800-53|AC-19(5)

Title

FULL DEVICE / CONTAINER-BASED ENCRYPTION

Description

The organization employs [Selection: full-device encryption; container encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices].

Supplemental

Container-based encryption provides a more fine-grained approach to the encryption of data/information on mobile devices, including for example, encrypting selected data structures such as files, records, or fields.

Reference Item Details

Related: MP-5,SC-13,SC-28

Category: ACCESS CONTROL

Parent Title: ACCESS CONTROL FOR MOBILE DEVICES

Family: ACCESS CONTROL

Baseline Impact: MODERATE,HIGH

Audit Items

View all Reference Audit Items

NamePluginAudit Name
1.1.15 - AirWatch - Enable 'Encrypt phone'MDMAirWatch - CIS Google Android 4 v1.0.0 L1
1.1.15 - MobileIron - Enable 'Encrypt phone'MDMMobileIron - CIS Google Android 4 v1.0.0 L1
1.9 Ensure 'Encrypt phone' or 'Encrypt tablet' is set to EnabledMDMAirWatch - CIS Google Android 7 v1.0.0 L1
1.9 Ensure 'Encrypt phone' or 'Encrypt tablet' is set to EnabledMDMMobileIron - CIS Google Android 7 v1.0.0 L1
18.10.9.1.1 Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled'WindowsCIS Microsoft Windows 11 Enterprise v2.0.0 BL
18.10.9.1.1 Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled'WindowsCIS Microsoft Windows 10 Enterprise v2.0.0 BL
18.10.9.1.1 Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled'WindowsCIS Microsoft Windows 10 Enterprise v2.0.0 L2 + BL + NG
18.10.9.1.1 Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled'WindowsCIS Microsoft Windows 10 Enterprise v2.0.0 L2 + BL
18.10.9.1.1 Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled'WindowsCIS Microsoft Windows 10 Enterprise v2.0.0 L1 + BL
18.10.9.1.1 Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled'WindowsCIS Microsoft Windows 11 Enterprise v2.0.0 L2 + BL
18.10.9.1.1 Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled'WindowsCIS Microsoft Windows 11 Enterprise v2.0.0 L1 + BL
18.10.9.1.1 Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled'WindowsCIS Microsoft Windows 10 Enterprise v2.0.0 L1 + BL + NG
18.10.9.1.1 Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled'WindowsCIS Microsoft Windows 10 EMS Gateway v2.0.0 L1
18.10.9.1.1 Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled' - DisabledWindowsCIS Microsoft Windows 10 Stand-alone v2.0.0 L1 + BL + NG
18.10.9.1.1 Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled' - DisabledWindowsCIS Microsoft Windows 10 Stand-alone v2.0.0 L1 + BL
18.10.9.1.1 Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled' - DisabledWindowsCIS Microsoft Windows 11 Stand-alone v2.0.0 L2 + BL
18.10.9.1.1 Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled' - DisabledWindowsCIS Microsoft Windows 11 Stand-alone v2.0.0 BL
18.10.9.1.1 Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled' - DisabledWindowsCIS Microsoft Windows 10 Stand-alone v2.0.0 L2 + BL
18.10.9.1.1 Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled' - DisabledWindowsCIS Microsoft Windows 11 Stand-alone v2.0.0 L1 + BL
18.10.9.1.1 Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled' - DisabledWindowsCIS Microsoft Windows 10 Stand-alone v2.0.0 L2 + BL + NG
18.10.9.1.1 Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled' - DisabledWindowsCIS Microsoft Windows 10 Stand-alone v2.0.0 BL
18.10.9.1.10 Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled'WindowsCIS Microsoft Windows 11 Enterprise v2.0.0 L2 + BL
18.10.9.1.10 Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled'WindowsCIS Microsoft Windows 10 Enterprise v2.0.0 BL
18.10.9.1.10 Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled'WindowsCIS Microsoft Windows 10 Enterprise v2.0.0 L2 + BL + NG
18.10.9.1.10 Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled'WindowsCIS Microsoft Windows 10 Enterprise v2.0.0 L2 + BL
18.10.9.1.10 Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled'WindowsCIS Microsoft Windows 10 Enterprise v2.0.0 L1 + BL
18.10.9.1.10 Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled'WindowsCIS Microsoft Windows 10 Enterprise v2.0.0 L1 + BL + NG
18.10.9.1.10 Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled'WindowsCIS Microsoft Windows 11 Enterprise v2.0.0 L1 + BL
18.10.9.1.10 Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled'WindowsCIS Microsoft Windows 10 EMS Gateway v2.0.0 L1
18.10.9.1.10 Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled'WindowsCIS Microsoft Windows 11 Enterprise v2.0.0 BL
18.10.9.1.10 Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled' - DisabledWindowsCIS Microsoft Windows 11 Stand-alone v2.0.0 L2 + BL
18.10.9.1.10 Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled' - DisabledWindowsCIS Microsoft Windows 10 Stand-alone v2.0.0 BL
18.10.9.1.10 Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled' - DisabledWindowsCIS Microsoft Windows 10 Stand-alone v2.0.0 L1 + BL + NG
18.10.9.1.10 Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled' - DisabledWindowsCIS Microsoft Windows 11 Stand-alone v2.0.0 L1 + BL
18.10.9.1.10 Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled' - DisabledWindowsCIS Microsoft Windows 11 Stand-alone v2.0.0 BL
18.10.9.1.10 Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled' - DisabledWindowsCIS Microsoft Windows 10 Stand-alone v2.0.0 L2 + BL
18.10.9.1.10 Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled' - DisabledWindowsCIS Microsoft Windows 10 Stand-alone v2.0.0 L1 + BL
18.10.9.1.10 Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled' - DisabledWindowsCIS Microsoft Windows 10 Stand-alone v2.0.0 L2 + BL + NG
18.10.9.2.10 Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False'WindowsCIS Microsoft Intune for Windows 11 v2.0.0 L1 + BL
18.10.9.2.10 Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False'WindowsCIS Microsoft Intune for Windows 10 v2.0.0 L2 + BL + NG
18.10.9.2.10 Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False'WindowsCIS Microsoft Intune for Windows 11 v2.0.0 L2 + BL
18.10.9.2.10 Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False'WindowsCIS Microsoft Intune for Windows 11 v2.0.0 BitLocker
18.10.9.2.10 Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False'WindowsCIS Microsoft Intune for Windows 10 v2.0.0 L1 + BL
18.10.9.2.10 Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False'WindowsCIS Microsoft Intune for Windows 10 v2.0.0 L2 + BL
18.10.9.2.10 Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False'WindowsCIS Microsoft Intune for Windows 10 v2.0.0 Bitlocker
18.10.9.2.10 Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False'WindowsCIS Microsoft Intune for Windows 11 v2.0.0 L1 + BL + NG
18.10.9.2.10 Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False'WindowsCIS Microsoft Intune for Windows 10 v2.0.0 L1 + BL + NG
18.10.9.2.10 Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False'WindowsCIS Microsoft Intune for Windows 11 v2.0.0 L2 + BL + NG
18.10.9.2.11 Ensure 'Configure use of hardware-based encryption for operating system drives' is set to 'Disabled'WindowsCIS Microsoft Windows 11 Enterprise v2.0.0 L2 + BL
18.10.9.2.11 Ensure 'Configure use of hardware-based encryption for operating system drives' is set to 'Disabled'WindowsCIS Microsoft Windows 11 Enterprise v2.0.0 BL