3.1.19 — Encrypt CUI on Mobile

The One-Liner

If a device with CUI is lost or stolen, the data must be unreadable. Full disk encryption, verified through MDM.

What It Says

Encrypt CUI on mobile devices and mobile computing platforms.

What It Actually Means

Every mobile device that might contain CUI needs encryption:

• Windows laptops — BitLocker, recovery keys stored in Entra ID
• Macs — FileVault, recovery keys stored in Jamf or Entra
• iPhones/iPads — hardware encryption (enabled by default with a passcode)
• Android — hardware encryption (enforced through MDM compliance policy)

Two things the assessor cares about:

1. Is encryption on? Not “probably” — verifiably. MDM compliance dashboards prove this.
2. Is it FIPS-validated? Per requirement 3.13.11, the encryption must use FIPS 140 validated modules.

---

Pass or Fail

Your assessor needs a “yes” to every row:

#	Question	What “yes” looks like
1	Are mobile devices with CUI identified?	You know which devices might contain CUI
2	Is encryption enabled on all of them?	Verified through MDM compliance — not assumed

---

What to Have Ready on Assessment Day

Documents they’ll review: Access control policy, mobile device procedures, system config, encryption mechanism documentation, system security plan, audit logs

People they’ll talk to: Mobile device access control staff, sysadmins, information security staff

Live demos they’ll ask for: “Show me your MDM compliance dashboard. Show me BitLocker is enabled on this laptop. Show me the recovery key is stored centrally.”

---

The Assessor’s Playbook

These are the actual questions. Have answers ready.

• “Which mobile devices handle CUI?”
• “What encryption is used on each device type?”
• “Is the encryption FIPS-validated?”
• “How do you verify encryption is enabled — show me the compliance dashboard.”

Real-World Example

A contractor enforces BitLocker through Intune compliance policy. The Intune dashboard shows 100% of Windows devices have BitLocker enabled. Recovery keys are automatically stored in Entra ID. iPhones require a 6-digit passcode (enabling hardware encryption). The assessor checks the Intune compliance report and verifies a BitLocker recovery key exists in Entra for a sample device.

---

Where Companies Trip Up

Encryption not verified. BitLocker is ‘probably on’ but nobody checks. MDM compliance reporting proves it.

Recovery keys not managed. BitLocker is on but keys aren’t stored centrally. A device is lost and you can’t prove it was encrypted.

Personal devices unencrypted. BYOD phones accessing CUI email without device encryption requirements.

---

How to Talk About This

To a CEO or Board

Every mobile device has full disk encryption, verified through our MDM. If a device is lost, the data is unreadable. We can prove it.

To an Engineering Team

BitLocker enforced via Intune compliance. Recovery keys in Entra ID. iOS hardware encryption with passcode policy. Android encryption via MDM. 100% compliance tracked in Intune.

---

Connected Requirements

Requirement	Why it matters here
3.1.18 — Mobile Device Control	Managing the devices this encrypts
3.13.11 — FIPS or It Doesn’t Count	FIPS validation for the encryption
3.13.16 — Encrypt CUI at Rest	Encrypting CUI at rest on any system

---

Implementation (coming soon)

Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.

---

CMMC Practice ID: AC.L2-3.1.19 | SPRS Weight: 3 points | POA&M Eligible: No