Under what conditions may CUI be stored on personal devices?

Study for the DOD Instruction 5200.48 Controlled Unclassified Information (CUI) exam. Prepare with flashcards and multiple choice questions, each with detailed hints and explanations. Ensure success on your test day!

Multiple Choice

Under what conditions may CUI be stored on personal devices?

Explanation:
Storing CUI on a personal device is allowed only when there is explicit authorization in policy and the device meets specific safeguards. In practice, this means the organization must authorize personal-device use for CUI and require protections such as encryption of data at rest and in transit, strong access controls (including multi-factor authentication and least-privilege access), formal approvals from the information owner, and ongoing protections like device management, timely patching, and the ability to remotely wipe or terminate access if the device is lost or compromised. These measures ensure CUI remains protected even outside traditional work devices and provide auditable assurances that risk is being managed.

The idea that CUI can always be stored on personal devices with only a password is wrong because a password alone isn’t enough: passwords can be compromised, especially if a device is lost or stolen. The notion that it’s never allowed ignores the reality that many organizations permit BYOD under controlled conditions. The suggestion that it’s allowed only on company-owned devices misses the scenario being considered and ignores the explicit policy and safeguards required for personal devices.

