
Configure mobile device settings in accordance with organizational standards.


CONTROL ID: 04600
CONTROL TYPE: Configuration
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system hardening procedures., CC ID: 12001

This Control has the following implementation support Control(s):
  • Configure mobile devices to enable remote wipe., CC ID: 12212
  • Configure prohibiting the circumvention of security controls on mobile devices., CC ID: 12335
  • Configure Apple iOS to Organizational Standards., CC ID: 09986
  • Configure mobile devices to organizational standards., CC ID: 04639
  • Verify only BlackBerry Enterprise Server e-mail software and e-mail hardware is being used., CC ID: 04601
  • Train BlackBerry handheld device users on the Bluetooth Smart Card Reader's proper usage., CC ID: 04603
  • Verify metamessage software is not installed on BlackBerry handheld devices., CC ID: 04604
  • Configure e-mail messages to not display a signature line stating the message was sent from a Portable Electronic Device., CC ID: 04605
  • Verify only the specific mobile device web browser software is installed., CC ID: 04606
  • Update the software and master keys for mobile Personal Electronic Devices every 30 days., CC ID: 04607
  • Enable content protection on mobile devices., CC ID: 04609
  • Configure the application policy groups for each mobile Personal Electronic Device., CC ID: 04610
  • Configure emergency and critical e-mail notifications so that they are digitally signed., CC ID: 04841
  • Enable data-at-rest encryption on mobile devices., CC ID: 04842
  • Disable the capability to automatically execute code on mobile devices absent user direction., CC ID: 08705
  • Configure environmental sensors on mobile devices., CC ID: 10667


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • A Mobile Device Management solution is used to ensure mobile device management policy is applied to all mobile devices. (Security Control: 1195; Revision: 1, Australian Government Information Security Manual)
  • Mobile devices prevent personnel from installing or uninstalling applications once provisioned. (Security Control: 0863; Revision: 3, Australian Government Information Security Manual)
  • Do personal digital assistants have anti-virus and virtual private network software installed? (Table Row XIII.25, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • In the event that an embedded device utilizes mobile code technologies, the embedded device shall provide the capability to enforce a security policy for the usage of mobile code technologies. The security policy shall allow, at a minimum, the following actions for each mobile code technology used o… (13.2.1 ¶ 1, IEC 62443-4-2: Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components, Edition 1.0)
  • The application shall provide the capability to enforce a security policy that allows the device to control execution of mobile code based on the results of an authenticity check prior to the code being executed. (12.2.3 (1) ¶ 1, IEC 62443-4-2: Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components, Edition 1.0)
  • Mobile device management should be reviewed by the IT auditor and he/she should, at a minimum, consider the policies and procedures for defining the security baselines and the security configuration. (App A.2, IIA Global Technology Audit Guide (GTAG) 4: Management of IT Auditing)
  • In the event that an embedded device utilizes mobile code technologies, the embedded device shall provide the capability to enforce a security policy for the usage of mobile code technologies. The security policy shall allow, at a minimum, the following actions for each mobile code technology used o… (13.2.1 ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and (AC-19a., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and (AC-19a., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and (AC-19a., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and (AC-19a., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • ensuring that mobile devices are subject to similar applicable safeguards. (Information Security Program Bullet 3 Deployment of Protective Measures Against the Identified Threats and Vulnerabilities ¶ 1 Sub-bullet 15, 9070 - NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs)
  • The organization will configure all Blackberries according to Secure Mobile Environment standards. (§ 3, DISA WIRELESS STIG BLACKBERRY SECURITY CHECKLIST, Version 5, Release 2.4, Version 5 Release 2.4)
  • § 2.2 (WIR3250) Ensure that all required wireless e-mail servers and device configuration settings are implemented. App B.1 Row "Erase Storage card when erasing data" under Options Tab - Storage Cards TAB, should be set to check. App B.1 Row "Require Storage Cards to be encrypted" under Options Tab… (§ 2.2 (WIR3250), App B.1 Row "Erase Storage card when erasing data", App B.1 Row "Require Storage Cards to be encrypted", § 3.3.2, § 3.8, § 3.14, App D §2, DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, Version 5 Release 2.3)
  • § 2.2 (WIR2250) All required wireless e-mail server and device configuration should be implemented. App B.3 Row "Enable SD Card Encryption", located under Policy Manager/File Encryption Settings, should be set to Enable using check box. App B.3 Row "Encrypt All Files", located under Policy Manager/… (§ 2.2 (WIR2250), App B.3 Row "Enable SD Card Encryption", App B.3 Row "Encrypt All Files", DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist Version 5, Release 2.4, Version 5 Release 2.4)
  • MDM with centralized administration configured and implemented to perform at least the following controls: (§ 5.13.2 ¶ 3(2), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Any cellular device used to transmit CJI via voice is exempt from the encryption and authentication requirements. (§ 5.13.1.2.2 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Application of mandatory policy settings on the device (§ 5.13.2 ¶ 3(2)(f), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • When accessing CJI from an authorized mobile device, advanced authentication shall be used by the authorized user unless the access to CJI is indirect as described in Section 5.6.2.2.1. If access is indirect, then AA is not required. (§ 5.13.7.2 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Configured to use a secure authenticator (i.e. password, PIN) to unlock the key for use (§ 5.13.7.3 ¶ 2(3), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Application of mandatory policy settings on the device (§ 5.13.2 ¶ 3 2.f., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Setting and locking device configuration (§ 5.13.2 ¶ 3 2.c., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Remote locking of device (§ 5.13.2 ¶ 3 2.a., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and (AC-19a. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and (AC-19a. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and (AC-19a. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and (AC-19a., FedRAMP Security Controls High Baseline, Version 5)
  • Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and (AC-19a., FedRAMP Security Controls Low Baseline, Version 5)
  • Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and (AC-19a., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and (AC-19a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and (AC-19a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and (AC-19a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and (AC-19a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and (AC-19a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and (AC-19a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Use of the PSTN for out-of-band verification is RESTRICTED as described in this section and in Section 5.2.10. If out-of-band verification is to be made using the PSTN, the verifier SHALL verify that the pre-registered telephone number being used is associated with a specific physical device. Changi… (5.1.3.3 ¶ 1, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and (AC-19a. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and (AC-19a. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and (AC-19a. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and (AC-19a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and (AC-19a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and (AC-19a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and (AC-19a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and (AC-19a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and (AC-19a., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and (AC-19a., TX-RAMP Security Controls Baseline Level 1)
  • Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and (AC-19a., TX-RAMP Security Controls Baseline Level 2)