Appendix A List of Acronyms¶
AD |
Active Directory |
API |
Application Programming Interface |
ATARC |
Advanced Technology Academic Research Center |
ATS |
App Transport Security |
BYOD |
Bring Your Own Device |
CIS |
Center for Internet Security |
CN |
Common Name |
COMSEC |
Communications Security |
COPE |
Corporate-Owned Personally-Enabled |
CRADA |
Cooperative Research and Development Agreement |
DHS |
Department of Homeland Security |
DN |
Distinguished Name |
EMM |
Enterprise Mobility Management |
FIPS |
Federal Information Processing Standards |
GDPR |
General Data Protection Regulation |
HTTP |
Hypertext Transfer Protocol |
HTTPS |
Hypertext Transfer Protocol Secure |
IBM |
International Business Machines |
ICS |
Industrial Control System |
IEC |
International Electrotechnical Commission |
iOS |
iPhone Operating System |
IP |
Internet Protocol |
ISO |
International Organization for Standardization |
ITL |
Information Technology Laboratory |
mDL |
Mobile Driver’s License |
MDM |
Mobile Device Management |
MSCT |
Mobile Services Category Team |
MTD |
Mobile Threat Defense |
NCCoE |
National Cybersecurity Center of Excellence |
NDES |
Network Device Enrollment Service |
NIAP |
National Information Assurance Partnership |
NICE |
National Initiative for Cybersecurity Education |
NIST |
National Institute of Standards and Technology |
NISTIR |
NIST Interagency Report |
OS |
Operating System |
OWASP |
Open Web Application Security Project |
PII |
Personally Identifiable Information |
PRAM |
Privacy Risk Assessment Methodology |
REST |
Representational State Transfer |
SCEP |
Simple Certificate Enrollment Protocol |
SMTP |
Simple Mail Transport Protocol |
SP |
Special Publication |
SSID |
Service Set Identifier |
Appendix B Glossary¶
Access Management |
Access Management is the set of practices that enables only those permitted the ability to perform an action on a particular resource. The three most common Access Management services you encounter every day perhaps without realizing it are: Policy Administration, Authentication, and Authorization [B32]. |
Availability |
Ensure that users can access resources through remote access whenever needed [B33]. |
Bring Your Own Device (BYOD) |
A non-organization-controlled telework client device [B33]. |
Confidentiality |
Ensure that remote access communications and stored user data cannot be read by unauthorized parties [B33]. |
Data Actions |
System operations that process personally identifiable information (PII) [B34]. |
Disassociability |
Enabling the processing of PII or events without association to individuals or devices beyond the operational requirements of the system [B34]. |
Eavesdropping |
An attack in which an attacker listens passively to the authentication protocol to capture information which can be used in a subsequent active attack to masquerade as the claimant [B35] (definition located under eavesdropping attack). |
Firewall |
Firewalls are devices or programs that control the flow of network traffic between networks or hosts that employ differing security postures [B36]. |
Integrity |
Detect any intentional or unintentional changes to remote access communications that occur in transit [B33]. |
Manageability |
Providing the capability for granular administration of PII including alteration, deletion, and selective disclosure [B34]. |
Mobile Device |
A portable computing device that: (i) has a small form factor such that it can easily be carried by a single individual; (ii) is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); (iii) possesses local, non-removable or removable data storage; and (iv) includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the devices to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones, tablets, and E-readers [B31]. |
Personally Identifiable Information (PII) |
Any information about an individual maintained by an agency, including any information that can be used to distinguish or trace an individual‘s identity, such as name, Social Security number, date and place of birth, mother‘s maiden name, or biometric records; and any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information [B37] (adapted from Government Accountability Office Report 08-536). |
Predictability |
Enabling of reliable assumptions by individuals, owners, and operators about PII and its processing by a system [B34]. |
Privacy Event |
The occurrence or potential occurrence of problematic data actions [B2]. |
Problematic Data Action |
A data action that could cause an adverse effect for individuals [B2]. |
Threat |
Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service [B8]. |
Vulnerability |
Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source [B8]. |
Appendix C References¶
- B1(1,2)
National Institute of Standards and Technology (NIST). NIST Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 (Cybersecurity Framework). Apr. 16, 2018. [Online]. Available: https://www.nist.gov/cyberframework.
- B2(1,2,3,4)
NIST. NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management, Version 1.0 (Privacy Framework). Jan. 16, 2020. [Online]. Available: https://www.nist.gov/privacy-framework.
- B3(1,2,3)
W. Newhouse et al., National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication (SP) 800-181 rev. 1, NIST, Gaithersburg, Md., Nov. 2020. Available: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-181r1.pdf.
- B4
NIST. Risk Management Framework (RMF) Overview. [Online]. Available: https://csrc.nist.gov/projects/risk-management/risk-management-framework-(rmf)-overview.
- B5
NIST. Mobile Threat Catalogue. [Online]. Available: https://pages.nist.gov/mobile-threat-catalogue/.
- B6
J. Franklin et al., Guidelines for Managing the Security of Mobile Devices in the Enterprise, NIST SP 800-124 Revision 2, NIST, Gaithersburg, Md., May. 2023. Available: https://csrc.nist.gov/publications/detail/sp/800-124/rev-2/final.
- B7
J. Franklin et al., Mobile Device Security: Cloud and Hybrid Builds, NIST SP 1800-4, NIST, Gaithersburg, Md., Feb. 21, 2019. Available https://doi.org/10.6028/NIST.SP.1800-4.
- B8(1,2,3)
Joint Task Force Transformation Initiative, Guide for Conducting Risk Assessments, NIST SP 800-30 Revision 1, NIST, Gaithersburg, Md., Sept. 2012. Available: https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final.
- B9
NIST. NIST Privacy Risk Assessment Methodology. Jan. 16, 2020. [Online]. Available: https://www.nist.gov/privacy-framework/nist-pram.
- B10
Joint Task Force, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, NIST SP 800-37 Revision 2, NIST, Gaithersburg, Md., Dec. 2018. Available: https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final.
