3.1.18—Access Control - Derived
>Control Description
>Discussion
A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the device to capture information, or built-in features for synchronizing local data with remote locations. Examples of mobile devices include smart phones, e-readers, and tablets.
Due to the large variety of mobile devices with different technical characteristics and capabilities, organizational restrictions may vary for the different types of devices. Usage restrictions and implementation guidance for mobile devices include: device identification and authentication; configuration management; implementation of mandatory protective software (e.g., malicious code detection, firewall); scanning devices for malicious code; updating virus protection software; scanning for critical software updates and patches; conducting primary operating system (and possibly other resident software) integrity checks; and disabling unnecessary hardware (e.g., wireless, infrared). The need to provide adequate security for mobile devices goes beyond this requirement.
Many controls for mobile devices are reflected in other CUI security requirements. [SP 800-124] provides guidance on mobile device security.
>Cross-Framework Mappings
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What policies govern account management for information systems?
- What procedures address account creation, modification, and termination?
- Who approves different types of accounts (user, admin, service)?
- How often are accounts reviewed for appropriateness?
- What governance ensures terminated accounts are disabled promptly?
Technical Implementation:
- What account management systems and workflows are implemented?
- How do you automate account provisioning and deprovisioning?
- What controls enforce account approval requirements?
- How are dormant or unused accounts identified and disabled?
- What mechanisms link account lifecycle to HR systems?
Evidence & Documentation:
- Can you provide account creation approval records?
- What audit logs track account creation, modification, and deletion?
- Can you show evidence of regular account reviews?
- What reports identify dormant accounts and remediation?
- What documentation proves terminated employee accounts are disabled?