GRCWatch
Sign inStart free trial

CIS Control 3.6: Encrypt Data on End-User Devices

End-user devices are primary targets for data theft and breach. CIS Control 3.6 requires encryption of sensitive data at rest on laptops, desktops, and mobile devices to prevent unauthorized access if hardware is lost or compromised. This control is foundational for any organization handling regulated data.

What this means

Control 3.6 mandates full-disk or partition encryption on all end-user devices that store, process, or access sensitive data. This ensures that even if a device is physically stolen or accessed without authorization, encrypted data remains unreadable without the decryption key. Common implementations include Windows BitLocker for enterprise environments, Apple FileVault for macOS systems, and Linux dm-crypt for Linux distributions. Encryption must be enabled by default and managed centrally where possible.

How to comply

  1. 1.Enable BitLocker on all Windows endpoints via Group Policy or Mobile Device Management (MDM)
  2. 2.Activate FileVault 2 on all macOS devices and enforce recovery key escrow
  3. 3.Configure dm-crypt or LUKS encryption on Linux systems during OS deployment
  4. 4.Ensure encryption keys are generated securely and not stored on the encrypted device
  5. 5.Implement centralized key management or recovery processes for lost passphrases
  6. 6.Verify encryption status across all devices through regular audits and compliance reports
  7. 7.Document encryption configurations and maintain an inventory of encrypted vs. unencrypted endpoints

Evidence auditors look for

  • Enabled BitLocker status report showing percentage of compliant Windows devices
  • FileVault activation screenshot with recovery keys securely stored in MDM platform
  • Group Policy Objects (GPOs) configured to enforce encryption at device enrollment
  • Mobile Device Management (MDM) compliance dashboard showing encryption compliance by OS
  • Third-party encryption audit reports verifying full-disk encryption across endpoints
  • Device inventory spreadsheet documenting encryption method and status per device
  • Incident response logs showing encrypted device recovery procedures

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically detects unencrypted devices across your fleet, generates compliance evidence for audits, and tracks encryption status in a single dashboard—eliminating manual device inventories and spreadsheet management.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CIS Control 3.1 — Identify and Inventory All Forms of Sensitive DataCIS Control 3.4 — Use Data Loss Prevention (DLP)CIS Control 3.11 — Encrypt Data on Mobile End PointsCIS Control 6.1 — Establish an Access Control Framework