
Step-by-Step Checklist to Encrypt CUI on BYOD and Corporate Mobile Platforms for NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - AC.L2-3.1.19

Practical, step-by-step checklist to encrypt CUI on BYOD and corporate mobile devices to meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 requirements for protecting Controlled Unclassified Information.

April 02, 2026

This post gives a practical, step-by-step checklist to ensure Controlled Unclassified Information (CUI) stored on BYOD and corporate mobile platforms is encrypted in accordance with NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 control AC.L2-3.1.19, with implementation tips, real-world small-business scenarios, and specific technical guidance you can apply immediately.

What AC.L2-3.1.19 requires and key objectives

Control AC.L2-3.1.19 mandates that organizations encrypt CUI on mobile devices — including corporate-owned and BYOD — to prevent unauthorized disclosure when devices are lost, stolen, or compromised. Key objectives are: (1) ensure CUI at rest on mobile endpoints is encrypted using vetted cryptography, (2) enforce policies so only compliant devices/apps can store or access CUI, and (3) maintain evidence (logs, configs, inventories) showing encryption is actively enforced.

High-level implementation approach (Compliance Framework perspective)

From a Compliance Framework standpoint, implement a layered approach: policy and inventory first, then endpoint controls (MDM/MAM), then cryptographic controls (platform/device/app encryption + key management), followed by enforcement (conditional access, attestation) and validation (audits, reporting). This aligns governance, technical controls, and evidence collection for auditors and assessors.

Step-by-step checklist (actionable items)

1) Inventory & classification: identify all mobile devices, owners, OS versions, and apps that store or access CUI. Tag devices as corporate-owned vs BYOD.

2) Policy: update Acceptable Use and BYOD policies to require device encryption, minimum OS levels, passcodes, and consent for remote wipe.

3) Select enforcement tech: choose MDM for corporate devices and MAM/App Protection for BYOD (examples: Microsoft Intune, VMware Workspace ONE, Ivanti, Google Endpoint Management, Apple Business Manager + MDM).

4) Configure platform encryption: enforce iOS Data Protection (passcode + hardware-backed crypto) and Android File-Based Encryption (FBE), and require StrongBox/TEE where available.

5) App-level controls: use containerization, app wrapping, or managed-app SDKs to force per-app encryption, block local backups, and disallow saving CUI to unmanaged storage.

6) Conditional access & attestation: block access for non-compliant devices using conditional access rules and verify device integrity with attestation/health checks.

7) Key management: use platform-provided key stores (Secure Enclave, Android Keystore / StrongBox) or an enterprise KMS with FIPS 140-2 validated modules for cloud keys; define rotation and escrow.

8) Test & verify: simulate device loss, validate remote wipe, audit encryption status reports, and log everything.

9) Document: keep policies, configuration baselines, rollouts, and audit results as compliance evidence.

10) Training & incident response: train employees on BYOD rules and include mobile device loss/compromise workflows in IR plans.
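Step 8 (audit encryption status reports) and the later tip about drift scans are easiest to show as a small evidence check. The script below is an added example, not from the original post or any vendor: it reads a device inventory export shaped like the Microsoft Graph managedDevices fields (isEncrypted, complianceState, operatingSystem, osVersion, managedDeviceOwnerType, lastSyncDateTime) and reports per-device gaps against an assumed baseline; the records and the baseline values are constructed for the example.

```python
"""Audit a mobile-device inventory export for AC.L2-3.1.19 evidence.

Added example, not the original post's code. The export shape follows the
Microsoft Graph managedDevices field names; the records and the OS baseline
below are constructed sample data, not a real tenant.
"""
from datetime import datetime, timedelta

# Minimum OS baseline per platform (assumed values for the example).
MIN_OS = {"iOS": (17, 0), "Android": (13, 0)}
STALE_AFTER = timedelta(days=7)  # a device that has not checked in cannot prove encryption

SAMPLE_DEVICES = [  # constructed sample export
    {"deviceName": "corp-iphone-01", "operatingSystem": "iOS", "osVersion": "17.4",
     "isEncrypted": True, "complianceState": "compliant",
     "managedDeviceOwnerType": "company", "lastSyncDateTime": "2026-03-30T10:00:00Z"},
    {"deviceName": "byod-pixel-02", "operatingSystem": "Android", "osVersion": "12.0",
     "isEncrypted": True, "complianceState": "noncompliant",
     "managedDeviceOwnerType": "personal", "lastSyncDateTime": "2026-03-29T08:00:00Z"},
    {"deviceName": "corp-galaxy-03", "operatingSystem": "Android", "osVersion": "14.0",
     "isEncrypted": False, "complianceState": "compliant",
     "managedDeviceOwnerType": "company", "lastSyncDateTime": "2026-02-01T08:00:00Z"},
]

def parse_version(v):
    """'17.4' -> (17, 4); '17' -> (17, 0). Only major.minor are compared."""
    parts = [int(p) for p in v.split(".")[:2]]
    return tuple(parts + [0] * (2 - len(parts)))

def parse_time(iso):
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def find_gaps(device, now):
    """Return the list of AC.L2-3.1.19 gaps for one device record."""
    gaps = []
    if not device.get("isEncrypted"):
        gaps.append("storage not encrypted")
    if device.get("complianceState") != "compliant":
        gaps.append("compliance policy failed")
    floor = MIN_OS.get(device["operatingSystem"])
    if floor and parse_version(device["osVersion"]) < floor:
        gaps.append("OS below baseline")
    if now - parse_time(device["lastSyncDateTime"]) > STALE_AFTER:
        gaps.append("stale check-in, encryption status unverified")
    return gaps

def audit(devices, now_iso):
    """Map device name -> gaps; an empty list is the evidence the device passes."""
    now = parse_time(now_iso)
    return {d["deviceName"]: find_gaps(d, now) for d in devices}

if __name__ == "__main__":
    for name, gaps in audit(SAMPLE_DEVICES, "2026-04-02T00:00:00Z").items():
        print(f"{name}: {'OK' if not gaps else ', '.join(gaps)}")
```

Devices with a non-empty gap list are the ones a conditional access rule should be blocking; the empty lists, dated, are the audit evidence for step 9.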

Technical specifics and configuration examples

iOS: Require a passcode via MDM and enforce "Data Protection" (iOS encrypts files using AES-XTS or AES-GCM in hardware). Configure supervised devices via Apple Business Manager (DEP) for corporate phones and require MDM enrollment for compliance reporting.

Android: require full-disk or file-based encryption (FBE) and a minimum Android security patch level; enforce "Force encryption" or set StorageEncryptionRequired on managed devices.

BYOD: where you can't enroll devices, use MAM policies (e.g., Intune App Protection) to require encryption at the app layer and block data movement to unmanaged apps.

Cryptography: require FIPS 140-2 validated modules where CUI policy demands FIPS-validated crypto; for data in transit require TLS 1.2+ (prefer TLS 1.3) and avoid deprecated ciphers. Use AES-256-GCM where feasible for data at rest and ensure keys are protected by hardware-backed keystores (Secure Enclave or TEE/StrongBox).

Small-business scenario: practical rollout example

Example: A 15-person defense subcontractor has three corporate phones and four BYOD devices used by staff who access CUI email and SharePoint. Steps they took: (a) added a BYOD clause to contracts and a mobile security policy, (b) enrolled corporate phones in Microsoft Intune (supervised via Apple Business Manager for iOS), (c) applied Device Compliance and Conditional Access policies to only allow email/SharePoint access from devices reporting "Device encrypted = true," (d) published an approved app list and used Intune App Protection for BYOD to prevent saving attachments to local storage, and (e) documented device inventory and ran quarterly compliance reports for audits. Result: meeting AC.L2-3.1.19 with minimal user friction and clear evidence for assessors.

Risks of not implementing

Failing to encrypt CUI on mobile devices exposes your organization to data breaches, loss of controlled information, contractual penalties (loss of government contracts), regulatory fines, and reputational damage. Mobile devices are frequently lost or stolen — unencrypted CUI can be trivially extracted. Lack of demonstrable controls also fails compliance assessments under NIST 800-171 and CMMC, which can block future contracting opportunities.

Compliance tips and best practices

Document everything: policies, device inventories, MDM/MAM configurations, conditional access rules, and test results. Maintain a minimum OS/security-patch baseline and enforce upgrades. Prefer hardware-backed key storage and FIPS-validated crypto for any enterprise or government CUI. For BYOD, minimize CUI footprint by using managed apps and avoid syncing CUI to personal cloud services. Regularly run configuration drift scans and collect attestation logs as evidence. Lastly, perform periodic tabletop exercises simulating device loss and data exfiltration to validate processes.

In summary, meeting AC.L2-3.1.19 for NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 is a repeatable process: inventory and policy, pick enforcement tech (MDM for corporate, MAM for BYOD), configure platform and app-level encryption using hardware-backed keys and FIPS-validated crypto where required, enforce conditional access, test remote-wipe and logging, and document results. For small businesses, pragmatic choices like Intune + App Protection or a managed Android program can deliver compliance quickly while minimizing user impact — but documentation, monitoring, and periodic testing are what turn configuration into demonstrable compliance.
