Level 2


Description:

Organizations can employ full-device encryption or container-based encryption to protect the confidentiality of CUI on mobile devices and computing platforms. Container-based encryption provides a more fine-grained approach to the encryption of data and information including encrypting selected data structures such as files, records, or fields. See [NIST CRYPTO].

[23] Mobile devices and computing platforms include, for example, smartphones and tablets.
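The description above contrasts full-device encryption with container-based encryption of selected files, records or fields. The following Go program is an added illustration of the field-level case and is not code from the page or from any of the AWS or Azure services it lists. Only the CUI-bearing fields of a constructed sample record (`SSN`, `Notes`) are encrypted with AES-GCM; the record ID and field name are bound in as associated data so that a ciphertext cannot be moved to another record or another field without failing authentication. The key is generated locally so the example runs offline; in a deployment it would be a data key released by a key-management service such as AWS KMS or Azure Key Vault. All type and function names (`Record`, `fieldCipher`, `ProtectRecord`, `NewRandomKey`) are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Record is a constructed sample of a CUI-bearing record. Only the fields that
// hold CUI are encrypted; ID and Department stay in the clear for indexing.
type Record struct {
	ID         string
	Department string
	SSN        string // CUI: stored encrypted
	Notes      string // CUI: stored encrypted
}

// fieldCipher wraps a 256-bit AES-GCM key. In a real deployment this would be a
// data key released by a KMS; here it is generated locally (assumption) so the
// example runs offline.
type fieldCipher struct {
	aead cipher.AEAD
}

// NewRandomKey returns a fresh 256-bit key (stand-in for a KMS data key).
func NewRandomKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func newFieldCipher(key []byte) (*fieldCipher, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &fieldCipher{aead: aead}, nil
}

// aad binds a ciphertext to the record and field it belongs to, so a value cannot
// be copied into another record or field without failing authentication.
func aad(recordID, field string) []byte {
	return []byte(recordID + "\x00" + field)
}

// EncryptField returns base64(nonce || ciphertext || tag) for one field value.
func (c *fieldCipher) EncryptField(recordID, field, plaintext string) (string, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := c.aead.Seal(nil, nonce, []byte(plaintext), aad(recordID, field))
	return base64.StdEncoding.EncodeToString(append(nonce, ct...)), nil
}

// DecryptField reverses EncryptField; it fails if the ciphertext was altered or
// was produced for a different record or field.
func (c *fieldCipher) DecryptField(recordID, field, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	ns := c.aead.NonceSize()
	if len(raw) < ns+c.aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := c.aead.Open(nil, raw[:ns], raw[ns:], aad(recordID, field))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// ProtectRecord encrypts only the CUI fields, leaving the rest searchable.
func ProtectRecord(c *fieldCipher, r Record) (Record, error) {
	var err error
	if r.SSN, err = c.EncryptField(r.ID, "SSN", r.SSN); err != nil {
		return r, err
	}
	r.Notes, err = c.EncryptField(r.ID, "Notes", r.Notes)
	return r, err
}

// UnprotectRecord restores the CUI fields of a record produced by ProtectRecord.
func UnprotectRecord(c *fieldCipher, r Record) (Record, error) {
	var err error
	if r.SSN, err = c.DecryptField(r.ID, "SSN", r.SSN); err != nil {
		return r, err
	}
	r.Notes, err = c.DecryptField(r.ID, "Notes", r.Notes)
	return r, err
}

func main() {
	key, _ := NewRandomKey()
	c, _ := newFieldCipher(key)
	// Constructed sample record; the SSN is not a real identifier.
	rec := Record{ID: "rec-0001", Department: "Contracts", SSN: "123-45-6789", Notes: "constructed CUI note"}
	enc, _ := ProtectRecord(c, rec)
	fmt.Printf("stored: %+v\n", enc)
	dec, _ := UnprotectRecord(c, enc)
	fmt.Printf("restored: %+v\n", dec)
	// Attempting to read the SSN ciphertext as another record's field fails.
	_, err := c.DecryptField("rec-0002", "SSN", enc.SSN)
	fmt.Println("cross-record reuse rejected:", err != nil)
}
```

The audit point this makes concrete: with container-based encryption the assessor should confirm which fields or files are inside the encrypted container and that the key lives in the key-management service, since anything outside the container (here `ID` and `Department`) remains plaintext even when the control is otherwise met.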


Priority: High 


Domain: ACCESS CONTROL (AC) 


Services Associated with AWS: 

  • AWS Key Management Service (KMS)
  • AWS Secrets Manager
  • AWS Mobile Hub


Services Associated with Azure:

  • Azure Information Protection
  • Azure Key Vault
  • Azure Disk Encryption
  • Azure Virtual Machines
  • Azure Security Center
  • Azure Active Directory (Azure AD)
  • Azure Backup
  • Azure Site Recovery
  • Azure Storage
  • Azure SQL Database


Objective Evidence: 

  • Administrative: documented policies, standards & procedures 
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations 
  • Administrative: supporting documentation to demonstrate how Mobile Device Management (MDM) is properly & securely implemented 
  • Technical: screenshot of MDM settings


Possible Technology Considerations:

  • Mobile Device Management (MDM) Secure Baseline Configurations (SBC) 


What needs to be answered:

Does the company encrypt CUI on mobile devices?


Checks for AWS

  • Implement Full-Device Encryption for Mobile Devices
    Description: This check ensures that full-device encryption is implemented on mobile devices to protect the confidentiality of Controlled Unclassified Information (CUI) stored on those devices. Full-device encryption ensures that all data and information on the device are encrypted.
  • Employ Container-Based Encryption for Mobile Computing Platforms
    Description: This check verifies that container-based encryption is employed on mobile computing platforms to protect the confidentiality of CUI. Container-based encryption provides a more fine-grained approach to encrypting data and information, allowing for the encryption of selected data structures such as files, records, or fields.


Checks for Azure

  • Enable Full-Device Encryption for Mobile Devices:
    Description: This check ensures that full-device encryption is enabled on mobile devices. Full-device encryption protects the confidentiality of Controlled Unclassified Information (CUI) stored on those devices by encrypting all data and information present on the device. Enabling full-device encryption helps safeguard sensitive data and mitigates the risk of unauthorized access to CUI in case of device loss or theft.
  • Implement Container-Based Encryption for Mobile Computing Platforms:
    Description: This check verifies that container-based encryption is implemented on mobile computing platforms. Container-based encryption provides a more fine-grained approach to encryption by encrypting selected data structures such as files, records, or fields. This policy check ensures that CUI on mobile computing platforms is protected through container-based encryption, enhancing the confidentiality of the information.


More Details: All access to CUI information is cloud-based. CUI within the cloud system is encrypted and secured at all times.