AC-7(2) Purge Or Wipe Mobile Device

Control Description

Purge or wipe information from organization-defined mobile devices, based on organization-defined purging or wiping requirements and techniques, after an organization-defined number of consecutive, unsuccessful device logon attempts.

Supplemental Guidance

A mobile device is a computing device that has a small form factor such that it can be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Purging or wiping the device applies only to mobile devices for which the organization-defined number of unsuccessful logons occurs. The logon is to the mobile device, not to any one account on the device.

Successful logons to accounts on mobile devices reset the unsuccessful logon count to zero. Purging or wiping may be unnecessary if the information on the device is protected with sufficiently strong encryption mechanisms.

Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of AC-7(2) (Purge Or Wipe Mobile Device)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring AC-7(2)?
  • How frequently is the AC-7(2) policy reviewed and updated, and what triggers policy changes?
  • What training or awareness programs ensure personnel understand their responsibilities related to AC-7(2)?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce AC-7(2) requirements.
  • What automated tools, systems, or technologies are deployed to implement AC-7(2)?
  • How is AC-7(2) integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce AC-7(2) requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of AC-7(2)?
  • What audit logs, records, reports, or monitoring data validate AC-7(2) compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of AC-7(2) effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate AC-7(2) compliance?
