SC-42: Sensor Capability and Data
Control Family:
Threats Addressed:
Baselines:
- Low
N/A
- Moderate
N/A
- High
N/A
- Privacy
N/A
Previous Version:
- NIST Special Publication 800-53 Revision 4:
- SC-42: Sensor Capability And Data
Incorporates the following control from the previous version: SC-42(3): Prohibit Use Of Devices.
Control Statement
- Prohibit [Assignment (one or more): the use of devices possessing [Assignment: organization-defined environmental sensing capabilities] in [Assignment: organization-defined facilities, areas, or systems] , the remote activation of environmental sensing capabilities on organizational systems or system components with the following exceptions: [Assignment: organization-defined exceptions where remote activation of sensors is allowed] ]; and
- Provide an explicit indication of sensor use to [Assignment: organization-defined class of users].
Supplemental Guidance
Sensor capability and data applies to types of systems or system components characterized as mobile devices, such as cellular telephones, smart phones, and tablets. Mobile devices often include sensors that can collect and record data regarding the environment where the system is in use. Sensors that are embedded within mobile devices include microphones, cameras, Global Positioning System (GPS) mechanisms, and accelerometers. While the sensors on mobiles devices provide an important function, if activated covertly, such devices can potentially provide a means for adversaries to learn valuable information about individuals and organizations. For example, remotely activating the GPS function on a mobile device could provide an adversary with the ability to track the movements of an individual. Organizations may prohibit individuals from bringing cellular telephones or digital cameras into certain designated facilities or controlled areas within facilities where classified information is stored or sensitive conversations are taking place.
Control Enhancements
SC-42(1): Reporting to Authorized Individuals or Roles
Baseline(s):
Verify that the system is configured so that data or information collected by the [Assignment: organization-defined sensors] is only reported to authorized individuals or roles.
SC-42(2): Authorized Use
Baseline(s):
Employ the following measures so that data or information collected by [Assignment: organization-defined sensors] is only used for authorized purposes: [Assignment: organization-defined measures].
SC-42(4): Notice of Collection
Baseline(s):
Employ the following measures to facilitate an individual’s awareness that personally identifiable information is being collected by [Assignment: organization-defined sensors]: [Assignment: organization-defined measures].
SC-42(5): Collection Minimization
Baseline(s):
Employ [Assignment: organization-defined sensors] that are configured to minimize the collection of information about individuals that is not needed.