CMMC Practice Number: AC.L2-3.1.19
CMMC Level: 2 CMMC Domain: Access Control (AC)
Practice Summary:
Encrypt CUI on mobile devices and mobile computing platforms.
Contents:
CMMC Practice Implementation |
Assessment Objectives
Determine if:
[a] mobile devices and mobile computing platforms that process, store, or transmit CUI are identified; and
[b] encryption is employed to protect CUI on identified mobile devices and mobile computing platforms.
Practice Clarification (DOD, CMU)
Ensure CUI is encrypted on all mobile devices and mobile computing platforms that process, store, or transmit CUI including smartphones, tablets, and e-readers.
When CMMC requires cryptography, it is to protect the confidentiality of CUI. FIPS-validated cryptography means the cryptographic module has to have been tested and validated to meet FIPS 140-1 or-2 requirements. Simply using an approved algorithm is not sufficient – the module (software and/or hardware) used to implement the algorithm must be
separately validated under FIPS 140. Accordingly, FIPS-validated cryptography is required to meet CMMC practices that protect CUI when transmitted or stored outside the protected environment of the covered contractor information system (including wireless/remote access). Encryption used for other purposes, such as within applications or devices within the protected environment of the covered contractor information system, would not need to be FIPS-validated.
This practice, AC.L2-3.1.19, requires that CUI be encrypted on mobile devices and extends three other CUI protection practices (MP.L2-3.8.1, MP.L2-3.8.2, and SC.L2-3.13.16):
- MP.L2-3.8.1 requires that media containing CUI be protected.
- MP.L2-3.8.2 limits access to CUI to authorized users.
- Finally, SC.L2-3.13.16 requires confidentiality of CUI at rest.
This practice, AC.L2-3.1.19, also leverages SC.L2-3.13.11, which specifies that the algorithms used must be FIPS-validated, and SC.L2-3.13.10, which specifies that any cryptographic keys in use must be protected.
Example
You are in charge of mobile device security. You configure all laptops to use the full-disk encryption technology built into the operating system. This approach is FIPS-validated and encrypts all files, folders, and volumes.
Phones and tablets pose a greater technical challenge with their wide range of manufacturers and operating systems. You select a proprietary mobile device management (MDM) solution to enforce FIPS-validated encryption on those devices [a,b].
Potential Assessment Considerations
• Is a list maintained of mobile devices and mobile computing platforms that are permitted to process, store, or transmit CUI [a]?
• Is CUI encrypted on mobile devices using FIPS-validated algorithms [b]?
Where To Look
- Access control policy;
- procedures addressing access control for mobile devices;
- system design documentation;
- system configuration settings and associated documentation;
- encryption mechanisms and associated configuration documentation;
- system security plan;
- system audit logs and records;
- other relevant documents or records.
Who To Talk To
- Personnel with access control responsibilities for mobile devices;
- system or network administrators;
- personnel with information security responsibilities.
Perform Test On
- Encryption mechanisms protecting confidentiality of information on mobile devices.
Additional Information
The NIST SP 800-171 requirements for cryptography used to protect the confidentiality of CUI must use FIPS-validated cryptography, which means the cryptographic module should have been tested and validated to meet FIPS 140-1 or -2 requirements. Simply using an approved algorithm (e.g., FIPS 197 for AES) is not sufficient - the module (software and/or hardware) used to implement the algorithm must be separately validated under FIPS 140. When an application or device allows a choice (by selecting FIPS-mode or not), then the FIPS-mode has been validated under FIPS 140-2, but the other options (non-FIPS) allow certain operations that would not meet the FIPS requirements. More information is available at
http://csrc.nist.gov/groups/STM/cmvp/
When NIST SP 800-171 requires cryptography, it is to protect the confidentiality of CUI. Accordingly, FIPS-validated cryptography is required to protect CUI, typically when transmitted or stored outside the protected environment of the company’s information system (including wireless/remote access) if not separately protected (e.g., by a protected distribution system). FIPS-validated cryptography is required whenever the encryption is required to protect covered defense information in accordance with NIST SP 800-171 or by another DFARS contract provision. Encryption used for other purposes, such as within applications or devices within the protected environment of the covered contractor information system, would not need to be FIPS-validated. Note that any separate contract requirement (not currently in NIST SP 800-171) to encrypt data at rest (e.g., PII) within the information system would require use of FIPS- validated cryptography.
CMMC Practice Background and References (DOD, CMU) |
Practice Discussion:
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Organizations can employ full-device encryption or container-based encryption to protect the confidentiality of CUI on mobile devices and computing platforms. Container-based encryption provides a more fine-grained approach to the encryption of data and information including encrypting selected data structures such as files, records, or fields.
CMMC References:
· NIST SP 800-171 Rev 1 3.1.19
· CIS Controls v7.1 13.6
· NIST CSF v1.1 PR.AC-3
· CERT RMM v1.2 KIM:SG4.SP1
· NIST SP 800-53 Rev 4 AC-19(5)