UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

SC-42 SENSOR CAPABILITY AND DATA


Overview

Number Title Impact Priority Subject Area
SC-42 Sensor Capability And Data P0 System And Communications Protection

Instructions
The information system:
SC-42a.
Prohibits the remote activation of environmental sensing capabilities with the following exceptions: Assignment: organization-defined exceptions where remote activation of sensors is allowed; and
SC-42b.
Provides an explicit indication of sensor use to Assignment: organization-defined class of users.
Guidance
This control often applies to types of information systems or system components characterized as mobile devices, for example, smart phones, tablets, and E-readers. These systems often include sensors that can collect and record data regarding the environment where the system is in use. Sensors that are embedded within mobile devices include, for example, cameras, microphones, Global Positioning System (GPS) mechanisms, and accelerometers. While the sensors on mobiles devices provide an important function, if activated covertly, such devices can potentially provide a means for adversaries to learn valuable information about individuals and organizations. For example, remotely activating the GPS function on a mobile device could provide an adversary with the ability to track the specific movements of an individual.

Enhancements
SC-42 (1) Reporting To Authorized Individuals Or Roles
In situations where sensors are activated by authorized individuals (e.g., end users), it is still possible that the data/information collected by the sensors will be sent to unauthorized entities.

The organization ensures that the information system is configured so that data or information collected by the Assignment: organization-defined sensors is only reported to authorized individuals or roles.

SC-42 (2) Authorized Use
Information collected by sensors for a specific authorized purpose potentially could be misused for some unauthorized purpose. For example, GPS sensors that are used to support traffic navigation could be misused to track movements of individuals. Measures to mitigate such activities include, for example, additional training to ensure that authorized parties do not abuse their authority, or (in the case where sensor data/information is maintained by external parties) contractual restrictions on the use of the data/information.

The organization employs the following measures: Assignment: organization-defined measures, so that data or information collected by Assignment: organization-defined sensors is only used for authorized purposes.

SC-42 (3) Prohibit Use Of Devices
For example, organizations may prohibit individuals from bringing cell phones or digital cameras into certain facilities or specific controlled areas within facilities where classified information is stored or sensitive conversations are taking place.

The organization prohibits the use of devices possessing Assignment: organization-defined environmental sensing capabilities in Assignment: organization-defined facilities, areas, or systems.