NIST 800-53 REV 5 • ACCESS CONTROL

AC-19(5) Full Device or Container-based Encryption

Employ {{ insert: param, ac-19.05_odp.01 }} to protect the confidentiality and integrity of information on {{ insert: param, ac-19.05_odp.02 }}.

CMMC Practice Mapping

NIST 800-171 Mapping

Related Controls

Supplemental Guidance

Container-based encryption provides a more fine-grained approach to data and information encryption on mobile devices, including encrypting selected data structures such as files, records, or fields.

Practitioner Notes

Mobile devices accessing organizational data must use full-device or container-based encryption. If the device is lost or stolen, the data should be unreadable.

Example 1: In Intune, create a compliance policy requiring device encryption. For Windows, verify BitLocker is enabled. For iOS, encryption is on by default when a passcode is set. For Android, require full-device encryption. Non-compliant devices are blocked from M365.
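A local check for the Windows case in Example 1, added here as an illustration (it is not part of the NIST text or of any Microsoft documentation): it mirrors what an Intune "Require encryption" compliance rule evaluates on the device, so an administrator can spot-check a machine that Intune reports as non-compliant. It assumes the built-in BitLocker PowerShell module and an elevated session; the function name and default parameter are assumptions.

```powershell
# Added example, not from the page. Requires the BitLocker module (Windows 10/11,
# or Server with the BitLocker feature) and an elevated session.
function Test-DeviceEncryptionCompliance {
    [CmdletBinding()]
    param(
        # Drives that must be encrypted; defaults to the OS drive (assumed default).
        [string[]]$RequiredMountPoints = @($env:SystemDrive)
    )

    $findings = @()
    foreach ($mp in $RequiredMountPoints) {
        $vol = Get-BitLockerVolume -MountPoint $mp -ErrorAction SilentlyContinue
        if (-not $vol) {
            $findings += [pscustomobject]@{
                MountPoint = $mp; Compliant = $false
                Reason = 'Volume not found or BitLocker module unavailable'; Method = $null
            }
            continue
        }
        $reasons = @()
        # Encryption still in progress is not yet compliant; the drive must be fully encrypted.
        if ($vol.VolumeStatus -ne 'FullyEncrypted') { $reasons += "VolumeStatus is $($vol.VolumeStatus)" }
        # ProtectionStatus Off (e.g. BitLocker suspended) leaves the key exposed and the data readable.
        if ($vol.ProtectionStatus -ne 'On') { $reasons += "ProtectionStatus is $($vol.ProtectionStatus)" }
        $protectorTypes = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }
        # A TPM-bound protector keeps the key off the disk; a recovery password lets IT recover the drive.
        if ($protectorTypes -notcontains 'Tpm' -and $protectorTypes -notcontains 'TpmPin') {
            $reasons += 'No TPM-based key protector'
        }
        if ($protectorTypes -notcontains 'RecoveryPassword') { $reasons += 'No recovery password protector' }
        $findings += [pscustomobject]@{
            MountPoint = $mp
            Compliant  = ($reasons.Count -eq 0)
            Reason     = ($reasons -join '; ')
            Method     = $vol.EncryptionMethod
        }
    }
    return $findings
}

# Usage: run elevated. A non-zero exit code lets a remediation or RMM script flag the device.
$result = Test-DeviceEncryptionCompliance
$result | Format-Table -AutoSize
if ($result.Compliant -contains $false) { exit 1 }
```

Intune decides compliance from the state the device reports to the service, so this local check complements rather than replaces the compliance policy.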

Example 2: For BYOD scenarios, use Intune's App Protection Policies to create an encrypted container for organizational data. Apps like Outlook and Teams run inside a managed container with its own encryption, separate from personal data. If the employee leaves, you wipe the container without touching personal data.