Name: Episode 16_ACCESS CONTROL FOR MOBILE DEVICES_ (AC-19)
Uploaded: 2023-05-17 23:31:11
Duration: 11 min 38 s

Question 1

What is NIST 800-53 AC-19 (Access Control for Mobile Devices)?

Accepted Answer

AC-19 is about putting security measures in place to regulate and manage access to organizational resources and data on mobile devices like smartphones and tablets. In this video, I explain that it’s focused on configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices. It also emphasizes what happens when devices are outside the organizational perimeter.

Question 2

What are examples of mobile device access controls for AC-19?

Accepted Answer

I cover common mechanisms like passwords/PINs and patterns, plus biometric authentication like fingerprint and face recognition. I also talk about device encryption to protect data at rest. And I highlight remote wipe so admins can wipe a lost or stolen device to prevent data exposure.

Question 3

Is AC-19 applicable to most systems in an SSP?

Accepted Answer

A lot of the time, AC-19 ends up being not applicable for many systems unless the system actually incorporates mobile devices as part of its functionality. That’s why I tell you to pay attention when you’re reviewing the SSP before an assessment. If mobile device connectivity isn’t part of the system boundary, AC-19 may not apply.

Question 4

How do you assess or test AC-19 during a Security Control Assessment (SCA)?

Accepted Answer

My first step is to obtain and examine the SSP and the access control policy and procedures to understand the organization’s mobile device restrictions and connection requirements. After that, I validate implementation by attempting to connect through a mobile device connection point if possible. If hands-on testing isn’t possible, configuration evidence like screenshots can also support the assessment.

Question 5

What evidence should I collect for AC-19 in continuous monitoring?

Accepted Answer

I start with the documentation: SSP implementation statements and the organization’s access control policy/procedure for mobile devices. Then I look for proof the restrictions are actually enforced—like access point configuration settings or other configuration artifacts. If you can, an actual connection attempt and observation of restrictions is strong evidence.

Question 6

What are the benefits of implementing strong mobile device access control?

Accepted Answer

I call out remote device management as a big benefit—especially remote wipe when devices are missing or stolen. Strong authentication controls let you enforce things like longer PINs or biometrics. And overall, it helps protect data and supports regulatory compliance requirements depending on what your organization must follow.

Question 7

Why do you say assessors should not reuse the same AC-19 assessment approach across organizations?

Accepted Answer

Because every organization implements controls differently, and AC-19 is subjective in how restrictions and connection requirements are defined. I always tell people: read the policy and the SSP implementation statement first, then request evidence that matches what they claim. Agency A is not Agency B, so don’t assume the same artifacts and configurations apply.

Episode 16_ACCESS CONTROL FOR MOBILE DEVICES_ (AC-19)

🛍️ Products Mentioned (4)

Official NIST publications, standards, and guidance

Official KamilSec branded designs and apparel

PayPal

*Patreon & Channel Support*******

About This Video

Frequently Asked Questions

🎬 More from KamilSec