@4sleddogs with NIST SP 800-171, it is very specifically stated now as to how Contractors should handle CDI on Smartphones and Tablets.This basically outlines three points for clarification.
1. Multifactor authentication is not required for access to the smartphone or tablet, regardless of whether CDI is stored on the device or the device is merely used to access systems with CDI.
2. When CDI is stored on the device, such information must be encrypted to segregate it from the other information on the device.
3. When the device is used to access information systems with CDI, the information system must be protected by multifactor authentication, which can be entered through the device.
For those who don't know, CDI stands for covered defense information. Also refer http://jmp.sh/WpPibks in case anyone missed.