AC-19(4): Restrictions For Classified Information

Control Family:

Access Control

Baselines:

(Not part of any baseline)

Control Statement

The organization:

  1. Prohibits the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official; and
  2. Enforces the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information:
    1. Connection of unclassified mobile devices to classified information systems is prohibited;
    2. Connection of unclassified mobile devices to unclassified information systems requires approval from the authorizing official;
    3. Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and
    4. Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by [Assignment: organization-defined security officials], and if classified information is found, the incident handling policy is followed.
  3. Restricts the connection of classified mobile devices to classified information systems in accordance with [Assignment: organization-defined security policies].