GRCWatch
Sign inStart free trial

NIST SP 800-171 Control 3.1.18: Mobile Device Connection

Mobile devices introduce significant risk to controlled unclassified information (CUI) if connections aren't properly managed. Control 3.1.18 requires organizations to establish and enforce policies that govern how mobile devices connect to systems and networks storing or processing CUI. This control is essential for SMBs handling sensitive government or defense contractor data.

What this means

Control 3.1.18 mandates that organizations establish mechanisms to restrict, monitor, and manage connections from mobile devices to information systems. This includes defining which mobile devices are permitted, requiring authentication and encryption, limiting functionality (such as disabling file transfer or camera access), and ensuring that unapproved devices cannot access CUI. The control recognizes that mobile devices operate outside traditional network perimeters and require explicit connection policies.

How to comply

  1. 1.Develop a mobile device policy specifying approved device types, operating systems, and minimum security requirements
  2. 2.Implement mobile device management (MDM) or enterprise mobility management (EMM) solutions to enforce policies centrally
  3. 3.Require strong authentication (multi-factor authentication) for all mobile device connections to systems
  4. 4.Mandate encryption for data at rest and in transit on approved mobile devices
  5. 5.Configure network access controls to block or isolate unapproved devices at the gateway level
  6. 6.Disable unnecessary mobile device capabilities (camera, USB, Bluetooth) for sensitive environments or limit them by policy
  7. 7.Establish a mobile device inventory and approval process before connection is permitted
  8. 8.Monitor and log all mobile device connections and activities for audit and incident response
  9. 9.Conduct regular security assessments of approved mobile devices and update policies as threats evolve

Evidence auditors look for

  • Documented mobile device security policy covering connection requirements and restrictions
  • MDM/EMM platform configuration showing device approval, encryption, and authentication settings
  • Network logs showing enforcement of mobile device connection controls and access denials
  • Mobile device inventory with approved device list and associated security configurations
  • Audit reports demonstrating monitoring of mobile device connections and compliance violations
  • Multi-factor authentication implementation records for mobile device access
  • Device capability restriction logs (e.g., disabled camera, USB, or file transfer features)
  • Risk assessment documenting mobile device threats and mitigation controls

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates mobile device inventory tracking, policy enforcement logs, and connection audit trails in a single dashboard, eliminating manual spreadsheets and reducing the time needed to prove 3.1.18 compliance to auditors.

See how GRCWatch handles this control automatically

Start free trial

Related controls

3.1.1 Authorized Access3.1.2 User Actions3.2.1 Information System Monitoring3.2.5 Access Restrictions3.4.7 Operating System Monitoring