Control references: SC-28 / MP-5 / IA-5 / A.8.3.1 / CIS-3.10
Framework: NIST SP 800-53 Rev 5

Encryption + passcode enforced

Demonstrate that all mobile devices and endpoints with access to organizational data are configured to require both device-level encryption and a passcode or biometric authentication mechanism, and that these configurations are actively enforced and monitored.

Description

What this control does

This control requires that mobile devices and endpoints accessing organizational data enforce both encryption at rest and a passcode or biometric lock. Encryption protects data confidentiality if a device is lost or stolen; passcode enforcement prevents unauthorized access by anyone who has the device in hand. The two are not independent: on iOS and Android the file-encryption keys are protected by the screen-lock credential, and a Windows or macOS laptop with full-disk encryption boots to a login prompt, so a device with no passcode is effectively readable to whoever picks it up even when the encryption flag reads "on". Both settings are typically enforced through a mobile device management (MDM) solution or endpoint configuration policy, and compliance state is only as current as the device's last check-in with that system.

Associated risks

Risks this control addresses

  • Unauthorized access to organizational data on lost or stolen unencrypted devices
  • Exposure of sensitive information through physical device access without authentication barriers
  • Data breach resulting from theft of unlocked or passcode-free devices in public or transit environments
  • Compliance violations (HIPAA, PCI DSS, GDPR) due to inadequate protection of personal or regulated data on mobile endpoints
  • Lateral movement by attackers who gain physical access to unlocked corporate devices
  • Exfiltration of cached credentials, session tokens, or application data from unencrypted storage
  • Insider threat exploitation through borrowing or accessing unattended devices without passcode protection

Testing procedure

How an auditor verifies this control

  1. Obtain the current mobile device management (MDM) or endpoint management configuration policy documentation and baseline settings.
  2. Review MDM console configuration profiles to verify encryption requirements are set to 'required' or 'enforced' for all enrolled device platforms (iOS, Android, Windows, macOS).
  3. Review MDM console passcode policy settings to confirm minimum complexity requirements (length, character classes, reuse or expiration where organizational policy requires it) and the failed-attempt threshold that triggers lockout or device wipe are configured.
  4. Generate a compliance report from the MDM console listing all enrolled devices and their encryption and passcode enforcement status as of the audit date.
  5. Select a representative sample of at least 15-20 devices across different platforms and user roles from the compliance report.
  6. For each sampled device, verify encryption status through the MDM console device detail view or a remote query command (e.g., fdesetup status for FileVault on macOS, manage-bde -status or Get-BitLockerVolume for BitLocker on Windows, adb shell getprop ro.crypto.state on Android, the MDM security query for iOS), and confirm the reported state is from a recent check-in rather than a stale record.
  7. For each sampled device, verify passcode is enforced by reviewing last passcode-set date, compliance status flag, and any non-compliance incidents logged in the MDM system.
  8. Interview IT administrators to confirm non-compliant devices are quarantined or denied access to organizational resources until remediated, and review evidence of enforcement actions taken in the past 90 days.
Evidence required

MDM configuration policy exports showing encryption and passcode requirements. Compliance reports from the MDM console listing device encryption status, passcode enforcement status, and compliance state for all enrolled devices. Screenshots or query results for sampled devices showing encryption enabled and passcode configured. Incident logs or quarantine actions taken against non-compliant devices.

Pass criteria

All sampled devices demonstrate both encryption enabled and passcode enforcement active, MDM policies mandate these requirements without exceptions for general-use devices, and compliance monitoring with remediation processes are documented and operational.
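The following script is an added example, not part of this control page or of any MDM vendor's tooling. It shows how an auditor (or an engineer preparing for one) can run steps 4 through 7 and the pass criteria above over an MDM compliance export: it parses the report, draws a sample that covers every platform and user role, flags devices whose compliance state is older than the check-in window (a stale record cannot support a pass as of the audit date), and treats a mobile device with no passcode as having unprotected encryption keys even when the encryption flag is on. The CSV layout, column names, value formats, device identifiers and dates are all constructed for this example; real console exports differ.

```python
"""Evaluate an MDM compliance export for the encryption + passcode control.

Added example with an assumed export schema; not code from any MDM product.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export. Column names and value formats are assumptions
# for this example; adapt parse_export() to your console's real schema.
SAMPLE_EXPORT = """\
device_id,platform,user_role,encryption_state,passcode_present,passcode_compliant,last_checkin
MBP-0417,macOS,engineering,on,true,true,2024-05-01T09:12:00Z
LT-2201,Windows,finance,on,true,true,2024-05-02T15:40:00Z
LT-2209,Windows,finance,off,true,true,2024-05-02T08:03:00Z
PH-0930,iOS,sales,on,true,false,2024-04-30T19:20:00Z
PH-1044,Android,sales,on,false,false,2024-05-02T11:00:00Z
MBP-0101,macOS,executive,on,true,true,2024-03-01T10:00:00Z
"""

AUDIT_DATE = datetime(2024, 5, 3, tzinfo=timezone.utc)   # assumed audit date
MAX_CHECKIN_AGE = timedelta(days=7)                      # assumed freshness window


def parse_export(text):
    """Parse the CSV export into a list of dicts with typed fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "device_id": r["device_id"],
            "platform": r["platform"],
            "user_role": r["user_role"],
            "encrypted": r["encryption_state"].strip().lower() == "on",
            "passcode_present": r["passcode_present"].strip().lower() == "true",
            "passcode_compliant": r["passcode_compliant"].strip().lower() == "true",
            "last_checkin": datetime.fromisoformat(
                r["last_checkin"].replace("Z", "+00:00")),
        })
    return rows


def findings_for(row, audit_date=AUDIT_DATE, max_age=MAX_CHECKIN_AGE):
    """Return the list of control failures for one device (empty means compliant)."""
    findings = []
    # A state reported before the freshness window is evidence about the past,
    # not about the audit date, so it cannot support a pass on its own.
    if audit_date - row["last_checkin"] > max_age:
        findings.append("stale_checkin")
    if not row["encrypted"]:
        findings.append("encryption_off")
    if not row["passcode_present"]:
        findings.append("no_passcode")
    elif not row["passcode_compliant"]:
        findings.append("passcode_noncompliant")
    # On iOS and Android the file-encryption keys are protected by the screen
    # lock credential, so "encrypted" with no passcode is a separate finding.
    if (row["platform"] in ("iOS", "Android") and row["encrypted"]
            and not row["passcode_present"]):
        findings.append("encryption_not_passcode_bound")
    return findings


def evaluate(rows, audit_date=AUDIT_DATE, max_age=MAX_CHECKIN_AGE):
    """Map device_id -> findings for every device that has at least one."""
    result = {}
    for row in rows:
        findings = findings_for(row, audit_date, max_age)
        if findings:
            result[row["device_id"]] = findings
    return result


def stratified_sample(rows, per_stratum=1):
    """Pick up to per_stratum devices from each (platform, user_role) stratum,
    so the sample spans platforms and roles as the testing procedure requires."""
    counts = {}
    sample = []
    for row in rows:
        key = (row["platform"], row["user_role"])
        if counts.get(key, 0) < per_stratum:
            counts[key] = counts.get(key, 0) + 1
            sample.append(row["device_id"])
    return sample


def control_passes(rows, audit_date=AUDIT_DATE, max_age=MAX_CHECKIN_AGE):
    """Pass criteria: every device is encrypted, passcode-compliant and fresh."""
    return not evaluate(rows, audit_date, max_age)


if __name__ == "__main__":
    devices = parse_export(SAMPLE_EXPORT)
    print("sample:", ", ".join(stratified_sample(devices)))
    for device_id, findings in evaluate(devices).items():
        print(f"{device_id}: {', '.join(findings)}")
    print("PASS" if control_passes(devices) else "FAIL")
```

The freshness check is the part most often missing from a console's built-in "compliant" badge: a laptop that last checked in two months ago will still show the state it had then. Treating that record as a finding forces the auditor to obtain a current query for the device (step 6) rather than accepting the stale flag.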

Where this control is tested

Audit programs including this control