800-53|AC-19

Title

ACCESS CONTROL FOR MOBILE DEVICES

Description

The organization:

Supplemental

A mobile device is a computing device that: (i) has a small form factor such that it can easily be carried by a single individual; (ii) is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); (iii) possesses local, non-removable or removable data storage; and (iv) includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones, E-readers, and tablets. Mobile devices are typically associated with a single individual and the device is usually in close proximity to the individual; however, the degree of proximity can vary depending upon the form factor and size of the device. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of desktop systems, depending upon the nature and intended purpose of the device. Due to the large variety of mobile devices with different technical characteristics and capabilities, organizational restrictions may vary for the different classes/types of such devices. Usage restrictions and specific implementation guidance for mobile devices include, for example, configuration management, device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared). Organizations are cautioned that the need to provide adequate security for mobile devices goes beyond the requirements in this control. Many safeguards and countermeasures for mobile devices are reflected in other security controls in the catalog allocated in the initial control baselines as starting points for the development of security plans and overlays using the tailoring process. There may also be some degree of overlap in the requirements articulated by the security controls within the different families of controls. AC-20 addresses mobile devices that are not organization-controlled.

Reference Item Details

Related: AC-18, AC-20, AC-3, AC-7, CA-9, CM-2, IA-2, IA-3, MP-2, MP-4, MP-5, PL-4, SC-43, SC-7, SI-3, SI-4

Category: ACCESS CONTROL

Family: ACCESS CONTROL

Priority: P1

Baseline Impact: LOW, MODERATE, HIGH

Audit Items

Name | Plugin | Audit Name
1.1 Ensure that multi-factor authentication is enabled for all privileged users | microsoft_azure | CIS Microsoft Azure Foundations v1.3.1 L1
1.2.1 Ensure 'Account lockout duration' is set to '15 or more minute(s)' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1
1.2.1 Ensure 'Account lockout duration' is set to '15 or more minute(s)' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 + BL
1.2.1 Ensure 'Account lockout duration' is set to '15 or more minute(s)' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 + NG
1.2.1 Ensure 'Account lockout duration' is set to '15 or more minute(s)' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 + BL + NG
1.2.2 Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1
1.2.2 Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 + NG
1.2.2 Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 + BL + NG
1.2.2 Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 + BL
1.2.2 Set 'transport input ssh' for 'line vty' connections | Cisco | CIS Cisco IOS 17 L1 v1.0.0
1.2.3 Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 + NG
1.2.3 Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1
1.2.3 Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 + BL + NG
1.2.3 Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 + BL
1.5 Ensure MFA is enabled for the 'root' user account | amazon_aws | CIS Amazon Web Services Foundations L1 1.4.0
1.5.9 Set 'priv' for each 'snmp-server group' using SNMPv3 | Cisco | CIS Cisco IOS 17 L2 v1.0.0
1.5.10 Require 'aes 128' as minimum for 'snmp-server user' when using SNMPv3 | Cisco | CIS Cisco IOS 17 L2 v1.0.0
1.6 Ensure hardware MFA is enabled for the 'root' user account | amazon_aws | CIS Amazon Web Services Foundations L2 1.4.0
1.10 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password | amazon_aws | CIS Amazon Web Services Foundations L1 1.4.0
18.8.34.6.1 (BL) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker
18.8.34.6.1 (BL) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L2 Bitlocker
18.8.34.6.2 (BL) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L2 Bitlocker
18.8.34.6.2 (BL) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker
18.8.34.6.3 Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled' | Windows | CIS Microsoft Windows 10 Enterprise (Release 1809) v1.6.1 BL
18.8.34.6.4 Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled' | Windows | CIS Microsoft Windows 10 Enterprise (Release 1809) v1.6.1 BL
18.9.11.1.1 (BL) Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker
18.9.11.1.1 (BL) Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L2 Bitlocker
18.9.11.1.1 Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled' | Windows | CIS Microsoft Windows 10 Enterprise (Release 1809) v1.6.1 BL
18.9.11.1.2 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker
18.9.11.1.2 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L2 Bitlocker
18.9.11.1.2 Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled' | Windows | CIS Microsoft Windows 10 Enterprise (Release 1809) v1.6.1 BL
18.9.11.1.3 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent' is set to 'Enabled: True' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker
18.9.11.1.3 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent' is set to 'Enabled: True' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L2 Bitlocker
18.9.11.1.3 Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent' is set to 'Enabled: True' | Windows | CIS Microsoft Windows 10 Enterprise (Release 1809) v1.6.1 BL
18.9.11.1.4 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Password' is set to 'Enabled: Allow 48-digit recovery password' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L2 Bitlocker
18.9.11.1.4 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Password' is set to 'Enabled: Allow 48-digit recovery password' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker
18.9.11.1.4 Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Password' is set to 'Enabled: Allow 48-digit recovery password' | Windows | CIS Microsoft Windows 10 Enterprise (Release 1809) v1.6.1 BL
18.9.11.1.5 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Key' is set to 'Enabled: Allow 256-bit recovery key' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker
18.9.11.1.10 (BL) Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Enabled' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L2 Bitlocker
18.9.11.1.10 (BL) Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Enabled' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker
18.9.11.1.10 Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Enabled' | Windows | CIS Microsoft Windows 10 Enterprise (Release 1809) v1.6.1 BL
18.9.11.1.11 (BL) Ensure 'Configure use of hardware-based encryption for fixed data drives: Use BitLocker software-based encryption when hardware encryption is not available' is set to 'Enabled: True' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker
18.9.11.1.11 (BL) Ensure 'Configure use of hardware-based encryption for fixed data drives: Use BitLocker software-based encryption when hardware encryption is not available' is set to 'Enabled: True' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L2 Bitlocker
18.9.11.1.11 Ensure 'Configure use of hardware-based encryption for fixed data drives: Use BitLocker software-based encryption when hardware encryption is not available' is set to 'Enabled: True' | Windows | CIS Microsoft Windows 10 Enterprise (Release 1809) v1.6.1 BL
18.9.11.1.12 (BL) Ensure 'Configure use of hardware-based encryption for fixed data drives: Restrict encryption algorithms and cipher suites allowed for hardware-based encryption' is set to 'Enabled: False' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker
18.9.11.1.12 (BL) Ensure 'Configure use of hardware-based encryption for fixed data drives: Restrict encryption algorithms and cipher suites allowed for hardware-based encryption' is set to 'Enabled: False' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L2 Bitlocker
18.9.11.1.12 Ensure 'Configure use of hardware-based encryption for fixed data drives: Restrict encryption algorithms and cipher suites allowed for hardware-based encryption' is set to 'Enabled: False' | Windows | CIS Microsoft Windows 10 Enterprise (Release 1809) v1.6.1 BL
18.9.11.1.13 (BL) Ensure 'Configure use of hardware-based encryption for fixed data drives: Restrict crypto algorithms or cipher suites to the following:' is set to 'Enabled: 2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L2 Bitlocker
18.9.11.1.13 (BL) Ensure 'Configure use of hardware-based encryption for fixed data drives: Restrict crypto algorithms or cipher suites to the following:' is set to 'Enabled: 2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker
18.9.11.1.13 Ensure 'Configure use of hardware-based encryption for fixed data drives: Restrict crypto algorithms or cipher suites to the following:' is set to 'Enabled: 2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42' | Windows | CIS Microsoft Windows 10 Enterprise (Release 1809) v1.6.1 BL