NIST 800-171 • LEVEL 2 • ACCESS CONTROL
3.1.19 — Encrypt CUI on Mobile Devices and Mobile Computing Platforms
Encrypt CUI on mobile devices and mobile computing platforms.
CMMC Practice Mapping
NIST 800-53 Controls
Assessment Objectives
Assessment objectives not available for this requirement.
Practitioner Notes
Any mobile device that stores or accesses CUI must have full-disk encryption turned on. If someone leaves a laptop in an airport or a phone in a taxi, the data should be unreadable without the credentials.
Example 1: For Windows laptops, enable BitLocker via GPO at Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption → Operating System Drives → "Require additional authentication at startup". Set it to require TPM + PIN. Store BitLocker recovery keys in Active Directory by enabling "Store BitLocker recovery information in AD DS".
Example 2: For iOS and Android devices managed through Intune, create a Device Configuration Profile under Devices → Configuration Profiles → Create Profile → Device Restrictions. For iOS, encryption is on by default when a passcode is set — enforce a 6-digit passcode. For Android, enable "Require encryption on device" in the compliance policy. Devices that fail the encryption check are blocked from accessing company resources.
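Added example (not part of the original notes): a PowerShell check for the Windows side of Example 1 that verifies an OS drive is fully encrypted, protected by TPM + PIN, carries a recovery password, and optionally escrows that recovery password to AD DS. It assumes an elevated session on a domain-joined machine with the built-in BitLocker module; the function name `Test-CuiBitLockerCompliance` is made up for this example.

```powershell
# Audit one BitLocker volume against the 3.1.19 configuration described above.
# Assumes: elevated session, BitLocker module present, domain-joined host
# (needed for Backup-BitLockerKeyProtector to reach AD DS).
function Test-CuiBitLockerCompliance {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive,   # e.g. "C:"
        [switch]$EscrowRecoveryPassword           # also back the recovery password up to AD DS
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $protectorTypes = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() }

    $findings = [ordered]@{
        MountPoint       = $vol.MountPoint
        FullyEncrypted   = ($vol.VolumeStatus -eq 'FullyEncrypted')
        ProtectionOn     = ($vol.ProtectionStatus -eq 'On')
        # "Require additional authentication at startup" set to TPM + PIN shows up
        # as a TpmPin key protector; a plain Tpm protector means PIN was not enforced.
        TpmPinProtector  = ($protectorTypes -contains 'TpmPin')
        RecoveryPassword = ($protectorTypes -contains 'RecoveryPassword')
    }
    $findings['Compliant'] = $findings.FullyEncrypted -and $findings.ProtectionOn -and
                             $findings.TpmPinProtector -and $findings.RecoveryPassword

    if ($EscrowRecoveryPassword -and $findings.RecoveryPassword) {
        # Escrow every recovery password protector to AD DS; this is the per-volume
        # equivalent of the "Store BitLocker recovery information in AD DS" policy.
        $vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
            ForEach-Object {
                Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
            }
        $findings['EscrowedToAD'] = $true
    }

    [pscustomobject]$findings
}

# Usage: run on the laptop being assessed and keep the output as evidence.
Test-CuiBitLockerCompliance -EscrowRecoveryPassword
```

A `Compliant` value of `False` with `TpmPinProtector` false is the common finding on machines where the GPO was applied after encryption: the drive is encrypted but still unlocks with TPM only until the PIN protector is added.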