CMMC Level 2 Mobile Device Policy

CMMC Level 2 Mobile Device Policy

A study recently shared with Ignyte posed a question that has been and is currently on many minds.

How are organizations that have to adhere to CMMC Level 2 Mobile Device Policy? In other words, how do various device policies such as bring your own device (BYOD), choose your own device (CYOD), company owned personally enabled (COPE), and company owned business only (COBO) work with CMMC requirements.

We saw responses that range from the concerning (e.g., “it’s just email”) to the complicated (e.g., “fully managed devices with VPN and MFA requirements”).

The problem 

While it is true that the technical considerations of this problem are important and deserve careful thought, the actual problem that many organizations run into is not a technical one. There are plenty of ways to technically facilitate secure and appropriate access to controlled unclassified information (CUI) on a personally owned device, some of which we’ll cover in a bit.

The actual problem here is organizational in nature, and, more specifically, based in legitimate employee privacy, autonomy, and trust concerns. That is, why should an employee who pays for their own phone and service allow the company they work for unfettered access to their device?

One study respondent said, “…I’m getting a lot of push back…” when discussing this subject with their company which is not a unique situation for management to be in regarding this issue.

CMMC Level 2 Mobile Device Policy Interpretation and Guidance

However, every organization is unique and has a different risk management approach. What is appropriate and effective for one may not hold for another. CMMC level 2 mobile device policy is an area that doesn’t have a black and white answer.

In the spirit of transparency, there are other assessment criteria intricately tied to this discussion, but for the purposes of this post, we’ll focus on two areas (controls). The first is AC.L2-3.1.18 – Mobile Device Connection, and the second is AC.L2-3.1.19 – Encrypt CUI on Mobile.

As of this writing, this is what the most current CMMC level 2 assessment guide has to say about assessing mobile device connections: “mobile devices that process, store, or transmit CUI are identified; mobile device connections are authorized; and mobile device connections are monitored and logged.”

And this is what the same document has to say about CUI encryption on mobile devices: “mobile devices and mobile computing platforms that process, store, or transmit CUI are identified; and encryption is employed to protect CUI on identified mobile devices and mobile computing platforms, to include smartphones, tablets, and e-readers.”

The layperson version of that is companies have to identify (i.e., device specific, consistent tagging), authorize, monitor, log, and encrypt all mobile devices that handle CUI.

Can your organization effectively perform these activities for your employee’s personal devices?

Possible technical solutions

The technical solutions offered by the study respondents are as follows:

  1. A fully managed personal device with mobile device management software (MDM) and native mail apps;
  2. Browser based access from any device (outlook web app; OWA) with multi factor authentication (MFA);
  3. A personal device with a company provided and managed virtual private network (VPN); and
  4. A fully managed company owned device with an endpoint solution.

There are likely many more options to technically solve this problem. However, the two main considerations that impact which solution a company chooses are its financial means and its employee’s concerns.

For example, if the organization has an employee population that is likely to push back on company access to personal devices and the organization has the financial means to purchase and maintain enough devices to cover those users that need remote access to CUI (or are likely to have access to CUI), solution 4 is the best bet.

An organization whose employees have no such issues or is unable to shoulder the financial burdens of issuing mobile devices, is free to explore other options so long as they meet the requirements and expectations of CMMC Level 2 Mobile Device Policy.

Larger organizational issues

As we’ve already said, the larger issue here is an organizational one. If you have employees that adopt the “it’s just email” attitude, then your security awareness and compliance training is failing and must be addressed.

Likewise, employees who agree with the sentiment “no one is emailing CUI” should raise some significant red flags that warrant deeper questioning and assessment. One respondent offered these questions regarding this very topic, “What mechanisms do you have in place to ensure this is the case? At a minimum is there a CMMC level 2 mobile device policy that tells you not to? Do you have keyword scanners in place to stop these emails?”

Ultimately, we can’t tell you in this post the exact mobile device policy you should adopt to comply with CMMC Level 2 Mobile Device Policy. What we can tell you is that you will need one CMMC Level 2 Mobile Device Policy. And when the time comes to figure out the best way forward, Ignyte will be here to guide you.

Empower your CMMC Compliance Journey with Ignyte

Our mission at Ignyte is to empower organizations like yours in achieving and maintaining the rigorous standards of CMMC effortlessly. We understand that navigating compliance requirements can be daunting, but with our cutting-edge Ignyte Assurance Platform, we simplify the entire process.

Our comprehensive approach covers every aspect of CMMC compliance, from assessing your unique needs to implementing tailored solutions. We prioritize the protection of your critical assets and sensitive government information, ensuring that your organization operates securely and confidently.

By choosing Ignyte, you gain a trusted partner with a proven track record in compliance excellence. We work hand in hand with you, offering guidance, tools, and support at every step. With our assistance, you can not only meet but exceed the demanding expectations of CMMC, positioning your organization for growth and success in government contracting.

Don’t let compliance complexities hold you back. Contact us today, and let Ignyte simplify your journey to CMMC compliance, enabling you to focus on what truly matters – your mission and your business.

Stay up to date with everything Ignyte

Ignyte Platform becomes a third-party assessment organization (3PAO), now listed on the FedRAMP Marketplace - Read More