- B11
Open Web Application Security Project (OWASP). “OWASP Mobile Top 10,” [Online]. Available: https://owasp.org/www-project-mobile-top-10/.
- B12
NIST. Privacy Engineering Program: Privacy Risk Assessment Methodology, Catalog of Problematic Data Actions and Problems. [Online]. Available: https://www.nist.gov/itl/applied-cybersecurity/privacy-engineering/resources.
- B13
Qualcomm. “Mobile Security Solutions.” [Online]. Available: https://www.qualcomm.com/products/features/mobile-security-solutions.
- B14
National Information Assurance Partnership (NIAP). U.S. Government Approved Protection Profile—Extended Package for Mobile Device Management Agents Version 3.0. Nov. 21, 2016. [Online]. Available: https://www.niap-ccevs.org/MMO/PP/ep_mdm_agent_v3.0.pdf.
- B15
International Business Machines (IBM). About enterprise app wrapping. Aug. 09, 2022 last updated. [Online]. Available: https://www.ibm.com/docs/en/maas360?topic=overview-about-enterprise-app-wrapping.
- B16
NIAP. U.S. Government Approved Protection Profile—Module for Virtual Private Network (VPN) Gateways 1.1. July 01, 2020. [Online]. Available: https://www.niap-ccevs.org/Profile/Info.cfm?PPID=449&id=449.
- B17
NIAP. U.S. Government Approved Protection Profile—collaborative Protection Profile for Network Devices Version 2.2e. Mar. 27, 2020. Available: https://www.niap-ccevs.org/Profile/Info.cfm?PPID=447&id=447.
- B18
NIAP. Approved Protection Profiles. [Online]. Available: https://www.niap-ccevs.org/Profile/PP.cfm.
- B19
Qualcomm. “Qualcomm Secure Boot and Image Authentication Technical Overview.” [Online]. Available: https://www.qualcomm.com/media/documents/files/secure-boot-and-image-authentication-technical-overview-v1-0.pdf.
- B20
Google Android. Android Management API. [Online]. Available: https://developers.google.com/android/management.
- B21
Apple Inc. “Preventing Insecure Network Connections.” [Online]. Available: https://developer.apple.com/documentation/security/preventing_insecure_network_connections.
- B22
Apple Inc. “Identifying the Source of Blocked Connections.” [Online]. Available: https://developer.apple.com/documentation/security/preventing_insecure_network_ connections/identifying_the_source_of_blocked_connections.
- B23
Android.com. “Network security configuration.” Dec. 27, 2019. [Online]. Available: https://developer.android.com/training/articles/security-config.
- B24
NowSecure.com. “A Security Analyst’s Guide to Network Security Configuration in Android P.” [Online]. Available: https://www.nowsecure.com/blog/2018/08/15/a-security-analysts-guide-to-network-security-configuration-in-android-p/.
- B25
Apple Inc. “Overview: Managing Devices & Corporate Data on iOS.” July 2018. [Online]. Available: https://www.apple.com/business/docs/resources/Managing_Devices_and_Corporate_Data_on _iOS.pdf.
- B26
Google Android. “Build Android management solutions for enterprises.” [Online]. Available: https://developers.google.com/android/work.
- B27
International Business Machines (IBM). “Web Services.” [Online]. Available: https://www.ibm.com/docs/en/maas360?topic=web-services.
- B28
IBM. “IBM Community Public Wikis.” [Online]. Available: https://www.ibm.com/developerworks/community/wikis/home?lang=en-us#!/wiki/W0dcb4f3d0760_48cd_9026_a90843b9da06/page/MaaS360%20REST%20API%20Usage.
- B29
IBM. “MaaS360 Data Privacy Information.” [Online]. Available: https://www.ibm.com/support/pages/maas360-data-privacy-information
- B30
NIST. Minimum Security Requirements for Federal Information and Information Systems, Federal Information Processing Standards Publication (FIPS) 200, Mar. 2006. Available: https://csrc.nist.gov/publications/detail/fips/200/final.
- B31(1,2)
Joint Task Force Transformation Initiative, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, NIST, Gaithersburg, Md., Jan. 2015. Available: https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final.
- B32
IDManagement.gov. “Federal Identity, Credential, and Access Management Architecture.” [Online]. Available: https://arch.idmanagement.gov/services/access/.
- B33(1,2,3,4,5)
M. Souppaya and K. Scarfone, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security, NIST SP 800-46 Revision 2, NIST, Gaithersburg, Md., July 2016. Available: https://csrc.nist.gov/publications/detail/sp/800-46/rev-2/final.
- B34(1,2,3,4)
S. Brooks et al., An Introduction to Privacy Engineering and Risk Management in Federal Systems, NIST Interagency or Internal Report 8062, Gaithersburg, Md., Jan. 2017. Available: https://nvlpubs.nist.gov/nistpubs/ir/2017/NIST.IR.8062.pdf.
- B35(1,2)
P. Grassi et al., Digital Identity Guidelines, NIST SP 800-63-3, NIST, Gaithersburg, Md., June 2017. Available: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-3.pdf.
- B36
K. Stouffer et al., Guide to Industrial Control Systems (ICS) Security, NIST SP 800-82 Revision 2, NIST, Gaithersburg, Md., May 2015. Available: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf.
- B37
E. McCallister et al., Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), NIST SP 800-122, NIST, Gaithersburg, Md., Apr. 2010. Available: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-122.pdf.
- B38
J. Franklin et al., Mobile Device Security: Corporate-Owned Personally-Enabled (COPE), NIST SP 1800-21, NIST, Gaithersburg, Md., July 22, 2019. Available: https://csrc.nist.gov/News/2019/NIST-Releases-Draft-SP-1800-21-for-Comment.
- B39
NIST, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations, NIST SP 800-52 Revision 2, August 2019. [Online]. Available: https://csrc.nist.gov/publications/detail/sp/800-52/rev-2/final.
