800-53|AC-19(5)

Title

FULL DEVICE / CONTAINER-BASED ENCRYPTION

Description

The organization employs [Selection: full-device encryption; container encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices].

Supplemental

Container-based encryption provides a more fine-grained approach to the encryption of data/information on mobile devices, including for example, encrypting selected data structures such as files, records, or fields.

Reference Item Details

Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Related: MP-5,SC-13,SC-28

Category: ACCESS CONTROL

Parent Title: ACCESS CONTROL FOR MOBILE DEVICES

Family: ACCESS CONTROL

Baseline Impact: MODERATE,HIGH

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
1.1.15 - AirWatch - Enable 'Encrypt phone'	MDM	AirWatch - CIS Google Android 4 v1.0.0 L1
1.1.15 - MobileIron - Enable 'Encrypt phone'	MDM	MobileIron - CIS Google Android 4 v1.0.0 L1
1.9 Ensure 'Encrypt phone' or 'Encrypt tablet' is set to Enabled	MDM	AirWatch - CIS Google Android 7 v1.0.0 L1
1.9 Ensure 'Encrypt phone' or 'Encrypt tablet' is set to Enabled	MDM	MobileIron - CIS Google Android 7 v1.0.0 L1
18.10.9.1.1 Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled'	Windows	CIS Microsoft Windows 11 Enterprise v2.0.0 BL
18.10.9.1.1 Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled'	Windows	CIS Microsoft Windows 10 Enterprise v2.0.0 L2 + BL + NG
18.10.9.1.1 Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled'	Windows	CIS Microsoft Windows 10 Enterprise v2.0.0 L2 + BL
18.10.9.1.1 Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled'	Windows	CIS Microsoft Windows 10 Enterprise v2.0.0 BL
18.10.9.1.1 Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled'	Windows	CIS Microsoft Windows 10 Enterprise v2.0.0 L1 + BL
18.10.9.1.1 Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled'	Windows	CIS Microsoft Windows 11 Enterprise v2.0.0 L2 + BL
18.10.9.1.1 Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled'	Windows	CIS Microsoft Windows 10 Enterprise v2.0.0 L1 + BL + NG
18.10.9.1.1 Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled'	Windows	CIS Microsoft Windows 10 EMS Gateway v2.0.0 L1
18.10.9.1.1 Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled'	Windows	CIS Microsoft Windows 11 Enterprise v2.0.0 L1 + BL
18.10.9.1.1 Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled' - Disabled	Windows	CIS Microsoft Windows 10 Stand-alone v2.0.0 L1 + BL + NG
18.10.9.1.1 Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled' - Disabled	Windows	CIS Microsoft Windows 10 Stand-alone v2.0.0 L1 + BL
18.10.9.1.1 Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled' - Disabled	Windows	CIS Microsoft Windows 11 Stand-alone v2.0.0 L2 + BL
18.10.9.1.1 Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled' - Disabled	Windows	CIS Microsoft Windows 11 Stand-alone v2.0.0 BL
18.10.9.1.1 Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled' - Disabled	Windows	CIS Microsoft Windows 10 Stand-alone v2.0.0 BL
18.10.9.1.1 Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled' - Disabled	Windows	CIS Microsoft Windows 10 Stand-alone v2.0.0 L2 + BL + NG
18.10.9.1.1 Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled' - Disabled	Windows	CIS Microsoft Windows 10 Stand-alone v2.0.0 L2 + BL
18.10.9.1.1 Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled' - Disabled	Windows	CIS Microsoft Windows 11 Stand-alone v2.0.0 L1 + BL
18.10.9.1.10 Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled'	Windows	CIS Microsoft Windows 11 Enterprise v2.0.0 L1 + BL
18.10.9.1.10 Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled'	Windows	CIS Microsoft Windows 11 Enterprise v2.0.0 L2 + BL
18.10.9.1.10 Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled'	Windows	CIS Microsoft Windows 10 Enterprise v2.0.0 L2 + BL
18.10.9.1.10 Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled'	Windows	CIS Microsoft Windows 10 Enterprise v2.0.0 BL
18.10.9.1.10 Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled'	Windows	CIS Microsoft Windows 10 Enterprise v2.0.0 L2 + BL + NG
18.10.9.1.10 Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled'	Windows	CIS Microsoft Windows 10 Enterprise v2.0.0 L1 + BL + NG
18.10.9.1.10 Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled'	Windows	CIS Microsoft Windows 10 Enterprise v2.0.0 L1 + BL
18.10.9.1.10 Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled'	Windows	CIS Microsoft Windows 10 EMS Gateway v2.0.0 L1
18.10.9.1.10 Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled'	Windows	CIS Microsoft Windows 11 Enterprise v2.0.0 BL
18.10.9.1.10 Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled' - Disabled	Windows	CIS Microsoft Windows 11 Stand-alone v2.0.0 L2 + BL
18.10.9.1.10 Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled' - Disabled	Windows	CIS Microsoft Windows 10 Stand-alone v2.0.0 L1 + BL + NG
18.10.9.1.10 Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled' - Disabled	Windows	CIS Microsoft Windows 11 Stand-alone v2.0.0 L1 + BL
18.10.9.1.10 Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled' - Disabled	Windows	CIS Microsoft Windows 10 Stand-alone v2.0.0 BL
18.10.9.1.10 Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled' - Disabled	Windows	CIS Microsoft Windows 11 Stand-alone v2.0.0 BL
18.10.9.1.10 Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled' - Disabled	Windows	CIS Microsoft Windows 10 Stand-alone v2.0.0 L2 + BL
18.10.9.1.10 Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled' - Disabled	Windows	CIS Microsoft Windows 10 Stand-alone v2.0.0 L2 + BL + NG
18.10.9.1.10 Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled' - Disabled	Windows	CIS Microsoft Windows 10 Stand-alone v2.0.0 L1 + BL
18.10.9.2.10 Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False'	Windows	CIS Microsoft Intune for Windows 11 v2.0.0 L2 + BL
18.10.9.2.10 Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False'	Windows	CIS Microsoft Intune for Windows 10 v2.0.0 L1 + BL
18.10.9.2.10 Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False'	Windows	CIS Microsoft Intune for Windows 10 v2.0.0 L2 + BL + NG
18.10.9.2.10 Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False'	Windows	CIS Microsoft Intune for Windows 11 v2.0.0 BitLocker
18.10.9.2.10 Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False'	Windows	CIS Microsoft Intune for Windows 11 v2.0.0 L1 + BL
18.10.9.2.10 Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False'	Windows	CIS Microsoft Intune for Windows 10 v2.0.0 L1 + BL + NG
18.10.9.2.10 Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False'	Windows	CIS Microsoft Intune for Windows 10 v2.0.0 L2 + BL
18.10.9.2.10 Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False'	Windows	CIS Microsoft Intune for Windows 10 v2.0.0 Bitlocker
18.10.9.2.10 Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False'	Windows	CIS Microsoft Intune for Windows 11 v2.0.0 L2 + BL + NG
18.10.9.2.10 Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False'	Windows	CIS Microsoft Intune for Windows 11 v2.0.0 L1 + BL + NG
18.10.9.2.11 Ensure 'Configure use of hardware-based encryption for operating system drives' is set to 'Disabled'	Windows	CIS Microsoft Windows 11 Enterprise v2.0.0 BL
18.10.9.2.11 Ensure 'Configure use of hardware-based encryption for operating system drives' is set to 'Disabled'	Windows	CIS Microsoft Windows 11 Enterprise v2.0.0 L2 + BL

Detections

Analytics