November 5, 2024
CMMC Mobile Security: A Guide to Compliance for Enterprise Organizations
Just about every organization works with some amount of sensitive information, but the defense industry’s information is more sensitive than most. That’s why the United States Department of Defense (DoD) created the Cybersecurity Maturity Model Certification (CMMC). This cybersecurity model helps protect controlled data in the defense industry — and, by extension, the military personnel who rely on that data to stay productive and safe. Defense contractors must comply with this program, and that means developing a CMMC mobile security strategy.
While mobile security is a vital part of CMMC compliance, the written guidelines are not as explicit as they could be. In fact, the CMMC Model Overview mentions only three mobile-specific requirements, and doesn’t go into great detail on any of them. To lock down your organization's data on smartphones and tablets, you’ll need to implement mobile-specific cybersecurity solutions and ensure that your overall security framework is ironclad. It’s no exaggeration to say that people’s lives may depend on it.
What is CMMC mobile security?
What is CMMC? Briefly, the Cybersecurity Maturity Model Certification is a government standard for organizations in the Defense Industrial Base (DIB) sector. The DoD implemented the first version of CMMC in 2020, but the underlying principles go back decades. Because DIB contractors work with controlled federal and military information, they’re often tempting targets for cybercriminals — to say nothing of hostile foreign governments and terrorist organizations.
Previously, the CMMC employed five different levels of compliance, depending on how sensitive a contractor’s data was. However, the DoD recently revised the CMMC’s guidelines and is currently rolling out a new version of the model. CMMC Model 2.0 has three levels, with requirements that become more stringent at each level:
- Level 1 has 15 different model requirements, plus an annual self-assessment.
- Level 2 has 110 different model requirements, plus a triennial self-assessment and third-party assessment.
- Level 3 has more than 110 different model requirements, plus a triennial government-led assessment.
The CMMC defines a mobile device as “a portable computing device that has a small form factor … [can] wirelessly transmit or receive information … possesses local, non-removable data storage, [and] is powered on for extended periods of time with a self-contained power source.” This definition includes smartphones and tablets, but excludes laptops.
Level 2 or 3 CMMC certification requires organizations to:
- control mobile device connections;
- encrypt controlled unclassified information (CUI) on mobile devices;
- protect mobile code.
The language is purposely broad, giving individual organizations some latitude in how they satisfy the CMMC’s conditions.
How to comply with CMMC regulations
Enforcing CMMC mobile security involves some general cybersecurity strategies and some mobile-specific steps. Generally speaking, you’ll need to control mobile access at your organization, encrypt sensitive data, and regularly test your network for potential security holes.
Enforce mobile security policies
To check CMMC security requirements, you can go directly to the source. The DoD’s CMMC Assessment Guide provides specific, actionable steps for mobile device security at DIB organizations. The section on mobile device connection, for example, requires that organizations be able to properly identify, authorize, and monitor smartphones and tablets that can access controlled information. The DoD requires organizations to employ up-to-date antivirus programs and firewalls. Each mobile device’s operating system must be fully patched, and users may even have to disable potentially compromising features, such as near field communication (NFC) connections.
Other sections cover the risks of unencrypted files, overly permissive VPNs, and outdated plugins.
Implement MDM solutions
Mobile device management (MDM) can be an integral part of your CMMC security strategy. With an MDM solution, you can keep operating systems updated, block potentially malicious applications, and wipe lost devices remotely. These features fulfill many CMMC requirements. You can also go one step further with a comprehensive mobile endpoint security solution. This technology can help employees avoid malicious websites, reject phishing attempts, and use their mobile devices in a responsible manner.
The CMMC requires organizations to monitor and control the use of mobile devices, and MDM provides a straightforward way to do so. Just be sure to choose a solution that balances data security with employee privacy.
Assess and improve your security posture
If you read through CMMC compliance documentation, only a few sections are dedicated to mobile security. You will, however, find dozens of pages dedicated to general best practices in cybersecurity. Most of the DoD’s recommendations should sound familiar to seasoned IT professionals:
- Monitor who logs into your network.
- Encrypt your sensitive data.
- Operate under zero-trust principles.
- Limit the use of portable external storage devices.
- Audit your systems frequently.
- Require administrative privileges to install new software.
- Employ multi-factor authentication (MFA).
- Regularly back up your data.
- Allow only authorized personnel on premises.
- Devise a plan in case of a breach.
- Keep all software and hardware up to date.
- Train your employees to follow your organization’s cybersecurity rules.
This is not an exhaustive list of CMMC requirements, but if your organization already follows these principles, you’ll start from a strong foundation.
Secure your sensitive DIB data with mobile EDR
Your organization's CMMC mobile security strategy should empower both individual employees and your IT department. One way to accomplish this is with a mobile endpoint detection and response (EDR) solution. Lookout Mobile Endpoint Security gives users the tools they need to avoid social engineering and malicious websites. It also provides IT departments with research on the latest mobile threats and uses sophisticated artificial intelligence (AI) algorithms to assess risky apps.
Read the Lookout e-book The Mobile EDR Playbook: Key Questions for Protecting Your Data to learn more about crafting a smart security plan for smartphones and tablets. You’ll learn how to assess your current cybersecurity framework, mitigate common mobile threats, and craft device-specific countermeasures.