- B40(1,2,3)
Joint Task Force, Security and Privacy Controls for Information Systems and Organizations (Final Public Draft), NIST SP 800-53 Revision 5, NIST, Gaithersburg, Md., Sept. 2020. Available: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final.
- B41
S. Frankel et al., Guide to SSL VPNs, NIST SP 800-113, NIST, Gaithersburg, Md., July 2008. Available: https://csrc.nist.gov/publications/detail/sp/800-113/final.
- B42
M. Souppaya and K. Scarfone, Userʼs Guide to Telework and Bring Your Own Device (BYOD) Security,, NIST SP 800-114 Revision 1, NIST, Gaithersburg, Md., July 2016. Available: https://csrc.nist.gov/publications/detail/sp/800-114/rev-1/final.
- B43
M. Ogata et al., Vetting the Security of Mobile Applications, NIST SP 800-163 Revision 1, NIST, Gaithersburg, Md., Apr. 2019. Available: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-163r1.pdf.
- B44
NIST, Protecting Controlled Unclassified Information in Nonfederal SystemsI, NIST SP 800-171 Revision 2, February 2020. [Online]. Available: https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final.
- B45(1,2)
Center for Internet Security. Center for Internet Security home page. [Online]. Available: https://www.cisecurity.org/.
- B46
Executive Office of the President, “Bring Your Own Device: A Toolkit to Support Federal Agencies Implementing Bring Your Own Device (BYOD) Programs,” Aug. 23, 2012. Available: https://obamawhitehouse.archives.gov/digitalgov/bring-your-own-device.
- B47
Federal CIO Council and Department of Homeland Security. Mobile Security Reference Architecture Version 1.0. May 23, 2013. [Online]. Available: https://s3.amazonaws.com/sitesusa/wp-content/uploads/sites/1151/2016/10/Mobile-Security-Reference-Architecture.pdf.
- B48
Digital Services Advisory Group and Federal Chief Information Officers Council. Government Use of Mobile Technology Barriers, Opportunities, and Gap Analysis. Dec. 2012. [Online]. Available: https://s3.amazonaws.com/sitesusa/wp-content/uploads/sites/1151/2016/10/Government_Mobile_Technology_Barriers_Opportunities_and _Gaps.pdf.
- B49(1,2)
International Organization for Standardization. “ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements.” Oct. 2013. [Online]. Available: https://www.iso.org/standard/54534.html.
- B50
“Mobile Computing Decision.” [Online]. Available: https://s3.amazonaws.com/sitesusa/wp-content/uploads/sites/1151/2016/10/Mobile-Security-Decision-Framework-Appendix-B.pdf.
- B51
Mobile Services Category Team (MSCT) Advanced Technology Academic Research Center (ATARC). “Navigating the Future of Mobile Services.” Oct. 2017. [Online]. Available: https://atarc.org/wp-content/uploads/2019/01/ATARC-MSCT-Report-Navigating-Future-of-Mobile-Services-2.pdf.
- B52
Mobile Services Category Team (MSCT). “Device Procurement and Management Guidance.” Nov. 2016. [Online]. Available: https://hallways.cap.gsa.gov/app/#/gateway/information-technology/4485/mobile-device-procurement-and-management-guidance.
- B53
Mobile Services Category Team (MSCT). “Mobile Device Management (MDM), MDM Working Group Document.” Aug. 2017. [Online]. Available: https://s3.amazonaws.com/sitesusa/wp-content/uploads/sites/1197/2017/10/EMM_Deliverable.pdf.
- B54
Mobile Services Category Team (MSCT). “Mobile Services Roadmap (MSCT Strategic Approach).” Sept. 23, 2016. [Online]. Available: https://atarc.org/project/mobile-services-roadmap-msct-strategic-approach/.
- B55
NIAP. U.S. Government Approved Protection Profile—Extended Package for Mobile Device Management Agents Version 2.0. Dec. 31, 2014. [Online]. Available: https://www.niap-ccevs.org/MMO/PP/pp_mdm_agent_v2.0.pdf.
- B56
NIAP. Approved Protection Profiles—Protection Profile for Mobile Device Fundamentals Version 3.1,. June 16, 2017. [Online]. Available: https://www.niap-ccevs.org/Profile/Info.cfm?PPID=417&id=417.
- B57
NIAP. Approved Protection Profiles—Protection Profile for Mobile Device Management Version 4.0. Apr. 25, 2019. [Online]. Available: https://www.niap-ccevs.org/Profile/Info.cfm?PPID=428&id=428.
- B58
NIAP. Product Compliant List. [Online]. Available: https://www.niap-ccevs.org/Product/.
- B59
Office of Management and Budget, Category Management Policy 16-3: Improving the Acquisition and Management of Common Information Technology: Mobile Devices and Services, Aug. 4, 2016. Available: https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2016/m_16_20.pdf.
- B60
NIST. United States Government Configuration Baseline (in development). [Online]. Available: https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline.
- B61
Department of Homeland Security (DHS). “DHS S&T Study on Mobile Device Security.” Apr. 2017. [Online]. Available: https://www.dhs.gov/publication/csd-mobile-device-security-study.
- B62
NIST, NIST Interagency Report (NISTIR) 8170, Approaches for Federal Agencies to Use the Cybersecurity Framework, Mar. 2020. [Online]. Available: https://nvlpubs.nist.gov/nistpubs/ir/2021/NIST.IR.8170-upd.pdf.
- B63
NIST Privacy Framework and Cybersecurity Framework to NIST Special Publication 800-53, Revision 5 Crosswalk. [Online]. Available: https://www.nist.gov/privacy-framework/nist-privacy-framework-and-cybersecurity-framework-nist-special-publication-800-53.
Appendix D Standards and Guidance¶
The following are references that informed the writing of this publication.
