This practice causes a lot of confusion because NIST doesn’t cleanly define ‘mobile device.’ In the assessment room, you’ll run into assessors who interpret it one way and others another. Your job is to be clear about your definition and show you’ve enforced it consistently. The key context from real assessments: some assessors think a Windows laptop is a mobile device, others think only phones and tablets qualify. Prepare for both interpretations.
What the assessor is actually evaluating
The NIST language says “control the connection of mobile devices (including tablets and smart phones) to information systems.” The assessor is checking three things:
Do you have a mobile device policy? Not a vague statement. A real policy that says what mobile devices are allowed, under what conditions, with what controls, and who approves them. The policy should be explicit about what qualifies as a mobile device in your environment.
Can you show which mobile devices are authorized? A list of all mobile devices with access to your systems, including device type, owner, enrollment date, and which systems they can access. If you don’t have this list, the assessor will assume you’re not controlling mobile device access.
Are unauthorized devices actually prevented from accessing CUI systems? Technical enforcement matters. This might be through Mobile Device Management (MDM), conditional access policies, or explicit network restrictions. The assessor wants to see that if an unapproved device tries to access a CUI system, it gets blocked.
Note on interpretation: Be ready to explain whether your policy covers laptops. If your assessor asks “are admin laptops considered mobile devices,” you need a clear answer from your SSP. Better to define it explicitly than to get caught off guard.
What a realistic SSP definition looks like
[Organization Name] defines mobile devices as phones, tablets, and other portable computing devices. All mobile devices seeking access to CUI systems must be approved and enrolled in Mobile Device Management (MDM) prior to access. Personal devices are not permitted to access CUI systems directly. Only organization-provided mobile devices are approved for CUI access.
Mobile device approval is requested by the employee or device administrator, reviewed by the IT Director based on business need, and approved in writing. Approved devices are enrolled in [MDM solution] which enforces encryption, lock screen requirements, and application restrictions. Access from non-compliant devices is blocked at the CUI system boundary.
The approved mobile device list is reviewed quarterly against current enrollments in the MDM system. Devices that are deactivated, non-compliant with policy, or no longer needed are removed from approved access.
Portable computing devices used by remote workers (laptops, etc.) are managed under the [AC.L2-3.1.1] access control policy and the [SC.L2-3.13 series] system protection controls, not under the mobile device policy.
Notice the explicit distinction between phones/tablets (mobile devices) and portable laptops (managed under different controls). This prevents ambiguity with the assessor. Once mobile devices are approved and enrolled, authentication requirements for accessing CUI systems connect to IA.L2-3.5.1 (identification and authentication).
How to present your evidence
- Mobile Device Policy defining what qualifies as mobile and approval process
- Authorized mobile device list with device type, owner, enrollment date
- MDM enrollment proof or conditional access policy blocking unauthorized devices
- Evidence of quarterly device list reviews
- Device compliance status from MDM (encryption, lock screen, app restrictions)
Mobile device registry. Every phone and tablet allowed to access CUI systems. Include device type (iOS, Android), owner, enrollment date in MDM, and which CUI systems it can access. This is your foundation evidence.
MDM enrollment dashboard. Log in and show the enrolled devices, their compliance status, and what policies are being enforced. The assessor wants to see that non-compliant devices are being flagged. This enforcement connects directly to AC.L2-3.1.19 (encryption on mobile devices) where your MDM policies ensure devices remain compliant.
Your mobile device policy. The document that explains what mobile devices are approved, how they’re authorized, and what controls are required. Make sure it explicitly addresses whether laptops are covered under this policy or under a different control. If laptops are included, your policy should reference the remote access and endpoint protection controls tied to SC.L2-3.13.1 (boundary protection).
Conditional access or network restriction policies. How you prevent unapproved mobile devices from accessing CUI systems. This might be Azure Conditional Access, VPN policies, or firewall rules that block unlisted device IDs.
Review records. Dated evidence that you’ve compared your approved mobile device list against current MDM enrollments and removed devices that are no longer needed.
Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.
Common failures
No mobile device policy. You're allowing mobile devices but you don't have a documented process for approving them. This is an immediate finding.
Mobile device list doesn't match MDM enrollment. Your approved list shows 8 devices but the MDM dashboard shows 12. The assessor will ask where those extra devices came from, and if you can't explain them, you're not controlling mobile device access.
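The quarterly reconciliation described under review records above, and the "8 approved versus 12 enrolled" mismatch here, as an added example that is not from the original post: a Python script that compares the approved device register with an MDM enrollment export and lists the discrepancies an assessor would ask about. Both CSVs are constructed samples and their column names are assumptions; map them to what your register and MDM actually export.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample exports (not real data). Column names are assumptions;
# map them to whatever your register and MDM actually export.
APPROVED_CSV = """device_id,device_type,owner,enrollment_date,cui_systems
MD-001,iOS,a.smith,2024-01-15,email;sharepoint
MD-002,Android,b.jones,2024-02-03,email
MD-003,iOS,c.lee,2024-03-20,email;sharepoint
"""
MDM_CSV = """device_id,platform,user,compliant
MD-001,iOS,a.smith,true
MD-002,Android,b.jones,false
MD-004,iOS,d.wong,true
"""

@dataclass
class ReviewResult:
    unapproved_enrolled: list    # in MDM but not on the approved list
    approved_not_enrolled: list  # approved on paper, but nothing enforces it
    non_compliant: list          # approved and enrolled, failing MDM policy

def load_by_id(csv_text):
    """Index a CSV export by device_id so the two sources can be compared."""
    return {row["device_id"]: row for row in csv.DictReader(io.StringIO(csv_text))}

def reconcile(approved_csv, mdm_csv):
    """Compare the approved register with the MDM enrollment export."""
    approved = load_by_id(approved_csv)
    enrolled = load_by_id(mdm_csv)
    both = approved.keys() & enrolled.keys()
    return ReviewResult(
        unapproved_enrolled=sorted(enrolled.keys() - approved.keys()),
        approved_not_enrolled=sorted(approved.keys() - enrolled.keys()),
        non_compliant=sorted(d for d in both
                             if enrolled[d]["compliant"].strip().lower() != "true"),
    )

def review_actions(result):
    """Turn each discrepancy into the action the quarterly review should record."""
    return (
        [f"{d}: enrolled without approval; remove from MDM or obtain written approval"
         for d in result.unapproved_enrolled]
        + [f"{d}: approved but never enrolled; enroll it or drop it from the list"
           for d in result.approved_not_enrolled]
        + [f"{d}: non-compliant; block CUI access until the MDM policy is met"
           for d in result.non_compliant]
    )
```

Run `review_actions(reconcile(APPROVED_CSV, MDM_CSV))` and keep the dated output with the review records; an empty list is the evidence that the register and MDM agree.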
Personal devices accessing CUI systems. This is a direct violation. If a contractor can use their personal iPhone to access CUI email or files, this control is failed. Organization-provided devices only, or you need a documented personal device program with explicit technical controls.
Vague definition of 'mobile device.' If your policy doesn't clearly state whether laptops, tablets, and phones are all covered or handled differently, the assessor will dig deeper. Be explicit.
No enforcement mechanism. You have a list of approved devices but nothing stopping an unapproved device from connecting. Technical enforcement through MDM, conditional access, or VPN policies is required.
Clear mobile device policy with explicit definitions. MDM enrollment of all approved devices. Technical controls blocking unapproved devices. Quarterly reviews of the approved device list. When the assessor can see the workflow from approval to enrollment to enforcement, they're satisfied.
If you use an MSP/MSSP
If your MSP manages MDM or conditional access policies, the approval authority needs to stay with you.
What’s typically on you:
- Deciding which mobile devices should be approved
- Approving device requests
- Reviewing the device list quarterly
- Business decisions about personal device policies
What’s typically on the MSP:
- Enrolling devices into MDM
- Maintaining MDM policies and device compliance
- Providing device enrollment reports
- Configuring conditional access or VPN policies to enforce restrictions
- Removing devices from the system when you direct them to
Make sure the MSP can produce a device list and explain their compliance enforcement. In the assessment, they should be able to show the MDM dashboard and explain how non-compliant devices are handled.
Assessors check MDM enrollment and device compliance. Have your device inventory ready. Know which devices are approved and which are blocked. Understand your MDM configuration and how compliance is enforced. Assessors may ask about the definition of mobile device, so be consistent between your SSP and your explanation. This practice is straightforward if you have MDM in place and can show the enforcement.
I've seen assessors get confused about whether an admin's laptop counts as a mobile device. The best MSSPs I've worked with make this explicit in the SSP and have a clear explanation ready. If your assessor asks and your answer differs from your SSP, it creates doubt. Define mobile device policy clearly in your written control and rehearse the explanation.
This page covers AC.L2-3.1.18 from NIST SP 800-171 Rev 2 (3.1.18). The guidance here is based on experience in real CMMC assessments and is intended to help you prepare. It is not legal or compliance advice. Your organization’s situation is unique, and you should work with qualified professionals for formal assessment preparation.