
AC.L2-3.1.19: Encrypt CUI on Mobile Devices

Encrypt CUI stored on mobile devices and mobile computing platforms, and prove that encryption is actually enforced.

This is straightforward in theory but often misunderstood in practice. CUI can’t be stored on a device without being encrypted. The assessor wants to see that encryption is mandatory, not optional. This applies to phones, tablets, and portable devices like admin laptops.

Family: Access Control
Practice: AC.L2-3.1.19
Difficulty: Moderate
Key evidence: MDM encryption policies + device compliance status

What the assessor is actually evaluating

The NIST language says “encrypt information on mobile devices and mobile computing platforms.” The assessor is checking:

Is encryption enforced, not optional? The policy can’t say “devices should be encrypted.” It has to be a requirement that’s technically enforced. This usually means MDM policies that mandate encryption and flag non-compliant devices.

What’s the encryption standard? For mobile devices, full-disk or full-storage encryption is the baseline. iOS devices use FileVault by default. Android devices should use LUKS or similar. BitLocker or similar for Windows laptops. The assessor wants to see that the encryption method is known and confirmed.

Are all mobile devices covered? Every device that can access or store CUI needs encryption enforced. If you have one device that’s been approved but isn’t encrypted, that’s a finding.

What happens to non-compliant devices? The assessor wants to know that if a device’s encryption fails or is disabled, you detect it and respond. This is why MDM compliance dashboards matter.

What a realistic SSP definition looks like

Example SSP Language: AC.L2-3.1.19

[Organization Name] requires encryption of all information on mobile devices and mobile computing platforms that may store CUI. Encryption requirements are enforced through Mobile Device Management policies and validated through periodic compliance checks.

For mobile devices (phones and tablets), encryption is enforced through MDM policies requiring full-storage encryption. Devices are monitored for compliance. Non-compliant devices are flagged and access to CUI systems is blocked until encryption is re-enabled or the device is wiped.

For portable computing platforms (admin laptops, remote worker devices that may access CUI), encryption is enforced through BitLocker or equivalent full-disk encryption. Encryption status is verified at startup and monitored through [management tool / SIEM].

Approved CUI on mobile devices is limited to access through secure applications (email clients, VPN, remote access tools). Direct CUI file storage on devices is not permitted. All CUI transmitted to or accessed from mobile devices is encrypted in transit via [VPN / HTTPS / application-level encryption].

The key specifics: what gets encrypted (full-storage for phones, full-disk for laptops), how it’s enforced (MDM for phones, BitLocker policies for laptops), and what happens if it fails (access is blocked). This encryption requirement is part of the broader mobile device control framework in AC.L2-3.1.18 and aligns with system-wide encryption requirements in SC.L2-3.13.11 (encryption at rest).

How to present your evidence

Evidence checklist
  • MDM encryption policies requiring full-storage encryption for phones/tablets
  • Device compliance dashboard showing encryption status of all enrolled devices
  • BitLocker or disk encryption policy for portable computing devices
  • Evidence that non-compliant devices are restricted from CUI access
  • Mobile device encryption policy documentation

MDM encryption policies. Pull up your MDM console and show the policies requiring full-storage encryption on iOS and Android devices. Show which devices are compliant and which aren’t.

Device compliance dashboard. Display current encryption status for all enrolled mobile devices. This shows the assessor that you’re actively monitoring and verifying compliance, not relying on passive policies.

Encryption verification for portable devices. If you have admin laptops or remote worker devices, show BitLocker status or equivalent. Pull up Group Policy, device management console, or a sample device showing encryption is enabled.

Non-compliance response process. How you handle devices that don’t meet encryption requirements. Ideally, show a policy that blocks CUI access from unencrypted devices. This ties to incident detection monitored under AU.L2-3.3.1 (audit logging) and AU.L2-3.3.2 (audit monitoring).

Supporting policy documentation. Your encryption policy for mobile devices and platforms, including which types of devices require encryption and the encryption standards used.

Assessment room tips

Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.

Assessor: "How do you ensure CUI on mobile devices is encrypted?"
"[Pull up the MDM console] All our mobile devices are required to have full-storage encryption through this policy. [Show a device in the list] Every device shows encryption enabled. If a device doesn't have it, it's automatically restricted from CUI access."
Assessor: "What happens if someone disables encryption on their phone?"
"[Pull up the compliance dashboard] The MDM system detects it immediately. [Show a hypothetical non-compliant device] The device status changes to non-compliant, and that triggers our access restriction policy. They lose access to email and other CUI systems until encryption is re-enabled."
Assessor: "What about devices used for remote work, like admin laptops?"
"Those use BitLocker. [Pull up a device showing BitLocker status] We enforce BitLocker through Group Policy, and we can verify it's running on every device through [management tool]. If BitLocker fails, we're notified."
Assessor: "Do you allow people to just store CUI files locally on a mobile device?"
"No. [Pull up the mobile device policy] Our policy restricts CUI access to specific applications like email and VPN. Direct file storage isn't permitted. All communication is encrypted in transit, so even if someone screenshots something, the local encryption protects it."

Common failures

What gets flagged

Encryption policy exists but devices aren't encrypted. You have a requirement in writing but the MDM dashboard shows devices with encryption disabled. Policies don't matter if they're not enforced.

No monitoring or compliance checks. You set encryption to required but you don't have a process to verify it's actually enabled on all devices. Non-compliance goes undetected.

No response to non-compliant devices. If a device isn't encrypted, the assessor asks what happens next. If the answer is "we ask them to turn it on," that's not enforcement. Access needs to be restricted until compliance is restored.

Overlooked portable devices. Admin laptops or remote worker devices that can access CUI aren't covered by encryption policy. Portable computing platforms need the same encryption protection as phones.

Unencrypted backups. Devices are encrypted but users are backing up to unencrypted cloud storage or USB drives. If CUI can end up in an unencrypted backup, this control is bypassed.
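The evidence section above asks you to show, from the MDM console, which devices are encrypted and which are not, and the failure just described (encrypted device, unencrypted backup) is one a dashboard screenshot alone will not catch. The script below is an added example, not from the original page or any MDM vendor: it reads a constructed, vendor-neutral device-compliance export and produces the two artifacts an assessor asks for, the list of devices that are not provably encrypted (with the reason) and the device IDs that the access-restriction rule should block until compliance is restored. The column names, the "encryption" and "backup" value labels, and the seven-day check-in window are assumptions; map a real Intune or Jamf export onto them before use.

```python
"""
Added example, not from the original page: turn an MDM device-compliance export
into the evidence this practice asks for. It lists every device that is not
provably encrypted (encryption off or unknown, stale check-in, or a backup
target that is not encrypted) and emits the device IDs that the access
restriction rule should block until compliance is restored.
"""
import csv
import io
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample export. The column names and the values in the
# "encryption" and "backup" columns are assumptions for this example; a real
# MDM (Intune, Jamf, etc.) uses its own names, so map them before use.
SAMPLE_EXPORT = """\
device_id,platform,owner,encryption,backup,last_checkin
phone-001,ios,alice,enabled,encrypted_cloud,2025-05-01T09:00:00Z
phone-002,android,bob,disabled,none,2025-05-01T08:30:00Z
tablet-003,ios,carol,enabled,unencrypted_cloud,2025-05-01T07:45:00Z
laptop-004,windows,dave,enabled,none,2025-04-20T12:00:00Z
laptop-005,windows,erin,unknown,none,2025-05-01T10:10:00Z
"""

# Reference time for the sample run (constructed so the example is repeatable).
SAMPLE_NOW = datetime(2025, 5, 1, 12, 0, tzinfo=timezone.utc)

# A device that has not reported in recently cannot be shown compliant, so it
# is treated as a finding. Seven days is an assumed policy value.
MAX_CHECKIN_AGE = timedelta(days=7)

# Backup destinations that keep data encrypted at rest (assumed labels).
ENCRYPTED_BACKUPS = {"none", "encrypted_cloud"}


@dataclass
class Finding:
    device_id: str
    owner: str
    reasons: list = field(default_factory=list)


def parse_export(export_text: str) -> list:
    """Read the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(export_text)))


def evaluate(export_text: str, now: datetime) -> list:
    """Return one Finding per device that fails the encryption requirement."""
    findings = []
    for row in parse_export(export_text):
        reasons = []
        # Only an affirmative "enabled" counts; "unknown" is a failure too.
        if row["encryption"] != "enabled":
            reasons.append(f"encryption reported as '{row['encryption']}'")
        # Device encryption is bypassed if CUI lands in an unencrypted backup.
        if row["backup"] not in ENCRYPTED_BACKUPS:
            reasons.append(f"backup target '{row['backup']}' is not encrypted")
        checkin = datetime.fromisoformat(row["last_checkin"].replace("Z", "+00:00"))
        if now - checkin > MAX_CHECKIN_AGE:
            reasons.append(f"last check-in {checkin.date()} is outside the compliance window")
        if reasons:
            findings.append(Finding(row["device_id"], row["owner"], reasons))
    return findings


def block_list(findings: list) -> list:
    """Device IDs to hand to the conditional-access rule that blocks CUI systems."""
    return sorted(f.device_id for f in findings)


def compliance_rate(export_text: str, now: datetime) -> float:
    """Fraction of enrolled devices with no findings (the dashboard number)."""
    total = len(parse_export(export_text))
    if total == 0:
        return 0.0
    return (total - len(evaluate(export_text, now))) / total


if __name__ == "__main__":
    findings = evaluate(SAMPLE_EXPORT, SAMPLE_NOW)
    for f in findings:
        print(f"{f.device_id} ({f.owner}): {'; '.join(f.reasons)}")
    print("block from CUI access:", block_list(findings))
    print(f"compliance rate: {compliance_rate(SAMPLE_EXPORT, SAMPLE_NOW):.0%}")
```

Two design choices matter for the assessment conversation. First, only an affirmative "enabled" status counts; a device reporting "unknown" or one that has not checked in within the window is a finding, because the point of the control is that you can prove encryption is on, not merely that you have no evidence it is off. Second, the output is a block list rather than a reminder e-mail, which is the difference between "we ask them to turn it on" and enforcement.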

What makes assessors move on satisfied

Encryption policy requires encryption on all mobile devices and portable platforms. MDM dashboard shows current encryption status. All devices are compliant. Non-compliant devices are restricted from CUI access. The assessor checks the box and moves on. When combined with mobile device approval controls, you've covered both access decisions and device protection.


If you use an MSP/MSSP

If your MSP manages MDM or device encryption, they need to own the compliance monitoring and reporting.

What’s typically on you:

  • Defining the encryption requirement (full-storage, BitLocker, etc.)
  • Approving non-compliant device responses (block access, wipe, etc.)
  • Periodic review of encryption policy and compliance

What’s typically on the MSP:

  • Configuring MDM encryption policies
  • Monitoring device compliance
  • Alerting you when devices become non-compliant
  • Enforcing access restrictions for non-compliant devices
  • Managing encryption key recovery if devices are locked out

In the assessment, the MSP should be able to show the MDM console, explain the encryption policies, and demonstrate how compliance is monitored. They should also explain what they do when a device fails compliance.

From the assessment room

Assessors want to see encryption actually enabled on devices, not just documented in policy. Have your MDM compliance dashboard ready. Show that all mobile devices and portable storage are encrypted and compliant. Know how you enforce encryption and what happens to non-compliant devices. This practice is straightforward if you have MDM in place showing 100% encryption compliance.

A note on encryption enforcement vs. policy

I've seen contractors with perfect encryption policies where devices aren't actually encrypted because the policy wasn't deployed correctly or users could opt out. The assessor cares about what's actually running on devices, not what the policy document promises. Make sure your MDM policies are mandatory, not recommended. And have the compliance dashboard ready to show verification of enforcement.


This page covers AC.L2-3.1.19 from NIST SP 800-171 Rev 2 (3.1.19). The guidance here is based on experience in real CMMC assessments and is intended to help you prepare. It is not legal or compliance advice. Your organization’s situation is unique, and you should work with qualified professionals for formal assessment preparation.