National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework) Version 1.1 [B1]
NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management, Version 1.0 (Privacy Framework) [B2]
NIST Mobile Threat Catalogue [B5]
NIST Risk Management Framework [B4]
NIST Special Publication (SP) 1800-4, Mobile Device Security: Cloud and Hybrid Builds [B7]
NIST SP 1800-21, Mobile Device Security: Corporate-Owned Personally-Enabled (COPE) [B38]
NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments [B8]
NIST SP 800-37 Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy [B10]
NIST SP 800-46 Revision 2, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security [B33]
NIST SP 800-52 Revision 2, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations [B39]
NIST SP 800-53 Revision 4 (Final), Security and Privacy Controls for Information Systems and Organizations [B31]
NIST SP 800-53 Revision 5 (Final), Security and Privacy Controls for Information Systems and Organizations [B40]
NIST SP 800-63-3, Digital Identity Guidelines [B35]
NIST SP 800-113, Guide to SSL VPNs [B41]
NIST SP 800-114 Revision 1, Userʼs Guide to Telework and Bring Your Own Device (BYOD) Security [B42]
NIST SP 800-124 Revision 2, Guidelines for Managing the Security of Mobile Devices in the Enterprise [B6]
NIST SP 800-163 Revision 1, Vetting the Security of Mobile Applications [B43]
NIST SP 800-171 Revision 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations [B44]
NIST SP 800-181, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (2017) [B3]
NIST Federal Information Processing Standards Publication (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems [B30]
NIST Privacy Risk Assessment Methodology [B9]
Center for Internet Security [B45]
Executive Office of the President, Bring Your Own Device toolkit [B46]
Federal Chief Information Officers Council and Department of Homeland Security Mobile Security Reference Architecture, Version 1.0 [B47]
Digital Services Advisory Group and Federal Chief Information Officers Council, Government Use of Mobile Technology Barriers, Opportunities, and Gap Analysis [B48]
International Organization for Standardization (ISO), International Electrotechnical Commission (IEC) 27001:2013, “Information technology – Security techniques – Information security management systems – Requirements” [B49]
Mobile Computing Decision example case study [B50]
MSCT ATARC, “Navigating the Future of Mobile Services,” Working Group Document [B51]
MSCT, “Device Procurement and Management Guidance” [B52]
MSCT, “Mobile Device Management (MDM),” MDM Working Group Document [B53]
MSCT, “Mobile Services Roadmap, MSCT Strategic Approach” [B54]
National Information Assurance Partnership (NIAP), U.S. Government Approved Protection Profile—Extended Package for Mobile Device Management Agents Version 2.0 [B55]
NIAP, Approved Protection Profiles—Protection Profile for Mobile Device Fundamentals Version 3.1 [B56]
NIAP, Approved Protection Profiles—Protection Profile for Mobile Device Management Version 4.0 [B57]
NIAP, Product Compliant List [B58]
Office of Management and Budget, Category Management Policy 16-3: Improving the Acquisition and Management of Common Information Technology: Mobile Devices and Services [B59]
United States Government Configuration Baseline [B60]
Department of Homeland Security (DHS), “DHS S&T Study on Mobile Device Security” [B61]
NIST Interagency Report (NISTIR) 8170, Approaches for Federal Agencies to Use the Cybersecurity Framework [B62]
Appendix E Example Security Subcategory and Control Map¶
Using the developed risk information as input, the security characteristics of the example solution were identified. A security control map was developed documenting the example solution’s capabilities with applicable Subcategories from the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 (Cybersecurity Framework) [B1]; NIST Special Publication (SP) 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations [B40]; International Organization for Standardization (ISO); International Electrotechnical Commission (IEC) 27001:2013 Information technology – Security techniques – Information security management systems – Requirements [B49]; the Center for Internet Security’s (CIS) control set Version 6 [B45]; and NIST SP 800-181, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (Work Roles from 2017 version) [B3].
Table E-1 below identifies the security characteristic standards mapping for the products as they were used in the example solution. The products may have additional capabilities that we did not use in this example solution. For that reason, it is recommended that the mapping not be used as a reference for all of the security capabilities these products may be able to address.
Table E‑1 Example Solution’s Cybersecurity Standards and Best Practices Mapping
Specific product used |
Function |
Applicable NIST Cybersecurity Framework Subcategories |
Applicable NIST SP 800-53 Revision 5 Controls |
ISO/IEC 27001:2013 |
CIS 6 |
Applicable NIST SP 800-181 NICE Framework Work Roles (2017) |
---|---|---|---|---|---|---|
Kryptowire Cloud Service |
Application Vetting |
ID.RA-1: Asset vulnerabilities are identified and documented. |
CA-2, CA-7, CA-8: Security Assessment and Authorization RA-3, RA-5: Risk Assessment SA-4: Acquisition Process SI-7: Software, Firmware, and Information Integrity |
A.12.6.1: Control of technical vulnerabilities A.18.2.3: Technical Compliance Review |
CSC 4: Continuous Vulnerability Assessment and Remediation |
SP-RSK-002: Security Control Assessor SP-ARC-002: Security Architect OM-ANA-001: Systems Security Analyst |
ID.RA-3: Threats, both internal and external, are identified and documented. |
RA-3: Risk Assessment SI-7: Software, Firmware, and Information Integrity PM-12, PM-16: Insider Threat Program |
6.1.2: Information risk assessment process |
CSC 4: Continuous Vulnerability Assessment and Remediation |
SP-RSK-002: Security Control Assessor OM-ANA-001: Systems Security Analyst OV-SPP-001: Cyber Workforce Developer and Manager OV-TEA-001: Cyber Instructional Curriculum Developer PR-VAM-001: Vulnerability Assessment Analyst PR-VAM-001: Vulnerability Assessment Analyst |
||
DE.CM-4: Malicious code is detected. |
SI-7: Software, Firmware, and Information Integrity |
A.12.2.1: Controls Against Malware |
