Configure Systems, Components, or Devices for High-Risk Areas CM-2(7)
Overview:
The organization:
(a) Issues [Assignment: organization-defined information systems, system components, or devices] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and
(b) Applies [Assignment: organization-defined security safeguards] to the devices when the individuals return.
Supplemental Guidance:
When it is known that information systems, system components, or devices (e.g., notebook computers, mobile devices) will be located in high-risk areas, additional security controls may be implemented to counter the greater threat in such areas coupled with the lack of physical security relative to organizational-controlled areas. Organizational policies and procedures for notebook computers used by individuals departing on and returning from travel include, for example, determining which locations are of concern, defining required configurations for the devices, ensuring that the devices are configured as intended before travel is initiated, and applying specific safeguards to the device after travel is completed. Specially configured notebook computers include, for example, computers with sanitized hard drives, limited applications, and additional hardening (e.g., more stringent configuration settings). Specified safeguards applied to mobile devices upon return from travel include, for example, examining the device for signs of physical tampering and purging/reimaging the hard disk drive. Protecting information residing on mobile devices is covered in the media protection family.
Action Items:
1) Create hardened baselines for devices that may be taken to high-risk areas
2) Ensure that devices that have returned from high-risk areas are thoroughly scanned for any issues
Related Documents:
1) Secure Systems Configuration Policy
2) Acceptable Use Policy
3) Vulnerability Management Policy
Additional Guidance:
Moderate FedRAMP-Defined Assignment / Selection Parameters
none
Moderate Additional FedRAMP Requirements and Guidance
none