AC-19 (05)—Access Control for Mobile Devices | Full Device or Container-based Encryption

Moderate

High

>Control Description

Employ ☑full-device encryption; container-based encryption to protect the confidentiality and integrity of information on ⚙organization-defined mobile devices.

>FedRAMP Baseline Requirements

No FedRAMP-specific parameter values or requirements for this baseline.

>Discussion

Container-based encryption provides a more fine-grained approach to data and information encryption on mobile devices, including encrypting selected data structures such as files, records, or fields.

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

•What formal policies and procedures govern the implementation of AC-19(5) (Full Device Or Container-Based Encryption)?
•Who are the designated roles responsible for implementing, maintaining, and monitoring AC-19(5)?
•How frequently is the AC-19(5) policy reviewed and updated, and what triggers policy changes?
•What training or awareness programs ensure personnel understand their responsibilities related to AC-19(5)?

Technical Implementation:

•Describe the specific technical mechanisms or controls used to enforce AC-19(5) requirements.
•What automated tools, systems, or technologies are deployed to implement AC-19(5)?
•How is AC-19(5) integrated into your system architecture and overall security posture?
•What configuration settings, parameters, or technical specifications enforce AC-19(5) requirements?

Evidence & Documentation:

•What documentation demonstrates the complete implementation of AC-19(5)?
•What audit logs, records, reports, or monitoring data validate AC-19(5) compliance?
•Can you provide evidence of periodic reviews, assessments, or testing of AC-19(5) effectiveness?
•What artifacts would you present during a FedRAMP assessment to demonstrate AC-19(5) compliance?

Ask AI

Configure your API key to use AI features.