Level 5 CMMC - CMMC Practices

AC.3.022  

Reference: CMMC 1.02

Family: AC

Level Introduced: 3

Practice:
Encrypt CUI on mobile devices and mobile computing platforms.

CMMC Clarification:
Ensure CUI is encrypted using approved and validated algorithms for full disk encryption (FDE) or container-based encryption on all mobile devices and platforms to include smartphones, tablets, E-readers, and notebook computers. Mobile phones will typically encrypt a virtual container on the device; CUI should be held within the secure encrypted container. A laptop will typically use FDE. One big advantage of using encrypted containers on smartphones is applications and temporary files are not encrypted, preserving battery life that would otherwise be shortened by unnecessary cryptographic operations.

Example
You are in charge of implementing encryption for your organization. One of the encryption methods you chose for mobile devices is full disk encryption to encrypt all files, folders and volumes. When an individual checks out digital media and leaves the building a thief who obtains the media cannot access the information since everything on the disk is encrypted. Similarly, all CUI on a smartphone is put in a secure encrypted container, and if a phone containing CUI is lost, an adversary cannot recover it.

3.1.19

Encrypt CUI on mobile devices and mobile computing platforms.

Discussion:
Organizations can employ full-device encryption or container-based encryption to protect the confidentiality of CUI on mobile devices and computing platforms. Container-based encryption provides a more fine-grained approach to the encryption of data and information including encrypting selected data structures such as files, records, or fields. See [NIST CRYPTO].

*Mobile devices and computing platforms include, for example, smartphones and tablets.

Source: NIST Special Publication 800-171 Rev. 2

AC-19 (5)

ACCESS CONTROL FOR MOBILE DEVICES | FULL DEVICE/ CONTAINER-BASED ENCRYPTION

Description:
The organization employs [Selection: full-device encryption; container encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices].

Supplemental Guidance:
Container-based encryption provides a more fine-grained approach to the encryption of data/information on mobile devices, including for example, encrypting selected data structures such as files, records, or fields. Related controls: MP-5, SC-13, SC-28.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02