Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and
Authorizes wireless access to the information system prior to allowing such connections.
Supplemental Guidance: Wireless technologies include, for example, microwave, packet radio (UHF/VHF), 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g., EAP/TLS, PEAP), which provide credential protection and mutual authentication. Related controls: AC-2, AC-3, AC-17, AC-19, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, PL-4, SI-4.
Control Enhancements:
wireless access | authentication and encryption
The information system protects wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption.
Supplemental Guidance: Related controls: SC-8, SC-13.
The organization disables, when not intended for use, wireless networking capabilities internally embedded within information system components prior to issuance and deployment.
Supplemental Guidance: Related control: AC-19.
wireless access | restrict configurations by users
The organization identifies and explicitly authorizes users allowed to independently configure wireless networking capabilities.
Supplemental Guidance: Organizational authorizations to allow selected users to configure wireless networking capability are enforced, in part, by the access enforcement mechanisms employed within organizational information systems. Related controls: AC-3, SC-15.
wireless access | antennas / transmission power levels
The organization selects radio antennas and calibrates transmission power levels to reduce the probability that usable signals can be received outside of organization-controlled boundaries.
Supplemental Guidance: Actions that may be taken by organizations to limit unauthorized use of wireless communications outside of organization-controlled boundaries include, for example: (i) reducing the power of wireless transmissions so that the transmissions are less likely to emit a signal that can be used by adversaries outside of the physical perimeters of organizations; (ii) employing measures such as TEMPEST to control wireless emanations; and (iii) using directional/beam forming antennas that reduce the likelihood that unintended receivers will be able to intercept signals. Prior to taking such actions, organizations can conduct periodic wireless surveys to understand the radio frequency profile of organizational information systems as well as other systems that may be operating in the area. Related control: PE-19.
References: NIST Special Publications 800-48, 800-94, 800-97.
Priority and Baseline Allocation:
P1
LOW AC-18
MOD AC-18 (1)
HIGH AC-18 (1) (4) (5)
AC-19 ACCESS CONTROL FOR MOBILE DEVICES
Control: The organization:
Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and
Authorizes the connection of mobile devices to organizational information systems.
Supplemental Guidance: A mobile device is a computing device that: (i) has a small form factor such that it can easily be carried by a single individual; (ii) is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); (iii) possesses local, non-removable or removable data storage; and (iv) includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones, E-readers, and tablets. Mobile devices are typically associated with a single individual and the device is usually in close proximity to the individual; however, the degree of proximity can vary depending upon the form factor and size of the device. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of desktop systems, depending upon the nature and intended purpose of the device. Due to the large variety of mobile devices with different technical characteristics and capabilities, organizational restrictions may vary for the different classes/types of such devices. Usage restrictions and specific implementation guidance for mobile devices include, for example, configuration management, device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared). Organizations are cautioned that the need to provide adequate security for mobile devices goes beyond the requirements in this control.
Many safeguards and countermeasures for mobile devices are reflected in other security controls in the catalog allocated in the initial control baselines as starting points for the development of security plans and overlays using the tailoring process. There may also be some degree of overlap in the requirements articulated by the security controls within the different families of controls. AC-20 addresses mobile devices that are not organization-controlled. Related controls: AC-3, AC-7, AC-18, AC-20, CA-9, CM-2, IA-2, IA-3, MP-2, MP-4, MP-5, PL-4, SC-7, SC-43, SI-3, SI-4.
Control Enhancements:
access control for mobile devices | use of writable / portable storage devices
[Withdrawn: Incorporated into MP-7].
access control for mobile devices | use of personally owned portable storage devices
[Withdrawn: Incorporated into MP-7].
access control for mobile devices | use of portable storage devices with no identifiable owner
[Withdrawn: Incorporated into MP-7].
access control for mobile devices | restrictions for classified information
The organization:
Prohibits the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official; and
Enforces the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information:
Connection of unclassified mobile devices to classified information systems is prohibited;
Connection of unclassified mobile devices to unclassified information systems requires approval from the authorizing official;
Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and
Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by [Assignment: organization-defined security officials], and if classified information is found, the incident handling policy is followed.
Restricts the connection of classified mobile devices to classified information systems in accordance with [Assignment: organization-defined security policies].
Supplemental Guidance: Related controls: CA-6, IR-4.
access control for mobile devices | full device / container-based encryption
The organization employs [Selection: full-device encryption; container encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices].
Supplemental Guidance: Container-based encryption provides a more fine-grained approach to the encryption of data/information on mobile devices, including, for example, encrypting selected data structures such as files, records, or fields. Related controls: MP-5, SC-13, SC-28.
References: OMB Memorandum 06-16; NIST Special Publications 800-114, 800-124, 800-164.