enclave-generated keys. For backups, block or require encrypted iCloud backups via MDM (disable unencrypted local backups). Verify device status in MDM by checking attributes like passcodePresent and dataProtectionStatus.
Android specifics and practical advice
Android has evolved from full-disk encryption (FDE) to File-Based Encryption (FBE) on modern releases. Use Android Enterprise (work profile or fully managed) and require devices be encrypted (FBE active) via policy. For app-level encryption, use the Jetpack Security libraries: EncryptedFile and EncryptedSharedPreferences (which use Android Keystore to protect AES-256 keys). For stronger key protection, prefer hardware-backed KeyStore / StrongBox where available. Administrative checks: use MDM to verify encryption state, or locally (for diagnostics) use adb shell getprop ro.crypto.state and ro.crypto.type (or check Settings > Security > Encryption). Block rooted/jailbroken devices from accessing managed CUI via MDM compliance rules.
Real-world small business scenario
Example: a 20-person subcontractor working on a DoD contract must allow engineers to access CUI on phones. Practical approach: enroll all company phones in Microsoft Intune as "work-managed." Create a policy requiring device encryption, 6–8 digit passcode with timeout, disable backup to personal cloud unless encrypted, and deploy the organization's secure viewer app built with EncryptedFile/NSFileProtection. Train staff to report lost devices and document a 1-hour remote wipe SLA. Verify compliance weekly through Intune reports and remediate noncompliant devices before they access CUI.
Testing, verification, and evidence for audits
Auditors and assessors will want objective evidence. Use MDM-generated reports showing: device encryption status, passcode compliance, OS versions, and device health (no jailbreak/root). For technical validation, collect screenshots or exported reports showing encryption state, and logs of remote wipe commands and outcomes. For app-level controls, supply developer documentation showing use of platform encryption APIs, Keychain/KeyStore usage, and encryption algorithm/key sizes (e.g., AES-256-GCM with keys protected by Secure Enclave or hardware-backed Keystore). Maintain a test plan: sample a device, attempt to access protected files without passcode, and demonstrate that data is inaccessible when the device is locked.
Risks of not implementing and mitigation best practices
Failing to encrypt CUI on mobile devices increases risk of data breaches, unauthorized disclosure, loss of contracts, and regulatory penalties. Common real-world failures include allowing unmanaged devices to access CUI, permitting backups to unencrypted personal cloud accounts, and ignoring rooted/jailbroken device policies. Best practices: 1) adopt least privilege and restrict CUI access to managed apps only; 2) use multi-factor authentication combined with device attestation; 3) rotate encryption keys and limit key export; 4) log and alert on policy violations; 5) include remote-wipe and disable-device-access playbooks in incident response; 6) keep OS and MDM policies current to benefit from platform security improvements.
Summary
Meeting AC.L2-3.1.19 for NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 is achievable for small businesses by combining MDM-enforced device encryption, platform-native protection (iOS Data Protection, Android FBE), secure app-level encryption (Keychain/Keystore and Jetpack Security), and documented verification procedures. Inventory devices, enforce policies, test periodically, and keep a simple audit trail — these steps provide practical, demonstrable compliance while keeping CUI protected on mobile endpoints.
