AC.3.020 Control connection of mobile devices.

CMMC Practice AC.3.020: Control connection of mobile devices.

Links to Publicly Available Resources


Organizations should establish guidelines and acceptable practices for the proper configuration and use of mobile devices. First the device must be identified. The availability of a unique identifier is going to depend on the device vendor, and the openness of the vendor’s API, whether or not the device is under EMM/MDM control and, if so, the approach used by the developer of the EMM/MDM. There are many different types of identifiers (e.g., UDID, UUID, Android ID, IMEI, MAC Address, serial number, MDM generated ID) that can be used to identify the device, and an organization must choose an approach that applies under their specific circumstances. Once the device is identified and authenticated, it is checked to ensure it complies with appropriate configuration settings and software versions for the operating system and applications. At the same time the device is checked to ensure anti-virus software is running with current definitions. Finally, hardware configurations are checked to ensure any disallowed features are turned off.