AC-19: Access Control for Mobile Devices
base control objective:
a. Establishes usage restrictions and implementation guidance for organization-controlled mobile devices;
b. Authorizes connection of mobile devices to organizational information systems;
c. Monitors for unauthorized connections of mobile devices to organizational information systems;
d. Enforces requirements for the connection of mobile devices to organizational information systems;
e. Disables information system functionality that provides the capability for automatic execution of code on removable media without user direction;
f. Issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures; and
g. Applies [Assignment: organization-defined inspection and preventative measures] to mobile devices returning from locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.
supplemental objective information:
Organization-controlled mobile devices include those devices for which the organization has the authority to specify and the ability to enforce specific security requirements. Mobile devices include portable storage media (e.g., USB memory sticks, external hard disk drives) and portable computing and communications devices with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, and audio recording devices). Usage restrictions and implementation guidance related to mobile devices can include, for example, configuration management, device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared). Examples of information system functionality that provides the capability for automatic execution of code are AutoRun and AutoPlay.
Organizational policies and procedures for mobile devices used by individuals departing on and returning from travel include, for example, determining which locations are of concern, defining required configurations for the devices, ensuring that the devices are configured as intended before travel is initiated, and applying specific measures to the device after travel is completed. Specially configured mobile devices include, for example, computers with sanitized hard drives, limited applications, and additional hardening (e.g., more stringent configuration settings). Specified measures applied to mobile devices upon return from travel include, for example, examining the device for signs of physical tampering and purging/reimaging the hard disk drive. Protecting information residing on mobile devices is covered in the media protection family.
enhancements to the base objective:
(1) The organization restricts the use of writable, removable media in organizational information systems.
(2) The organization prohibits the use of personally owned, removable media in organizational information systems.
(3) The organization prohibits the use of removable media in organizational information systems when the media has no identifiable owner.
Enhancement Supplemental Guidance: An identifiable owner (e.g., individual, organization, or project) for removable media helps to reduce the risk of using such technology by assigning responsibility and accountability for addressing known vulnerabilities in the media (e.g., malicious code insertion).
(4) The organization:
(a) Prohibits the use of unclassified mobile devices in Sensitive Compartmented Information Facilities (SCIFs) unless specifically permitted by the authorizing official; and
(b) Enforces the following restrictions on individuals permitted to use mobile devices in SCIFs:
- Connection of an unclassified mobile device to a classified information system is prohibited;
- Connection of an unclassified mobile device to an unclassified information system requires written approval from the authorizing official;
- Use of an internal or external modem within the mobile device is prohibited within the SCIF without the written approval of the authorizing official; and
- Mobile devices and the information stored on those devices are subject to random reviews/inspections by [Assignment: organization-defined security officials], and if classified information is found, the incident handling policy is followed.
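Added worked example (not text from SP 800-53 and not an official NIST or Microsoft script): the PowerShell below audits and applies the registry values behind the Windows Group Policy settings that implement item e. of the base control (disable AutoRun/AutoPlay) and enhancement (1) (restrict writable removable media). The function names Get-RemovableMediaPolicyState and Set-RemovableMediaPolicy are the example's own; the registry paths, value names and the Removable Disks device-class GUID are the ones the corresponding policies write on Windows 7 / Server 2008 R2 and later. Writing under HKLM requires an elevated session.

```powershell
# Added example for AC-19 e. and AC-19(1); not part of SP 800-53.
# Audits and sets the registry values written by the Windows policies
# "Turn off Autoplay", "Set the default behavior for AutoRun",
# "Disallow Autoplay for non-volume devices" and "Removable Disks: Deny write access".
# Run elevated; use -WhatIf on Set-RemovableMediaPolicy to preview changes.

$ExplorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
# Device-class GUID that the Removable Storage Access policies use for "Removable Disks".
$RemovableDisks = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

# Desired state, one row per registry value:
#  NoDriveTypeAutoRun = 0xFF  sets every drive-type bit, so AutoRun is suppressed on all drive types
#  NoAutorun = 1              autorun.inf commands are never executed
#  NoAutoplayfornonVolume = 1 AutoPlay is off for non-volume devices (cameras, phones)
#  Deny_Write = 1             removable disks are mounted read-only
$Desired = @(
    [pscustomobject]@{ Control = 'AC-19 e.'; Path = $ExplorerPolicy; Name = 'NoDriveTypeAutoRun';     Value = 0xFF }
    [pscustomobject]@{ Control = 'AC-19 e.'; Path = $ExplorerPolicy; Name = 'NoAutorun';              Value = 1 }
    [pscustomobject]@{ Control = 'AC-19 e.'; Path = $ExplorerPolicy; Name = 'NoAutoplayfornonVolume'; Value = 1 }
    [pscustomobject]@{ Control = 'AC-19(1)'; Path = $RemovableDisks; Name = 'Deny_Write';             Value = 1 }
)

function Get-RemovableMediaPolicyState {
    # Returns one object per setting with the current value and a Compliant flag.
    # A missing key or value is reported as Current = $null and Compliant = $false.
    foreach ($s in $Desired) {
        $current = $null
        if (Test-Path -Path $s.Path) {
            $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        }
        [pscustomobject]@{
            Control   = $s.Control
            Setting   = $s.Name
            Expected  = $s.Value
            Current   = $current
            Compliant = ($null -ne $current -and [int]$current -eq $s.Value)
        }
    }
}

function Set-RemovableMediaPolicy {
    # Creates the policy keys if needed and writes each value as REG_DWORD,
    # which is the type Group Policy expects for these settings.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($s in $Desired) {
        if (-not (Test-Path -Path $s.Path)) {
            New-Item -Path $s.Path -Force | Out-Null
        }
        if ($PSCmdlet.ShouldProcess("$($s.Path)\$($s.Name)", "Set to $($s.Value)")) {
            Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type DWord
        }
    }
}

# Usage: audit first, remediate only if something is non-compliant, then re-audit.
Get-RemovableMediaPolicyState | Format-Table -AutoSize
if (Get-RemovableMediaPolicyState | Where-Object { -not $_.Compliant }) {
    Set-RemovableMediaPolicy -WhatIf   # remove -WhatIf to apply the changes
    Get-RemovableMediaPolicyState | Format-Table -AutoSize
}
```

Two caveats a practitioner would want. First, on a domain-joined host these values are owned by Group Policy and will be rewritten at the next policy refresh, so the durable implementation is the corresponding GPO (Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies, and System > Removable Storage Access); the script is useful for stand-alone machines and as a compliance check that the GPO actually landed. Second, Deny_Write on the Removable Disks class does not cover devices that enumerate as fixed disks, optical media, or MTP/WPD devices; each has its own class key under RemovableStorageDevices, and Deny_All at the parent key blocks every class, which is the setting to use where enhancement (2) or (3) calls for prohibiting removable media outright.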
mapping to FIPS199 baseline:
MOD: base (1) (2) (3)
HIGH: base (1) (2) (3)
related (regimented) controls:
documents referenced in SP800-53rev3 for AC-19: