Navigate

CCI-001334

CCI-001334 Definition

The organization requires that unclassified mobile devices used in facilities containing information systems processing, storing, or transmitting classified information and the information stored on those devices be subject to random reviews and inspections by organization-defined security officials.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed documents and implements a process to require that unclassified mobile devices used in facilities containing information systems processing, storing, or transmitting classified information and the information stored on those devices are subject to random reviews and inspections by the ISSM/ISSO. DoD has defined the security officials as the ISSM/ISSO.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed requires that unclassified mobile devices used in facilities containing information systems processing, storing, or transmitting classified information and the information stored on those devices are subject to random reviews and inspections by the ISSM/ISSO. DoD has defined the security officials as the ISSM/ISSO.

Compelling Evidence

1.) Signed and dated system security plan (SSP) and/or standard operating procedure (SOP) that describes how the site requires that unclassified mobile devices used in facilities containing information systems processing, storing, or transmitting classified information and the information stored on those devices are subject to random reviews and inspections by the ISSM/ISSO.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-001334.

Control	Description
AC-19 (4)	The organization: AC-19 (4)(a): Prohibits the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official; and AC-19 (4)(b): Enforces the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information: AC-19 (4)(b)(1): Connection of unclassified mobile devices to classified information systems is prohibited; AC-19 (4)(b)(2): Connection of unclassified mobile devices to unclassified information systems requires approval from the authorizing official; AC-19 (4)(b)(3): Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and AC-19 (4)(b)(4): Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by [Assignment: organization-defined security officials], and if classified information is found, the incident handling policy is followed. AC-19 (4)(c): Restricts the connection of classified mobile devices to classified information systems in accordance with [Assignment: organization-defined security policies].

Control

Description

AC-19 (4)

The organization:

AC-19 (4)(a): Prohibits the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official; and

AC-19 (4)(b): Enforces the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information:
- AC-19 (4)(b)(1): Connection of unclassified mobile devices to classified information systems is prohibited;
- AC-19 (4)(b)(2): Connection of unclassified mobile devices to unclassified information systems requires approval from the authorizing official;
- AC-19 (4)(b)(3): Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and
- AC-19 (4)(b)(4): Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by [Assignment: organization-defined security officials], and if classified information is found, the incident handling policy is followed.

AC-19 (4)(c): Restricts the connection of classified mobile devices to classified information systems in accordance with [Assignment: organization-defined security policies].