CSC 4: Continuous Vulnerability Assessment and Remediation CSC 7: Email and Web Browser Protections CSC 8: Malware Defenses CSC 12: Boundary Defense |
PR-CIR-001: Cyber Defense Incident Responder PR-CDA-001: Cyber Defense Analyst |
||
DE.CM-5: Unauthorized mobile code is detected. |
SC-18: Mobile Code SI-7: Software, Firmware, and Information Integrity |
A.12.5.1: Installation of Software on Operational Systems A.12.6.2: Restrictions on Software Installation |
CSC 7: Email and Web Browser Protections CSC 8: Malware Defenses |
PR-CDA-001: Cyber Defense Analyst SP-DEV-002: Secure Software Assessor |
||
Zimperium Console version vGA-4.23.1 |
Cloud service that complements the zIPS Agent |
ID.AM-1: Physical devices and systems within the organization are inventoried. |
CM-8: Information System Component Inventory PM-5: Information System Inventory |
A.8.1.1: Inventory of Assets A.8.1.2: Ownership of Assets |
CSC 1: Inventory of Authorized and Unauthorized Devices |
OM-STS-001: Technical Support Specialist OM-NET-001: Network Operations Specialist OM-ADM-001: System Administrator |
zIPS agent Version 4.9.2 (iOS), 4.9.2 (Android) |
Endpoint security for mobile device threats |
ID.AM-2: Software platforms and applications within the organization are inventoried. |
CM-8: Information System Component Inventory PM-5: Information System Inventory |
A.8.1.1: Inventory of Assets A.8.1.2: Ownership of Assets A.12.5.1: Installation of Software on Operational Systems |
CSC 2: Inventory of Authorized and Unauthorized Software |
SP-DEV-002: Secure Software Assessor SP-DEV-001: Software Developer SP-TRD-001: Research and Development Specialist |
DE.CM-8: Vulnerability scans are performed. |
RA-5: Vulnerability Monitoring and Scanning |
A.12.6.1: Management of technical vulnerabilities |
CSC 4: Continuous Vulnerability Assessment and Remediation CSC 20: Penetration Tests and Red Team Exercises |
PR-VAM-001: Vulnerability Assessment Analyst PR-INF-001: Cyber Defense Infrastructure Support Specialist PR-CDA-001: Cyber Defense Analyst |
||
DE.AE-5: Incident alert thresholds are established. |
IR-4: Incident Handling IR-5: Incident Monitoring IR-8: Incident Response Plan |
A.16.1.4: Assessment of and decision on information security events |
CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs CSC 19: Incident Response and Management |
PR-CIR-001: Cyber Defense Incident Responder AN-TWA-001: Threat/Warning Analyst |
||
DE.CM-5: Unauthorized mobile code is detected. |
SC-18: Mobile Code SI-7: Software, Firmware, and Information Integrity |
A.12.5.1: Installation of Software on Operational Systems A.12.6.2: Restrictions on Software Installation |
CSC 7: Email and Web Browser Protections CSC 8: Malware Defenses |
PR-CDA-001: Cyber Defense Analyst SP-DEV-002: Secure Software Assessor |
||
IBM MaaS360 Mobile Device Management (SaaS) Version 10.73 |
Enforces organizational mobile endpoint security policy |
ID.AM-1: Physical devices and systems within the organization are inventoried. |
CM-8: System Component Inventory PM-5: System Inventory |
A.8.1.1: Inventory of Assets A.8.1.2: Ownership of Assets |
CSC 1: Inventory of Authorized and Unauthorized Devices |
OM-STS-001: Technical Support Specialist OM-NET-001: Network Operations Specialist OM-ADM-001: System Administrator |
ID.AM-2: Software platforms and applications within the organization are inventoried. |
CM-8: System Component Inventory PM-5: System Inventory |
A.8.1.1: Inventory of Assets A.8.1.2: Ownership of Assets A.12.5.1: Installation of Software on Operational Systems |
CSC 2: Inventory of Authorized and Unauthorized Software |
SP-DEV-002: Secure Software Assessor SP-DEV-001: Software Developer SP-TRD-001: Research and Development Specialist |
||
PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users, and processes. |
AC-3: Access Enforcement IA-1, IA-2, IA-3, IA-4, IA-5, IA-6, IA-7, IA-8, IA-9, IA-10, IA-11: Identification and Authentication Family |
A.9.2.1: User Registration and De-Registration A.9.2.2: User Access Provisioning A.9.2.3: Management of Privileged Access Rights A.9.2.4: Management of Secret Authentication Information of Users A.9.2.6: Removal or Adjustment of Access Rights A.9.3.1: Use of Secret Authentication Information A.9.4.2: Secure logon Procedures A.9.4.3: Password Management System |
CSC 1: Inventory of Authorized and Unauthorized Devices CSC 5: Controlled Use of Administrative Privileges CSC 15: Wireless Access Control CSC 16: Account Monitoring and Control |
OV-SPP-002: Cyber Policy and Strategy Planner OM-ADM-001: System Administrator OV-MGT-002: Communications Security (COMSEC) Manager |
||
PR.AC-3: Remote access is managed. |
AC-1: Access Control Policy and Procedures AC-17: Remote Access AC-19: Access Control for Mobile Devices AC-20: Use of External Systems SC-15: Collaborative Computing Devices and Applications |
A.6.2.1: Mobile Device Policy A.6.2.2: Teleworking A.11.2.6: Security of equipment and assets off premises A.13.1.1: Network Controls A.13.2.1: Information Transfer Policies and Procedures |
CSC 12: Boundary Defense |
OV-SPP-002: Cyber Policy and Strategy Planner OV-MGT-002: Communications Security (COMSEC) Manager |
||
PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions. |
AC-1, AC-3: Access Control Policy and Procedures IA-2, IA-4, IA-5: Identification and Authentication PE-2: Physical Access Authorizations |
A.7.1.1: Screening A.9.2.1: User Registration and De-Registration |
CSC 16: Account Monitoring and Control |
OV-SPP-002: Cyber Policy and Strategy Planner OV-MGT-002: Communications Security (COMSEC) Manager |
||
PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained, incorporating security principles (e.g., concept of least functionality). |
CM-8: System Component Inventory SA-10: Developer Configuration Management |
A.12.1.2: Change Management A.12.5.1:
Installation of
Software on
Operational
Systems
A.12.6.2: Restrictions on Software Installation A.14.2.2: System Change Control Procedures A.14.2.3: Technical Review of Applications After Operating Platform Changes A.14.2.4: Restrictions on Changes to Software Packages |
CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers CSC 9: Limitation and Control of Network Ports, Protocols, and Services CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches |
