NIST 800-53 REV 5 • ACCESS CONTROL

AC-19(4) Restrictions for Classified Information

Prohibit the use of unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official; and

Enforce the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information:

- Connection of unclassified mobile devices to classified systems is prohibited;
- Connection of unclassified mobile devices to unclassified systems requires approval from the authorizing official;
- Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and
- Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by {{ insert: param, ac-19.04_odp.01 }}, and if classified information is found, the incident handling policy is followed.

Restrict the connection of classified mobile devices to classified systems in accordance with {{ insert: param, ac-19.04_odp.02 }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

None.

Practitioner Notes

Mobile devices used for classified information need extra restrictions — approved device types, mandatory encryption, restricted apps, and controlled storage.

Example 1: For classified environments, only allow NSA-approved mobile devices. Maintain an approved products list and prohibit all other devices. Configure devices to disable camera, microphone, and Bluetooth when in classified spaces. Enforce through MDM policies.

Example 2: Create a sign-in/sign-out log for classified mobile devices. Devices must be stored in approved secure storage (GSA-approved safes) when not in use. Conduct monthly inventory of all classified mobile devices and compare against your asset register.