Navigate

CCI-002328

CCI-002328 Definition

Restrict the connection of classified mobile devices to classified systems in accordance with organization-defined security policies.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

Determine if the connection of classified mobile devices to classified systems is restricted in accordance with [AC-19(04)_ODP[02]; security policies restricting the connection of classified mobile devices to classified systems are defined].

Validation Procedures

Examine: [SELECT FROM: Access control policy; incident handling policy; procedures addressing access control for mobile devices; system design documentation; system configuration settings and associated documentation; evidentiary documentation for random inspections and reviews of mobile devices; system audit records; system security plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel responsible for random reviews/inspections of mobile devices; organizational personnel using mobile devices in facilities containing systems processing, storing, or transmitting classified information; organizational personnel with incident response responsibilities; system/network administrators; organizational personnel with information security responsibilities]. Test: [SELECT FROM: Mechanisms prohibiting the use of internal or external modems or wireless interfaces with mobile devices].

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-002328.

Control	Description
AC-19(4)	(a): Prohibit the use of unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official; and (b): Enforce the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information: (1): Connection of unclassified mobile devices to classified systems is prohibited; (2): Connection of unclassified mobile devices to unclassified systems requires approval from the authorizing official; (3): Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and (4): Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by [security officials responsible for the review and inspection of unclassified mobile devices and the information stored on those devices are defined;] , and if classified information is found, the incident handling policy is followed. (c): Restrict the connection of classified mobile devices to classified systems in accordance with [security policies restricting the connection of classified mobile devices to classified systems are defined;].

Control

Description

AC-19(4)

(a): Prohibit the use of unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official; and

(b): Enforce the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information:
- (1): Connection of unclassified mobile devices to classified systems is prohibited;
- (2): Connection of unclassified mobile devices to unclassified systems requires approval from the authorizing official;
- (3): Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and
- (4): Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by [security officials responsible for the review and inspection of unclassified mobile devices and the information stored on those devices are defined;] , and if classified information is found, the incident handling policy is followed.

(c): Restrict the connection of classified mobile devices to classified systems in accordance with [security policies restricting the connection of classified mobile devices to classified systems are defined;].