Navigate

CCI-001330

CCI-001330 Definition

Prohibit the use of unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

Determine if the use of unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information is prohibited unless specifically permitted by the authorizing official.

Validation Procedures

Examine: [SELECT FROM: Access control policy; incident handling policy; procedures addressing access control for mobile devices; system design documentation; system configuration settings and associated documentation; evidentiary documentation for random inspections and reviews of mobile devices; system audit records; system security plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel responsible for random reviews/inspections of mobile devices; organizational personnel using mobile devices in facilities containing systems processing, storing, or transmitting classified information; organizational personnel with incident response responsibilities; system/network administrators; organizational personnel with information security responsibilities]. Test: [SELECT FROM: Mechanisms prohibiting the use of internal or external modems or wireless interfaces with mobile devices].

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-001330.

Control	Description
AC-19(4)	(a): Prohibit the use of unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official; and (b): Enforce the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information: (1): Connection of unclassified mobile devices to classified systems is prohibited; (2): Connection of unclassified mobile devices to unclassified systems requires approval from the authorizing official; (3): Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and (4): Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by [security officials responsible for the review and inspection of unclassified mobile devices and the information stored on those devices are defined;] , and if classified information is found, the incident handling policy is followed. (c): Restrict the connection of classified mobile devices to classified systems in accordance with [security policies restricting the connection of classified mobile devices to classified systems are defined;].

Control

Description

AC-19(4)

(a): Prohibit the use of unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official; and

(b): Enforce the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information:
- (1): Connection of unclassified mobile devices to classified systems is prohibited;
- (2): Connection of unclassified mobile devices to unclassified systems requires approval from the authorizing official;
- (3): Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and
- (4): Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by [security officials responsible for the review and inspection of unclassified mobile devices and the information stored on those devices are defined;] , and if classified information is found, the incident handling policy is followed.

(c): Restrict the connection of classified mobile devices to classified systems in accordance with [security policies restricting the connection of classified mobile devices to classified systems are defined;].