SP-ARC-002: Security Architect OV-SPP-002: Cyber Policy and Strategy Planner SP-SYS-001: Information Systems Security Developer OM-ADM-001: System Administrator PR-VAM-001: Vulnerability Assessment Analyst |
||
IBM MaaS360 Mobile Device Management Agent Version 3.91.5 (iOS), 6.60 (Android) |
Endpoint software that compliments IBM MaaS360 Mobile Device Management console– provides root/jailbreak detection and other functions |
PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity. |
SC-16: Transmission of Security and Privacy Attributes SI-7: Software, Firmware, and Information Integrity |
A.12.2.1: Controls Against Malware A.12.5.1: Installation of Software on Operational Systems A.14.1.2: Securing Application Services on Public Networks A.14.1.3: Protecting Application Services Transactions A.14.2.4: Restrictions on Changes to Software Packages |
CSC 2: Inventory of Authorized and Unauthorized Software CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers |
OV-SPP-002: Cyber Policy and Strategy Planner SP-ARC-001: Enterprise Architect |
Qualcomm (version is mobile device dependent) |
Secure boot and image integrity |
PR.DS-1: Data-at-rest is protected. |
SC-28: Protection of Information at Rest |
A.8.2.3: Handling of Assets |
CSC 13: Data Protection CSC 14: Controlled Access Based on the Need to Know |
OV-SPP-002: Cyber Policy and Strategy Planner PR-INF-001: Cyber Defense Infrastructure Support Specialist OV-LGA-002: Privacy Officer/Privacy Compliance Manager OV-MGT-002: Communications Security (COMSEC) Manager |
PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity. |
SA-10(1): Developer Configuration Management SI-7: Software, Firmware, and Information Integrity |
A.12.2.1: Controls Against Malware A.12.5.1: Installation of Software on Operational Systems A.14.1.2: Securing Application Services on Public Networks A.14.1.3: Protecting Application Services Transactions A.14.2.4: Restrictions on Changes to Software Packages |
CSC 2: Inventory of Authorized and Unauthorized Software CSC 3: Secure Configurations for Hardware and Software on Mobile |
OV-SPP-002: Cyber Policy and Strategy Planner PR-CDA-001: Cyber Defense Analyst SP-ARC-001: Enterprise Architect |
||
PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity. |
SA-10: Developer Configuration Management SI-7: Software, Firmware, and Information Integrity |
A.11.2.4: Equipment maintenance |
Not applicable |
OM-ADM-001: System Administrator SP-AR C-001:Enterprise Architect |
||
DE.CM-4: Malicious code is detected. |
SC-35: External Malicious Code Identification SI-7: Software, Firmware, and Information Integrity |
A.12.2.1: Controls Against Malware |
CSC 4: Continuous Vulnerability Assessment and Remediation CSC 7: Email and Web Browser Protections CSC 8: Malware Defenses CSC 12: Boundary Defense |
PR-CDA-001: Cyber Defense Analyst PR-INF-001: Cyber Defense Infrastructure Support Specialist |
||
Palo Alto Networks PA-220 |
Enforces network security policy for remote devices |
PR.AC-3: Remote access is managed. |
AC-1, AC-3: Access Control Policy and Procedures AC-19: Access Control for Mobile Devices |
A.6.2.1: Mobile Device Policy A.6.2.2: Teleworking A.11.2.6: Security of equipment and assets off-premises A.13.1.1: Network Controls A.13.2.1: Information Transfer Policies and Procedures |
CSC 12: Boundary Defense |
OV-SPP-002: Cyber Policy and Strategy Planner OV-MGT-002: Communications Security (COMSEC) Manager |
PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation). |
AC-3: Access Enforcement SC-7: Boundary Protection |
A.13.1.1: Network Controls A.13.1.3: Segregation in Networks A.13.2.1: Information Transfer Policies and Procedures A.14.1.2: Securing Application Services on Public Networks A.14.1.3: Protecting Application Services Transactions |
CSC 9: Limitation and Control of Network Ports, Protocols, and Services CSC 14: Controlled Access Based on the Need to Know CSC 15: Wireless Access Control CSC 18: Application Software Security |
PR-CDA-001: Cyber Defense Analyst OM-ADM-001: System Administrator |
||
PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions. |
AC-3: Access Enforcement IA-2, IA-4, IA-5, IA-8: Identification and Authentication (Organizational Users) PE-2: Physical Access Authorizations PS-3: Personnel Screening |
A.7.1.1: Screening A.9.2.1: User Registration and De-Registration |
CSC 16: Account Monitoring and Control |
OV-SPP-002: Cyber Policy and Strategy Planner OV-MGT-002: Communications Security (COMSEC) Manager |
||
PR.DS-2: Data-in-transit is protected. |
AC-17(2): Protection of Confidentiality and Integrity Using Encryption SC-8: Transmission Confidentiality and Integrity |
A.8.2.3: Handling of Assets A.13.1.1: Network Controls A.13.2.1: Information Transfer Policies and Procedures A.13.2.3: Electronic Messaging A.14.1.2: Securing Application Services on Public Networks A.14.1.3: Protecting Application Services Transactions |
CSC 13: Data Protection CSC 14: Controlled Access Based on the Need to Know |
OV-SPP-002: Cyber Policy and Strategy Planner OV-MGT-002: Communications Security (COMSEC) Manager OV-LGA-002: Privacy Officer/Privacy Compliance Manager |
||
PR.PT-4: Communications and control networks are protected. |
AC-3, AC-4, AC-17, AC-18: Access Control Family CP-2: Contingency Plan SC-7, SC-20, SC-21, SC-22, SC-23, SC-24, SC-25, SC-29, SC-32, SC-38, SC-39, SC-40, SC-41, SC-43: System and Communications Protection Family |
A.13.1.1: Network Controls A.13.2.1: Information Transfer Policies and Procedures A.14.1.3: Protecting Application Services Transactions |
CSC 8: Malware Defenses CSC 12: Boundary Defense CSC 15: Wireless Access Control |
PR-INF-001: Cyber Defense Infrastructure Support Specialist OV-SPP-002: Cyber Policy and Strategy Planner PR-CDA-001: Cyber Defense Analyst |
Appendix F Example Privacy Subcategory and Control Map¶
Using the developed privacy information as input, we identified the privacy characteristics of the example solution. We developed a privacy control map documenting the example solution’s capabilities with applicable Functions, Categories, and Subcategories from the National Institute of Standards and Technology (NIST) Privacy Framework [B2]; and NIST SP 800-53 Revision 5 [B40]; and NIST SP 800-181, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (Work Roles from 2017 version) [B3].
