Chapter 3-AC PAGE 3-72
Supplemental Guidance: A mobile device is a computing device that: (i) has a small form factor such that it
can easily be carried by a single individual; (ii) is designed to operate without a physical connection (e.g.,
wirelessly transmit or receive information); (iii) possesses local, non-removable or removable data storage;
and (iv) includes a self-contained power source. Mobile devices may also include voice communication
capabilities, on-board sensors that allow the device to capture information, and/or built-in features for
synchronizing local data with remote locations. Examples include smart phones, E-readers, and tablets.
Mobile devices are typically associated with a single individual and the device is usually in close proximity
to the individual; however, the degree of proximity can vary depending upon the form factor and size of
the device. The processing, storage, and transmission capability of the mobile device may be comparable to
or merely a subset of desktop systems, depending upon the nature and intended purpose of the device. Due
to the large variety of mobile devices with different technical characteristics and capabilities, organizational
restrictions may vary for the different classes/types of such devices. Usage restrictions and specific
implementation guidance for mobile devices include, for example, configuration management, device
identification and authentication, implementation of mandatory protective software (e.g., malicious code
detection, firewall), scanning devices for malicious code, updating virus protection software, scanning for
critical software updates and patches, conducting primary operating system (and possibly other resident
software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared). Organizations are
cautioned that the need to provide adequate security for mobile devices goes beyond the requirements in
this control. Many safeguards and countermeasures for mobile devices are reflected in other security
controls in the catalog allocated in the initial control baselines as starting points for the development of
security plans and overlays using the tailoring process. There may also be some degree of overlap in the
requirements articulated by the security controls within the different families of controls. AC-20 addresses
mobile devices that are not organization-controlled. Related controls: AC-3, AC-7, AC-18, AC-20, CA-9,
CM-2, IA-2, IA-3, MP-2, MP-4, MP-5, PL-4, SC-7, SC-43, SI-3, SI-4.
Mobile devices include portable computing and communications devices with information
storage capability (e.g., notebook computers, personal digital assistants, cellular telephones,
digital cameras, and audio recording devices), also referred to as PEDs. A PED is any easily
transportable, personally-owned or government/contractor-issued, electronic device that has
the capability to record, copy, store, and/or transmit data, digital images, video, and/or audio.
Examples of a PED include, but are not limited to, pagers, laptop computers, cellular
telephones, radios (amplitude modulation (AM)/frequency modulation (FM), satellite),
compact disc players, cassette players and recorders, PDAs (e.g., palmtops, BlackBerrys,
iPads), digital audio devices (e.g., MP3 players, iPods), cameras, camcorders, calculators,
electronic book readers (e.g., Kindles, Nooks, Neos), digital picture frames, and electronic
watches with input capability and/or reminder recorders. See also [MP-4] and [MP-5].
Policy and procedures related to PEDs are detailed in DoDM 5205.07-V3, Enclosure 3,
Section 11, to include a list of authorized PEDs, requirement for PSO and AO (or designee)
approval, as required, prior to introduction into a SAPF, and guidance for control of PEDs.
See the Media Protection (MP) section, for policy and procedures related to removable
storage media.
Reference the MP section for media control including PED removable media.
Purchase of government PEDs shall conform to the same policies and procedures as all other
IT equipment. See the System and Services Acquisition (SA) section for additional
information on mobile devices.
PEDs for Classified Use
PEDs authorized for classified use represent a special class of government-owned mobile
devices, authorized with a mission justification for their use. The PSO assigns responsibilities for
the use of these PEDs with SAP information and establishes procedures to control their use
and accountability to ensure SAP information is protected from unauthorized disclosure.