03.01.18 — (a) Establish usage restrictions, configuration requirements, and connection requirements for mobile devices. (b) Authorize the connection of mobile devices to the system. (c) Implement full-device or container-based encryption to protect the confidentiality of CUI on mobile devices.
What this control requires
(a) Establish usage restrictions, configuration requirements, and connection requirements for mobile devices.
(b) Authorize the connection of mobile devices to the system.
(c) Implement full-device or container-based encryption to protect the confidentiality of CUI on mobile devices.
Source: NIST SP 800-171 R3 §03.01.18 (official control text).
Why this matters
Mobile devices like smartphones, tablets, and smart watches create unique security challenges because they travel outside your controlled facilities, connect to untrusted networks, and can be easily lost or stolen. When these devices access or store Controlled Unclassified Information, they become high-value targets for adversaries. This control ensures organizations define clear rules for which mobile devices can connect to systems containing CUI, how those devices must be configured, and how CUI is protected through encryption. Without these restrictions, a single lost phone could expose sensitive contract information, technical data, or personnel records to unauthorized parties, potentially compromising national security interests.
What evidence assessors expect
Assessors typically look for: PDF, configuration export, CSV export, screenshot. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.