Phones, tablets, and laptops carrying CUI must be encrypted.
What it actually means
Encrypt CUI on mobile devices and mobile computing platforms: laptops, phones, tablets. Full-disk encryption on laptops, and device encryption or MDM policy on phones and tablets, satisfy this. Pair it with FIPS-validated cryptography (3.13.11).
Pass or fail — an assessor needs a "yes" to each
- Is encryption enforced on all mobile devices that store CUI (laptops, phones, tablets)?
- Is it enforced by policy / MDM rather than left to the user?
What to have ready
- MDM / encryption policy and compliance report
- Device encryption status
Where teams trip up
- BYOD phones with CUI and no enforced encryption
- Laptops encrypted but tablets and phones ignored
A 3-point control. Overlaps with 3.13.16 (CUI at rest) — handle device encryption once, centrally, and it covers both.
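One way to run the two pass/fail questions against a device inventory export, as an added example that is not part of the original page. The CSV columns (`device_id`, `type`, `ownership`, `stores_cui`, `encrypted`, `enforced_by`) and the sample rows are constructed assumptions, not any MDM product's schema.

```python
import csv
import io

# Constructed sample export; the column names are assumptions for this example.
SAMPLE_EXPORT = """device_id,type,ownership,stores_cui,encrypted,enforced_by
LT-001,laptop,corporate,yes,yes,mdm
LT-002,laptop,corporate,yes,yes,user
PH-014,phone,byod,yes,no,none
TB-003,tablet,corporate,,yes,mdm
PH-020,phone,corporate,no,no,none
"""

MOBILE_TYPES = {"laptop", "phone", "tablet"}

def field(row, name):
    """Normalised cell value; a missing or blank cell becomes ''."""
    return (row.get(name) or "").strip().lower()

def assess(export_text):
    """Apply the two pass/fail questions to each mobile device in the export."""
    findings, reported = [], set()
    for row in csv.DictReader(io.StringIO(export_text)):
        dtype = field(row, "type")
        if dtype not in MOBILE_TYPES:
            continue
        reported.add(dtype)
        # Fail closed: only an explicit "no" takes a device out of CUI scope.
        if field(row, "stores_cui") == "no":
            continue
        label = f"{row.get('device_id')} ({field(row, 'ownership')} {dtype})"
        if field(row, "encrypted") != "yes":
            findings.append(f"{label}: not encrypted")
        elif field(row, "enforced_by") != "mdm":
            findings.append(f"{label}: encryption left to the user")
    # A device class absent from the report may be an ignored class.
    unreported = sorted(MOBILE_TYPES - reported)
    return {"pass": not findings and not unreported,
            "findings": findings, "unreported_types": unreported}

if __name__ == "__main__":
    result = assess(SAMPLE_EXPORT)
    print("PASS" if result["pass"] else "FAIL")
    for line in result["findings"]:
        print(" -", line)
    for dtype in result["unreported_types"]:
        print(" - no", dtype, "records in export; confirm none hold CUI")
```

A device class with no rows in the export is reported rather than passed silently, since the export alone cannot show that no such devices hold CUI.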