NIST 800-53 REV 5 • CONFIGURATION MANAGEMENT
CM-2(7) — Configure Systems and Components for High-risk Areas
Issue {{ insert: param, cm-02.07_odp.01 }} with {{ insert: param, cm-02.07_odp.02 }} to individuals traveling to locations that the organization deems to be of significant risk; and Apply the following controls to the systems or components when the individuals return from travel: {{ insert: param, cm-02.07_odp.03 }}.
Supplemental Guidance
When it is known that systems or system components will be in high-risk areas external to the organization, additional controls may be implemented to counter the increased threat in such areas. For example, organizations can take actions for notebook computers used by individuals departing on and returning from travel. Actions include determining the locations that are of concern, defining the required configurations for the components, ensuring that components are configured as intended before travel is initiated, and applying controls to the components after travel is completed. Specially configured notebook computers include computers with sanitized hard drives, limited applications, and more stringent configuration settings. Controls applied to mobile devices upon return from travel include examining the mobile device for signs of physical tampering and purging and reimaging disk drives. Protecting information that resides on mobile devices is addressed in the [MP](#mp) (Media Protection) family.
Practitioner Notes
This enhancement requires you to issue specially configured systems for personnel traveling to or working in high-risk areas, then wipe or inspect those systems when they return.
Example 1: Issue loaner laptops with minimal data and hardened configurations for employees traveling to countries with elevated cyber espionage risk, and wipe the devices upon return.
Example 2: Configure travel devices with full-disk encryption, disabled USB ports, and VPN-only internet access, and re-image them from a clean baseline after each trip.