Can we allow personal devices on our CUI network?
Here’s the thing about BYOD: it feels like a gift. Employees love it. Finance loves it. The IT department gets to stop managing a fleet of devices, and suddenly everyone’s happy. Until they’re not.
I’ve watched smart companies make this mistake. A transportation coordinator is bouncing between three moving jobs, personal life bleeding into work life on the same device, the same apps, the same screen. His kid downloads something sketchy on Saturday night. By Monday morning, you have a problem that has nothing to do with moving furniture.
For TSPs handling military household goods moves, this isn’t just an inconvenience story. It’s a compliance story. NIST 800-171 control 3.1.18 requires you to control the connection of mobile devices to your systems. Control 3.13.1 requires you to monitor and protect your organizational communications. The moment you let a personal device touch your Controlled Unclassified Information, that device becomes in-scope, and your CUI boundary suddenly gets fuzzy.
The realistic answer is no. Do not allow BYOD for work involving CUI, not even on personal devices with an independent work enclave. Instead, issue managed devices. Configure them properly. Apply your mobile device management solution. Know exactly what's on them.
Yes, it costs money. But it costs significantly less than a failed assessment, a data breach, or losing your ability to bid on or be awarded contracts.
Own the devices. Own the problem before it owns you.