Control 3.1.19
Encrypt CUI on Mobile Devices
Official Requirement
Encrypt CUI on mobile devices and mobile computing platforms.
What This Means in Plain English
Any CUI stored on mobile devices must be encrypted. If a phone, tablet, or laptop is lost or stolen, the data on it should be unreadable without the proper encryption key or credentials.
How Petronella Implements This Control
Petronella Technology Group implements this control through:
- BitLocker full-disk encryption enforced on all Windows laptops via Group Policy
- FileVault encryption required on all macOS devices via MDM policy
- Microsoft Intune compliance policies verifying device encryption status before granting access
- Native encryption enforcement on iOS and Android devices through MDM
- ComplianceArmor tracking encryption status for all mobile assets in the inventory
Assessment Guidance
Assessors will verify that device encryption is enforced via policy and technical controls, check BitLocker and FileVault status on sample devices, review MDM compliance reports showing encryption status, and test that non-encrypted devices are blocked.
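The BitLocker spot check on a sampled Windows laptop can be scripted. The following is an added example, not Petronella's own tooling; it assumes the built-in BitLocker PowerShell module is present and the script is run from an elevated session.

```powershell
#Requires -RunAsAdministrator
# Added example: spot-check BitLocker state on one sampled Windows laptop.
# Every volume BitLocker reports should be fully encrypted with protection on.

$report = foreach ($vol in Get-BitLockerVolume) {
    # Key protector types (for example Tpm, RecoveryPassword) as evidence for the assessor.
    $protectors = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '

    $findings = @()
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $findings += "volume status is $($vol.VolumeStatus) ($($vol.EncryptionPercentage)% encrypted)"
    }
    if ($vol.ProtectionStatus -ne 'On') {
        # Protection can be Off on a fully encrypted disk when BitLocker is suspended:
        # the volume key is then stored unprotected on the disk.
        $findings += "protection status is $($vol.ProtectionStatus)"
    }
    if (-not $vol.KeyProtector) {
        $findings += 'no key protectors configured'
    }

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeType       = $vol.VolumeType
        EncryptionMethod = $vol.EncryptionMethod
        KeyProtectors    = $protectors
        Compliant        = ($findings.Count -eq 0)
        Findings         = $findings -join '; '
    }
}

$report | Format-Table -AutoSize -Wrap

# When saved and run as a script, a non-zero exit code lets a management
# tool or scheduled task flag the device.
if ($report | Where-Object { -not $_.Compliant }) { exit 1 } else { exit 0 }
```

A volume that is fully encrypted but shows protection Off is the case a status-only check misses, so the script reports both fields separately.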
Common Implementation Gaps
- Laptops without full-disk encryption
- Mobile devices with encryption disabled by users
- No MDM enforcement of encryption requirements
- Removable media (USB drives) used without encryption
- No inventory tracking encryption status of mobile devices
Cross-Framework Mapping
| Framework | Mapped Controls |
|---|---|
| NIST SP 800-53 | AC-19(5) |
| HIPAA | 164.312(a)(2)(iv) - Encryption and Decryption |
| PCI DSS | Req 3.4 - Render PAN unreadable anywhere it is stored |