AC.L2-3.1.18 · NIST SP 800-171 3.1.18

Mobile Device Connection

Control connection of mobile devices.

5 points if not met · Must be fully met, cannot POA&M · 3 assessment objectives

What an assessor scores, the objectives

AC.L2-3.1.18 is met only when every one of these 3 objectives, from NIST SP 800-171A, is satisfied. A single missed objective makes the whole requirement not met.

  • a. mobile devices that process, store, or transmit CUI are identified
  • b. mobile device connections are authorized
  • c. mobile device connections are monitored and logged

How a C3PAO checks it

NIST SP 800-171A defines three assessment methods. For AC.L2-3.1.18, an assessor uses these:

Examine

Access control policy; authorizations for mobile device connections to organizational systems; procedures addressing access control for mobile device usage (including restrictions); system design documentation; configuration management plan; system security plan; system audit logs and records; system configuration settings and associated documentation; other relevant documents or records

Interview

Personnel using mobile devices to access organizational systems; system or network administrators; personnel with information security responsibilities

Test

Access control capability authorizing mobile device connections to organizational systems

What it means, in context

A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the device to capture information, or built-in features for synchronizing local data with remote locations. Examples of mobile devices include smart phones, e-readers, and tablets. Due to the large variety of mobile devices with different technical characteristics and capabilities, organizational restrictions may vary for the different types of devices. Usage restrictions and implementation guidance for mobile devices include: device identification and authentication; configuration management; implementation of mandatory protective software (e.g., malicious code detection, firewall); scanning devices for malicious code; updating virus protection software; scanning for critical software updates and patches; conducting primary operating system (and possibly other resident software) integrity checks; and disabling unnecessary hardware (e.g., wireless, infrared). The need to provide adequate security for mobile devices goes beyond this requirement. Many controls for mobile devices are reflected in other CUI security requirements. NIST SP 800-124 provides guidance on mobile device security.

Establish guidelines and acceptable requirements for proper configuration, use, and management of mobile devices. Devices that process, store, or transmit CUI must be identified with a device-specific identifier. There are many different types of identifiers, and it is important to select one that can accommodate all devices and be used in a consistent manner. These identifiers are important for facilitating the required monitoring and logging function. In addition to smartphones, consider the security of other portable devices such as e-readers and tablets. AC.L2-3.1.16, AC.L2-3.1.17, and AC.L2-3.1.18 are complementary requirements in that they all establish control for the connection of mobile devices and wireless devices through the use of authentication, authorization, and encryption mechanisms.

Example

Your organization has a policy stating that all mobile devices, including iPads, tablets, mobile phones, and Personal Digital Assistants (PDAs), must be approved and registered with the IT department before connecting to the network that contains CUI. The IT department uses a Mobile Device Management solution to monitor mobile devices and enforce policies across the enterprise [b,c].

Potential Assessment Considerations

  • Is a list of mobile devices that are permitted to process, store, or transmit CUI maintained [a,b]?
  • Is the system configured to only permit connections from identified, authorized mobile devices [b]?

What passing evidence looks like

The mobile device rule (which phones and tablets may touch CUI, under what management) and the MDM enrollment or Conditional Access screenshot enforcing it.

Common ways contractors fail AC.L2-3.1.18

  • Unmanaged personal phones with the company email app are mobile devices processing CUI if drawings arrive by email. Either manage them (MDM or app protection) or block mail on unmanaged devices.
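The two assessment considerations above (a maintained list of CUI-permitted devices, and a system that only admits identified, authorized devices) and the unmanaged-phone failure mode come down to one decision that must be made and logged for every connection. The following is an added example, not code from the original page or from any MDM or identity product: it evaluates constructed connection events against a constructed device inventory and records a decision for each, mapped to objectives a, b and c. The inventory schema, the event format and every field name are assumptions made for this illustration.

```python
import json
from dataclasses import dataclass, asdict

# Constructed inventory of registered devices (objective a: devices that may
# handle CUI are identified by a device-specific identifier). The field names
# are assumptions for this example, not any MDM product's schema.
DEVICE_INVENTORY = {
    "MDM-TAB-0417": {"owner": "j.doe", "managed": True, "cui_allowed": True},
    "MDM-PHN-0022": {"owner": "a.lee", "managed": True, "cui_allowed": False},
    "BYOD-PHN-0091": {"owner": "m.chen", "managed": False, "cui_allowed": False},
}

# Constructed connection events, one JSON object per line, in the shape a
# gateway or identity provider might emit (the format is an assumption).
SAMPLE_EVENTS = """\
{"ts": "2026-03-01T09:12:04Z", "device_id": "MDM-TAB-0417", "user": "j.doe", "resource": "cui-share", "resource_has_cui": true}
{"ts": "2026-03-01T09:15:31Z", "device_id": "MDM-PHN-0022", "user": "a.lee", "resource": "intranet-news", "resource_has_cui": false}
{"ts": "2026-03-01T09:16:02Z", "device_id": "MDM-PHN-0022", "user": "a.lee", "resource": "cui-share", "resource_has_cui": true}
{"ts": "2026-03-01T09:20:45Z", "device_id": "BYOD-PHN-0091", "user": "m.chen", "resource": "mail", "resource_has_cui": true}
{"ts": "2026-03-01T09:22:10Z", "device_id": null, "user": "guest", "resource": "mail", "resource_has_cui": true}
"""


@dataclass
class Decision:
    action: str      # "allow" or "deny"
    reason: str      # human-readable reason kept in the audit record
    objective: str   # which 3.1.18 objective the deciding check belongs to


def evaluate_connection(event: dict, inventory: dict) -> Decision:
    """Decide whether one connection event is permitted.

    Checks run in the order the objectives imply: the device must be
    identified (a) before its authorization can be judged (b).
    """
    device_id = event.get("device_id")
    record = inventory.get(device_id) if device_id else None
    if record is None:
        # Unidentified device: no inventory entry, so nothing to authorize.
        return Decision("deny", "device not in inventory", "a")
    if not record["managed"]:
        # Registered but not under MDM or app protection (the common failure above).
        return Decision("deny", "device not under MDM or app protection", "b")
    if event.get("resource_has_cui") and not record["cui_allowed"]:
        # Managed device that is not on the CUI-permitted list touching a CUI resource.
        return Decision("deny", "device not authorized for CUI resources", "b")
    return Decision("allow", "identified, managed, authorized", "b")


def audit_connections(event_lines: str, inventory: dict) -> list:
    """Evaluate every event and return one audit record per event (objective c).

    Allowed and denied connections are both recorded, so the log shows
    monitoring of all connections rather than only the rejected ones.
    """
    records = []
    for line in event_lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        decision = evaluate_connection(event, inventory)
        records.append({
            "ts": event.get("ts"),
            "device_id": event.get("device_id"),
            "user": event.get("user"),
            "resource": event.get("resource"),
            **asdict(decision),
        })
    return records


def summarize(records: list) -> dict:
    """Counts an assessor could compare against the inventory: allows, denies,
    and how many denies came from devices that were never identified."""
    summary = {"allow": 0, "deny": 0, "unidentified": 0}
    for record in records:
        summary[record["action"]] += 1
        if record["objective"] == "a":
            summary["unidentified"] += 1
    return summary


if __name__ == "__main__":
    audit = audit_connections(SAMPLE_EVENTS, DEVICE_INVENTORY)
    for record in audit:
        print(json.dumps(record))
    print(summarize(audit))
```

With the constructed data, the managed tablet reaching the CUI share and the managed phone reading non-CUI intranet news are allowed; the same phone reaching the CUI share, the unmanaged personal phone opening mail, and the event with no device identifier are all denied, each with a recorded reason. Note that a denied event from an unidentified device is the signal that the inventory (objective a) is incomplete, not merely that authorization worked.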

The step-by-step walkthrough for Microsoft 365 GCC High, Google Workspace, and on-premises setups, plus the exact evidence to capture, lives inside the Level 2 Accelerator.

Prove AC.L2-3.1.18, and the other 109

The Level 2 Accelerator walks all 110 requirements with you, generates your SSP, POA&M, and Audit Room from real evidence, includes the full Level 1 platform, and puts a credentialed officer alongside you for 180 days. Filed in 180 days, or we work free until you are.

No credit card. Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.

AC.L2-3.1.18 questions, answered

How many points is CMMC requirement AC.L2-3.1.18 worth?

AC.L2-3.1.18 is worth 5 points in the CMMC Level 2 score under 32 CFR 170.24. If it is not met, you lose 5 from your total of 110.

Can AC.L2-3.1.18 be placed on a POA&M?

No. AC.L2-3.1.18 must be fully met before you can file. It cannot be deferred to a POA&M, so it is a gate on your assessment.

What family does AC.L2-3.1.18 belong to?

AC.L2-3.1.18 is in the Access Control (AC) family, one of the 14 families of NIST SP 800-171 that make up CMMC Level 2.

Key references
  • NIST SP 800-171 Rev. 2 3.1.18