NIST 800-171 - Encrypt Data on Mobile Devices (3.1.19)
Overview:
Encrypt CUI on mobile devices.
Action Items:
3.1.19[a]
Determine if: mobile devices and mobile computing platforms that process, store, or transmit CUI are identified.
3.1.19[b]
Determine if: encryption is employed to protect CUI on identified mobile devices and mobile computing platforms.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
1) Examine: Access control policy; procedures addressing access control for mobile devices; system design documentation; system configuration settings and associated documentation; encryption mechanisms and associated configuration documentation; system security plan; system audit logs and records; other relevant documents or records.
2) Interview: Personnel with access control responsibilities for mobile devices; system or network administrators; personnel with information security responsibilities.
3) Test: Encryption mechanisms protecting confidentiality of information on mobile devices.
Related Documents (document name and content will vary by organization):
1) Access control policy
2) Procedures addressing access control for mobile devices
3) System design documentation
4) System configuration settings and associated documentation
5) Encryption mechanisms and associated configuration documentation
6) System security plan
7) System audit logs and records
8) Other relevant documents or records
Additional Guidance:
Organizations can use full-device encryption or container-based encryption to protect the confidentiality of CUI on mobile devices and computing platforms. Container-based encryption provides a more fine-grained approach to the encryption of data and information including, for example, encrypting selected data structures such as files, records, or fields. See NIST Cryptographic Standards.