This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system purges/wipes information from [FedRAMP Assignment: (H) mobile devices as defined by organization policy] based on [Assignment: organization-defined purging/wiping requirements/techniques] after [FedRAMP Assignment: (H) three (3)] consecutive, unsuccessful device logon attempts.
NIST 800-53 (r4) Supplemental Guidance:
This control enhancement applies only to mobile devices for which a logon occurs (e.g., personal digital assistants, smart phones, tablets). The logon is to the mobile device, not to any one account on the device. Therefore, successful logons to any accounts on mobile devices reset the unsuccessful logon count to zero. Organizations define information to be purged/wiped carefully in order to avoid over purging/wiping which may result in devices becoming unusable. Purging/wiping may be unnecessary if the information on the device is protected with sufficiently strong encryption mechanisms. Related controls: AC-19, MP-5, MP-6, SC-13.
NIST 800-53 (r5) Discussion:
A mobile device is a computing device that has a small form factor such that it can be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Purging or wiping the device applies only to mobile devices for which the organization-defined number of unsuccessful logons occurs. The logon is to the mobile device, not to any one account on the device. Successful logons to accounts on mobile devices reset the unsuccessful logon count to zero. Purging or wiping may be unnecessary if the information on the device is protected with sufficiently strong encryption mechanisms.
38North Guidance:
Meets Minimum Requirement:
In scope are mobile devices as defined by the system boundary and organization policy.
Three (3) is the number of consecutive, unsuccessful logon attempts allowed for accessing mobile devices before the information system purges/wipes information from such devices.
Organization-defined purging/wiping requirements/techniques are used.
Best Practice:
Do not permit mobile devices within the FedRAMP environment. If mobile devices are permitted, maintain an accurate inventory and clearly defined policy and procedures stating what the mobile devices are permitted to do and what purge/wipe settings apply when the threshold of 3 unsuccessful logons is reached.
Unofficial FedRAMP Guidance: None.
Assessment Evidence:
Policy and procedures demonstrating whether mobile devices are permitted and, if they are, what the purge/wipe procedures are.
Inventory of all mobile devices within the FedRAMP boundary and host inventory scan results to verify whether mobile devices are present in the environment.
Email notification to system administrators that a user's account on a mobile device has been locked.
Security Information and Event Management (SIEM) alerts or a dashboard showing mobile device accounts that were locked out after invalid attempts.
Tickets that demonstrate the unlocking of, or password resets for, mobile device accounts that were locked after the threshold of 3 consecutive invalid logon attempts was met.
Screenshots of a mobile device that was purged/wiped after 3 consecutive unsuccessful logon attempts.
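The following is an added example, not part of the NIST text or the 38North guidance, showing the counting semantics the r4/r5 discussion describes and the kind of logic behind the SIEM evidence listed above: the unsuccessful-logon counter is kept per device rather than per account, any successful logon to any account resets it to zero, and reaching the FedRAMP High threshold of three consecutive failures triggers the wipe. The event tuples, device names and account names are constructed for illustration; a real deployment would feed equivalent records from the MDM or device logs.

```python
# Added illustration (not vendor or project code): replay constructed mobile-device
# logon events and apply the AC-7(2) rules to decide when a wipe is due.

from dataclasses import dataclass

WIPE_THRESHOLD = 3  # FedRAMP (H) assignment: three consecutive unsuccessful logons

# Constructed sample events in arrival order: (device_id, account, outcome).
# Device and account names are placeholders, not real data.
SAMPLE_EVENTS = [
    ("tablet-01", "alice", "failure"),
    ("tablet-01", "bob",   "failure"),   # different account, same device: still counts
    ("tablet-01", "alice", "success"),   # a successful logon to any account resets the count
    ("tablet-01", "alice", "failure"),
    ("tablet-01", "alice", "failure"),
    ("tablet-01", "alice", "failure"),   # third consecutive failure: wipe the device
    ("tablet-01", "alice", "failure"),   # counting starts over after the wipe
    ("phone-07",  "carol", "failure"),
    ("phone-07",  "carol", "failure"),   # two failures only: no wipe yet
]


@dataclass
class DeviceState:
    consecutive_failures: int = 0   # per device, not per account
    wipe_count: int = 0             # how many times the threshold has been reached


def replay(events, threshold=WIPE_THRESHOLD):
    """Apply events in order; return (per-device state, list of wipe alert strings)."""
    states = {}
    alerts = []
    for device, account, outcome in events:
        state = states.setdefault(device, DeviceState())
        if outcome == "success":
            # The logon is to the device; success on any account resets the counter.
            state.consecutive_failures = 0
        elif outcome == "failure":
            state.consecutive_failures += 1
            if state.consecutive_failures >= threshold:
                # Wipe is triggered here; the counter restarts for the wiped device.
                state.wipe_count += 1
                state.consecutive_failures = 0
                alerts.append(
                    f"{device}: wipe triggered after {threshold} consecutive "
                    f"unsuccessful logons (last account tried: {account})"
                )
        else:
            raise ValueError(f"unknown logon outcome: {outcome!r}")
    return states, alerts


def devices_at_risk(states, threshold=WIPE_THRESHOLD):
    """Devices one failure away from a wipe, useful for a lockout dashboard."""
    return sorted(d for d, s in states.items() if s.consecutive_failures == threshold - 1)


if __name__ == "__main__":
    final_states, wipe_alerts = replay(SAMPLE_EVENTS)
    for line in wipe_alerts:
        print("ALERT", line)
    print("one failure from wipe:", devices_at_risk(final_states))
```

The replay deliberately keys state on the device identifier only; a per-account counter would let an attacker rotate accounts to avoid the threshold, which is the behaviour the supplemental guidance rules out. The `devices_at_risk` view is the sort of figure a lockout dashboard would show an assessor alongside the wipe alerts.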
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD