AC.L2-3.1.19 — Encrypt CUI on mobile devices and mobile computing platforms.

What this control requires

Encrypt CUI on mobile devices and mobile computing platforms.

Source: CMMC L2 v2.13 AC.L2-3.1.19 / NIST SP 800-171 R2 3.1.19 (official control text).

Why this matters

Mobile devices are easily lost, stolen, or accessed by unauthorized parties in public spaces, airports, hotels, or during transit. Without encryption, anyone who gains physical possession of a laptop, tablet, or smartphone can trivially extract CUI stored on the device using forensic tools or simple file browsing. This control mandates cryptographic protection so that even if a device falls into the wrong hands, the data remains unreadable without the correct authentication credentials. Encryption at rest transforms sensitive files into ciphertext that is computationally infeasible to reverse without the decryption key, protecting customer data, intellectual property, and federal contract information from exposure.

What evidence assessors expect

Assessors typically look for: screenshot, configuration export, PDF, CSV export. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.

Related controls