myctrl.tools
Compare

SC-42Sensor Capability And Data

>Control Description

a

Prohibit [Selection (one or more): the use of devices possessing organization-defined environmental sensing capabilities in organization-defined facilities, areas, or systems; the remote activation of environmental sensing capabilities on organizational systems or system components with the following exceptions: organization-defined exceptions where remote activation of sensors is allowed]; and

b

Provide an explicit indication of sensor use to organization-defined group of users.

>Control Enhancements(5)

SC-42(1)
SC-42(2)
SC-42(3)
SC-42(4)
SC-42(5)

>Cross-Framework Mappings

SCF

END-13
Compare

>Supplemental Guidance

Sensor capability and data applies to types of systems or system components characterized as mobile devices, such as cellular telephones, smart phones, and tablets. Mobile devices often include sensors that can collect and record data regarding the environment where the system is in use. Sensors that are embedded within mobile devices include microphones, cameras, Global Positioning System (GPS) mechanisms, and accelerometers.

While the sensors on mobiles devices provide an important function, if activated covertly, such devices can potentially provide a means for adversaries to learn valuable information about individuals and organizations. For example, remotely activating the GPS function on a mobile device could provide an adversary with the ability to track the movements of an individual. Organizations may prohibit individuals from bringing cellular telephones or digital cameras into certain designated facilities or controlled areas within facilities where classified information is stored or sensitive conversations are taking place.

>Related Controls

SC-15

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern the implementation of sensor capability and data?
  • How are system and communications protection requirements defined and maintained?
  • Who is responsible for configuring and maintaining the security controls specified in SC-42?

Technical Implementation:

  • How is sensor capability and data technically implemented in your environment?
  • What systems, tools, or configurations enforce this protection requirement?
  • How do you ensure that sensor capability and data remains effective as the system evolves?

Evidence & Documentation:

  • What documentation demonstrates the implementation of SC-42?
  • Can you provide configuration evidence or system diagrams showing this protection control?
  • What logs or monitoring data verify that this control is functioning correctly?

Ask AI

Configure your API key to use AI features.