The table that follows maps component functions in the build to the related Subcategories in the NIST Privacy Framework as well as to controls in the NIST SP 800-53, Revision 5 controls catalog. Each column maps independently to the build component’s functions and, given the specific capabilities of this mobile device security solution, may differ from other NIST-provided mappings for the Privacy Framework and SP 800-53 revision. For example, build functions may provide additional capabilities beyond what is contemplated by a Privacy Framework Subcategory or that are implemented by additional controls beyond those that NIST identified as an informative reference for the Subcategory.
The table also identifies the privacy characteristic mapping for the products as they were used in the example solution. The products may have additional capabilities that we did not use in this example solution. For that reason, it is recommended that the mapping not be used as a reference for all the privacy capabilities these products may be able to address. The comprehensive mapping of the NIST Privacy Framework to NIST SP 800-53, Revision 5 controls can be found on the NIST Privacy Framework Resource Repository website, in the event an organization’s mobile device security solution is different to determine other controls that are appropriate for their environment [B63].
Table F‑1 Example Solution’s Privacy Standards and Best Practices Mapping
Product |
Function |
Applicable Privacy Framework Subcategories |
Applicable NIST SP 800-53 Revision 5 Privacy-Related Controls |
Applicable NIST SP 800-181, NICE Framework Work Roles (2017) |
---|---|---|---|---|
IBM MaaS360 |
MaaS360 can be used to capture an inventory of the types and number of devices deployed and shows the administrators what data is collected from each enrolled device. |
ID.IM-P7: The data processing environment is identified (e.g., geographic location, internal, cloud, third parties). |
CM-12: Information Location CM-13: Data Action Mapping PM-5(1): System Inventory | Inventory of Personally Identifiable Information PT-3: Personally Identifiable Information Processing Purposes RA-3: Risk Assessment RA-8: Privacy Impact Assessment |
OV-LGA-002: Privacy Officer/Privacy Compliance Manager OV-TEA-001: Cyber Instructional Curriculum Developer |
Administrators can view data elements in the administration portal. Users can see collected data within the MaaS360 application on their device. Users are advised about data collection practices in a window during enrollment. Data can be edited and deleted from within the administration console. |
CT.DM-P1: Data elements can be accessed for review. |
AC-2: Account Management AC-3: Access Enforcement AC-3(14): Access Enforcement | Individual Access PM-21: Accounting of Disclosures |
OM-DTA-002: Data Analyst |
|
CT.DM-P3: Data elements can be accessed for alteration. |
AC-2: Account Management AC-3: Access Enforcement AC-3(14): Access Enforcement | Individual Access PM-21: Accounting of Disclosures SI-18: Personally Identifiable Information Quality Operations |
OM-DTA-002: Data Analyst |
||
CT.DM-P4: Data elements can be accessed for deletion. |
AC-2: Account Management AC-3: Access Enforcement SI-18: Personally Identifiable Information Quality Operations |
OM-DTA-002: Data Analyst |
||
CT.DM-P5: Data are destroyed according to policy. |
MP-6: Media Sanitization SA-8(33): Security and Privacy Engineering Principles | Minimization SI-18: Personally Identifiable Information Quality Operations SR-12: Component Disposal |
OM-DTA-002: Data Analyst |
||
CT.DP-P4: System or device configurations permit selective collection or disclosure of data elements. |
CM-6: Configuration Settings SA-8(33): Minimization SC-42(5): Collection Minimization SI-12(1): Information Management and Retention | Limit Personally Identifiable Information Elements |
OV-LGA-002: Privacy Officer/Privacy Compliance Manager |
||
Devices may be backed up to the cloud. |
PR.PO-P3: Backups of information are conducted, maintained, and tested. |
CP-4: Contingency Plan Testing CP-6: Alternate Storage Site CP-9: System Backup |
OM-ADM-001: System Administrator |
|
Devices are issued identity certificates via on-premises certificate infrastructure. |
PR.AC-P1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized individuals, processes, and devices. |
IA-2: Identification and Authentication (Organizational Users) IA-3: Device Identification and Authentication IA-4: Identifier Management IA-4(4): Identifier Management | Identifier User Status |
SP-ARC-002: Security Architect PR-CDA-001: Cyber Defense Analyst |
|
MaaS360 enforces a device personal identification number for access. |
PR.AC-P2: Physical access to data and devices is managed. |
PE-2: Physical Access Authorizations PE-3: Physical Access Control PE-3(1): System Access PE-4: Access Control for Transmission PE-5: Access Control for Output Devices PE-6: Monitoring Physical Access PE-18: Location of System Components PE-20: Asset Monitoring and Tracking |
OM-DTA-001: Database Administrator OM-DTA-002: Data Analyst |
|
PR.DS-P1: Data-at-rest is protected. |
MP-2: Media Access MP-4: Media Storage PM-5(1): System Inventory | Inventory of Personally Identifiable Information SC-28: Protection of Information at Rest |
OM-DTA-001: Database Administrator OM-DTA-002: Data Analyst |
||
Data flowing between the device and MaaS360 is encrypted with Transport Layer Security. |
