CMMC AC.3.022 - Encrypt Mobile Devices

Requirement text: AC.3.022: Encrypt CUI on mobile devices and mobile computing platforms.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Organizations can employ full-device encryption or container-based encryption to protect
the confidentiality of CUI on mobile devices and computing platforms. Container-based
encryption provides a more fine-grained approach to the encryption of data and information
including encrypting selected data structures such as files, records, or fields. Protecting
cryptographic keys is an essential element of any encryption solution.

CMMC CLARIFICATION
Ensure CUI is encrypted using approved and validated algorithms for full disk encryption
(FDE) or container-based encryption on all mobile devices and platforms to include
smartphones, tablets, E-readers, and notebook computers. Mobile phones will typically
encrypt a virtual container on the device; CUI should be held within the secure encrypted
container. A laptop will typically use FDE. One big advantage of using encrypted containers
on smartphones is that applications and temporary files are not encrypted, which preserves
battery life that would otherwise be shortened by unnecessary cryptographic operations.

Example
You are in charge of implementing encryption for your organization. One of the encryption
methods you chose for mobile devices is full disk encryption to encrypt all files, folders and
volumes. When an individual checks out digital media and leaves the building a thief who
obtains the media cannot access the information since everything on the disk is encrypted.
Similarly, all CUI on a smartphone is put in a secure encrypted container, and if a phone
containing CUI is lost, an adversary cannot recover it.
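One way to verify the notebook (FDE) half of this control on a Linux laptop, as an added example that is not part of the CMMC or NIST text: the script walks `lsblk --json` output and flags any mounted filesystem that has no dm-crypt device in its parent chain. The block device tree is constructed sample data, and the default exemption of `/boot` and `/boot/efi` is an assumption, since the boot partition is commonly left unencrypted.

```python
"""Audit a Linux notebook for full disk encryption (FDE) from `lsblk --json`.

Added example; the sample tree below is constructed, and the /boot exemption
is an assumption about typical layouts, not a requirement of AC.3.022."""
import json
import subprocess


def unencrypted_mounts(lsblk_json: dict, exempt=("/boot", "/boot/efi", "[SWAP]")) -> list:
    """Return (device, mountpoint) pairs whose device and ancestors are never type 'crypt'."""
    findings = []

    def walk(node, encrypted):
        # A filesystem counts as encrypted if it, or any ancestor, is a dm-crypt mapping.
        enc = encrypted or node.get("type") == "crypt"
        mp = node.get("mountpoint")
        if mp and mp not in exempt and not enc:
            findings.append((node.get("name"), mp))
        for child in node.get("children", []):
            walk(child, enc)

    for dev in lsblk_json.get("blockdevices", []):
        walk(dev, False)
    return findings


# Constructed sample: sda1 is a plain /boot, sda2 holds a LUKS container whose
# logical volume carries "/", and sdb1 is an unencrypted data volume.
SAMPLE = {"blockdevices": [
    {"name": "sda", "type": "disk", "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "mountpoint": "/boot"},
        {"name": "sda2", "type": "part", "mountpoint": None, "children": [
            {"name": "luks-root", "type": "crypt", "mountpoint": None, "children": [
                {"name": "vg-root", "type": "lvm", "mountpoint": "/"}]}]}]},
    {"name": "sdb", "type": "disk", "mountpoint": None, "children": [
        {"name": "sdb1", "type": "part", "mountpoint": "/data"}]},
]}


def audit_live_host() -> list:
    """Run lsblk on the current (Linux) host and return any unencrypted mountpoints."""
    out = subprocess.run(["lsblk", "--json", "-o", "NAME,TYPE,MOUNTPOINT"],
                         capture_output=True, text=True, check=True).stdout
    return unencrypted_mounts(json.loads(out))


if __name__ == "__main__":
    for name, mp in unencrypted_mounts(SAMPLE):
        print(f"UNENCRYPTED: {mp} on {name}")
```

On the sample tree only `/data` on `sdb1` is reported; `/` is accepted because its logical volume sits on the `luks-root` crypt mapping.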

References
• NIST SP 800-171 Rev 1 3.1.19
• CIS Controls v7.1 13.6
• NIST CSF v1.1 PR.AC-3
• CERT RMM v1.2 KIM:SG4.SP1
• NIST SP 800-53 Rev 4 AC-19(5)