Level 2
Description:
Organizations can employ full-device encryption or container-based encryption to protect the confidentiality of CUI on mobile devices and computing platforms. Container-based encryption provides a more fine-grained approach to the encryption of data and information including encrypting selected data structures such as files, records, or fields. See [NIST CRYPTO].
[23] Mobile devices and computing platforms include, for example, smartphones and tablets.
Priority: High
Domain: ACCESS CONTROL (AC)
Services Associated with AWS:
- AWS Key Management Service (KMS)
- AWS Secrets Manager
- AWS Mobile Hub
Services Associated with Azure:
- Azure Information Protection
- Azure Key Vault
- Azure Disk Encryption
- Azure Virtual Machines
- Azure Security Center
- Azure Active Directory (Azure AD)
- Azure Backup
- Azure Site Recovery
- Azure Storage
- Azure SQL Database
Objective Evidence:
- Administrative: documented policies, standards & procedures
- Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
- Administrative: supporting documentation to demonstrate how Mobile Device Management (MDM) is properly & securely implemented
- Technical: screenshot of MDM settings
Possible Technology Considerations:
- Mobile Device Management (MDM) Secure Baseline Configurations (SBC)
What needs to be answered:
Does the company encrypt CUI on mobile devices?
Checks for AWS
- Implement Full-Device Encryption for Mobile Devices
Description: This check ensures that full-device encryption is implemented on mobile devices to protect the confidentiality of Controlled Unclassified Information (CUI) stored on those devices. Full-device encryption ensures that all data and information on the device are encrypted.
- Employ Container-Based Encryption for Mobile Computing Platforms
Description: This check verifies that container-based encryption is employed on mobile computing platforms to protect the confidentiality of CUI. Container-based encryption provides a more fine-grained approach to encrypting data and information, allowing for the encryption of selected data structures such as files, records, or fields.
Checks for Azure
- Enable Full-Device Encryption for Mobile Devices
Description: This check ensures that full-device encryption is enabled on mobile devices. Full-device encryption protects the confidentiality of Controlled Unclassified Information (CUI) stored on those devices by encrypting all data and information present on the device. Enabling full-device encryption helps safeguard sensitive data and mitigates the risk of unauthorized access to CUI in case of device loss or theft.
- Implement Container-Based Encryption for Mobile Computing Platforms
Description: This check verifies that container-based encryption is implemented on mobile computing platforms. Container-based encryption provides a more fine-grained approach to encryption by encrypting selected data structures such as files, records, or fields. This policy check ensures that CUI on mobile computing platforms is protected through container-based encryption, enhancing the confidentiality of the information.
More Details: All access to CUI information is cloud based. CUI within the cloud system is encrypted and secured at all times.