DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
A mobile device is a computing device that has a small form factor such that it can easily be
carried by a single individual; is designed to operate without a physical connection (e.g.,
wirelessly transmit or receive information); possesses local, non-removable or removable
data storage; and includes a self-contained power source. Mobile devices may also include
voice communication capabilities, on-board sensors that allow the device to capture
information, or built-in features for synchronizing local data with remote locations.
Examples of mobile devices include smart phones, e-readers, and tablets.
Due to the large variety of mobile devices with different technical characteristics and
capabilities, organizational restrictions may vary for the different types of devices. Usage
restrictions and implementation guidance for mobile devices include: device identification
and authentication; configuration management; implementation of mandatory protective
software (e.g., malicious code detection, firewall); scanning devices for malicious code;
updating virus protection software; scanning for critical software updates and patches;
conducting primary operating system (and possibly other resident software) integrity
checks; and disabling unnecessary hardware (e.g., wireless, infrared). The need to provide
adequate security for mobile devices goes beyond this requirement. Many controls for
mobile devices are reflected in other CUI security requirements.
CMMC CLARIFICATION
Organizations should establish guidelines and acceptable practices for the proper
configuration and use of mobile devices. First, the device must be identified. The
availability of a unique identifier depends on the device vendor, the openness of the
vendor's API, whether the device is under EMM/MDM control and, if so, the approach taken
by the developer of the EMM/MDM. There are many different types of identifiers (e.g.,
UDID, UUID, Android ID, IMEI, MAC Address, serial number, MDM generated ID) that can be
used to identify the device, and an organization must choose an approach that applies
under its specific circumstances. Once the device is identified and authenticated, it is
checked to ensure it complies with the appropriate configuration settings and software
versions for the operating system and applications. At the same time, the device is checked
to ensure anti-virus software is running with current definitions. Finally, hardware
configurations are checked to ensure any disallowed features are turned off.
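The sequence of checks described in the discussion and the clarification above (identify the device, verify its OS and software configuration, confirm protective software is running with current definitions, confirm disallowed hardware features are off) can be expressed as a single posture evaluation that a connection decision is made from. The following is an added example written for this page; it is not code from NIST, the CMMC model, or any EMM/MDM vendor. The policy values, the device posture records and their field names (mdm_id, platform, os_version, software, antivirus, hardware) are constructed assumptions standing in for whatever a real MDM agent reports.

```python
"""Added example: evaluate a mobile device's reported posture against an
organizational policy before it is allowed to connect.

The policy values and device records here are constructed for illustration;
the field names are assumptions, not any MDM vendor's API.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set, Tuple


@dataclass
class Policy:
    """Organizational mobile device policy (constructed values)."""
    approved_device_ids: Set[str]               # identifiers registered with IT
    min_os_version: Dict[str, Tuple[int, ...]]  # platform -> minimum version
    required_software: Set[str]                 # mandatory protective software
    max_av_definition_age_days: int             # how stale AV definitions may be
    disallowed_hardware: Set[str]               # features that must be disabled


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '16.4.1' into (16, 4, 1) so versions compare numerically.
    A plain string compare would wrongly rank '9.0' above '13'."""
    return tuple(int(part) for part in version.split("."))


def evaluate_device(device: dict, policy: Policy, today: date) -> List[str]:
    """Run the checks in the order the clarification describes and return
    every finding; an empty list means the device may connect."""
    findings: List[str] = []

    # 1. Identification: the device identifier must be registered with IT.
    dev_id = device.get("mdm_id")
    if dev_id not in policy.approved_device_ids:
        findings.append(f"identifier {dev_id!r} not registered")

    # 2. Configuration management: permitted platform, OS at or above minimum.
    platform = device.get("platform")
    minimum = policy.min_os_version.get(platform)
    if minimum is None:
        findings.append(f"platform {platform!r} not permitted by policy")
    elif parse_version(device.get("os_version", "0")) < minimum:
        wanted = ".".join(str(n) for n in minimum)
        findings.append(f"os {device['os_version']} below minimum {wanted}")

    # 3. Mandatory protective software must be installed and running.
    installed = {app["name"]: app for app in device.get("software", [])}
    for name in sorted(policy.required_software):
        app = installed.get(name)
        if app is None:
            findings.append(f"required software {name!r} missing")
        elif not app.get("running", False):
            findings.append(f"required software {name!r} not running")

    # 4. Anti-virus definitions must be current.
    av = device.get("antivirus")
    if av is None:
        findings.append("no anti-virus status reported")
    else:
        age = (today - date.fromisoformat(av["definitions_date"])).days
        if age > policy.max_av_definition_age_days:
            findings.append(f"av definitions {age} days old "
                            f"(max {policy.max_av_definition_age_days})")

    # 5. Hardware configuration: disallowed features must be turned off.
    for feature in sorted(policy.disallowed_hardware):
        if device.get("hardware", {}).get(feature, False):
            findings.append(f"disallowed hardware {feature!r} is enabled")

    return findings


def connection_decision(findings: List[str]) -> str:
    """Any finding denies the connection; remediation is the owner's job."""
    return "allow" if not findings else "deny"


# Constructed sample inputs (not from any real MDM or organization).
AS_OF = date(2023, 5, 10)

POLICY = Policy(
    approved_device_ids={"mdm-0001", "mdm-0002"},
    min_os_version={"ios": (16, 0), "android": (13,)},
    required_software={"CorpEndpointProtect"},
    max_av_definition_age_days=7,
    disallowed_hardware={"infrared", "usb_tethering"},
)

COMPLIANT_DEVICE = {
    "mdm_id": "mdm-0001",
    "platform": "ios",
    "os_version": "16.4.1",
    "software": [{"name": "CorpEndpointProtect", "running": True}],
    "antivirus": {"definitions_date": "2023-05-08"},
    "hardware": {"infrared": False, "usb_tethering": False},
}

NONCOMPLIANT_DEVICE = {
    "mdm_id": "mdm-9999",        # never registered with IT
    "platform": "android",
    "os_version": "9.0",         # below minimum; a string compare would miss it
    "software": [{"name": "CorpEndpointProtect", "running": False}],
    "antivirus": {"definitions_date": "2023-04-01"},
    "hardware": {"infrared": True, "usb_tethering": False},
}

if __name__ == "__main__":
    for dev in (COMPLIANT_DEVICE, NONCOMPLIANT_DEVICE):
        result = evaluate_device(dev, POLICY, AS_OF)
        print(dev["mdm_id"], connection_decision(result), result)
```

Running the block evaluates both constructed devices: the first passes every check and is allowed, the second is denied with one finding per failed check (unregistered identifier, OS below minimum, protective software not running, stale definitions, infrared enabled). Reporting all findings rather than stopping at the first lets the device owner fix everything in one pass, while the decision itself stays strict.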
Example
Your organization has a policy that provides guidelines for using mobile devices such as
iPads, tablets, mobile phones, and PDAs. It states that all mobile devices must be approved and
registered with the IT department before connecting to the network. The IT department
uses a Mobile Device Management solution to monitor mobile devices and enforce policies
across the enterprise.
References
• NIST SP 800-171 Rev 1 3.1.18
• CIS Controls v7.1 13.6, 16.7
• NIST CSF v1.1 PR.AC-3, PR.AC-6
• CERT RMM v1.2 TM:SG2.SP2
• NIST SP 800-53 Rev 4 AC-19
• UK NCSC Cyber Essentials