PR.DS-P2: Data-in-transit is protected. |
PM-5(1): System Inventory | Inventory of Personally Identifiable Information SC-8: Transmission Confidentiality and Integrity |
PR-CIR-001: Cyber Defense Incident Responder |
|
Restrictions are used that prevent data flow between enterprise and personal applications. |
PR.DS-P5: Protections against data leaks are implemented. |
PM-5(1): System Inventory | Inventory of Personally Identifiable Information AC-4: Information Flow Enforcement |
PR-CIR-001: Cyber Defense Incident Responder |
|
Devices that are jailbroken or otherwise modified beyond original equipment manufacturer status can be detected. |
PR.DS-P6: Integrity checking mechanisms are used to verify software, firmware, and information integrity. |
PM-22: Personally Identifiable Information Quality Management SI-7: Software, Firmware, and Information Integrity SI-18: Personally Identifiable Information Quality Operations |
OM-DTA-002: Data Analyst OM-ANA-001: Systems Security Analyst |
|
Zimperium |
Zimperium checks the device for unauthorized modifications. |
PR.DS-P1: Data-at-rest is protected. |
PM-5(1): System Inventory | Inventory of Personally Identifiable Information SC-28: Protection of Information at Rest |
SP-ARC-002: Security Architect PR-CDA-001: Cyber Defense Analyst |
PR.DS-P2: Data-in-transit is protected. |
PM-5(1): System Inventory | Inventory of Personally Identifiable Information SC-8: Transmission Confidentiality and Integrity SC-11: Trusted Path |
OM-DTA-002: Data Analyst OM-ANA-001: Systems Security Analyst |
||
PR.DS-P6: Integrity checking mechanisms are used to verify software, firmware, and information integrity. |
PM-22: Personally Identifiable Information Quality Management SC-16: Transmission of Security Attributes SI-7: Boundary Protection SI-10: Network Disconnect SI-18: Personally Identifiable Information Quality Operations |
OM-DTA-002: Data Analyst OM-ANA-001: Systems Security Analyst |
||
Kryptowire (now known as Quokka) |
Kryptowire can identify applications that do not use best practices, such as lack of encryption or hardcoded credentials. |
CM.AW-P1: Mechanisms (e.g., notices, internal or public reports) for communicating data processing purposes, practices, associated privacy risks, and options for enabling individuals’ data processing preferences and requests are established and in place. |
AC-8: System Use Notification |
SP-ARC-002: Security Architect PR-CDA-001: Cyber Defense Analyst |
CM.AW-P3: System/ product/ service design enables data processing visibility. |
PL-8: Security and Privacy Architecture PM-5(1): System Inventory | Inventory of Personally Identifiable Information |
SP-ARC-002: Security Architect PR-CDA-001: Cyber Defense Analyst |
||
CM.AW-P6: Data provenance and lineage are maintained and can be accessed for review or transmission/ disclosure. |
AC-16: Security and Privacy Attributes SC-16: Transmission of Security Attributes |
SP-ARC-002: Security Architect PR-CDA-001: Cyber Defense Analyst |
||
PR.DS-P1: Data-at-rest is protected. |
PM-5(1): System Inventory | Inventory of Personally Identifiable Information SC-28: Protection of Information at Rest |
SP-ARC-002: Security Architect PR-CDA-001: Cyber Defense Analyst |
||
PR.DS-P2: Data-in-transit is protected. |
PM-5(1): System Inventory | Inventory of Personally Identifiable Information SC-8: Transmission Confidentiality and Integrity SC-11: Trusted Path |
SP-ARC-002: Security Architect PR-CDA-001: Cyber Defense Analyst |
||
Palo Alto Networks PA-220 |
Provides firewall and virtual private network capabilities. |
PR.DS-P2: Data-in-transit is protected. |
PM-5(1): System Inventory | Inventory of Personally Identifiable Information SC-8: Transmission Confidentiality and Integrity SC-11: Trusted Path |
SP-ARC-002: Security Architect PR-CDA-001: Cyber Defense Analyst |
PR.AC-P4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties. |
AC-2: Account Management AC-3: Access Enforcement AC-5: Separation of Duties AC-6: Least Privilege AC-24: Access Control Decisions |
SP-ARC-002: Security Architect PR-CDA-001: Cyber Defense Analyst |
||
PR.AC-P5: Network integrity is protected (e.g., network segregation, network segmentation). |
AC-4: Information Flow Enforcement AC-10: Access Control SC-7: Boundary Protection SC-10: Network Disconnect |
OM-DTA-002: Data Analyst OM-ANA-001: Systems Security Analyst |
||
PR.PT-P3: Communications and control networks are protected. |
AC-12: Session Termination AC-17: Remote Access AC-18: Wireless Access SC-5: Denial of Service Protection SC-7: Boundary Protection SC-10: Network Disconnect SC-11: Trusted Path SC-21: Secure Name/Address Resolution Service (Recursive or Caching Resolver) SC-23: Session Authenticity |
OV-LGA-002: Privacy Officer/Privacy Compliance Manager PR-CDA-001: Cyber Defense Analyst |
||
Qualcomm |
The trusted execution environment provides data confidentiality and integrity. |
PR.DS-P6: Integrity checking mechanisms are used to verify software, firmware, and information integrity. |
PM-22: Personally Identifiable Information Quality Management SC-16: Transmission of Security and Privacy Attributes SI-7: Software, Firmware, and Information Integrity SI-10: Information Input Validation SI-18: Personally Identifiable Information Quality Operations |
PR-INF-001: Cyber Defense Infrastructure Support Specialist OM-ANA-001: Systems Security Analyst |