This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system:
(a) Prohibits remote activation of collaborative computing devices with the following exceptions: [FedRAMP Assignment: (M)(H) no exceptions]; and
(b) Provides an explicit indication of use to users physically present at the devices.
SC-15 Additional FedRAMP Requirements and Guidance:
Requirement: The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.
NIST 800-53 (r4) Supplemental Guidance:
Collaborative computing devices include, for example, networked white boards, cameras, and microphones. Explicit indication of use includes, for example, signals to users when collaborative computing devices are activated. Related control: AC-21.
NIST 800-53 (r5) Discussion:
Collaborative computing devices and applications include remote meeting devices and applications, networked white boards, cameras, and microphones. The explicit indication of use includes signals to users when collaborative computing devices and applications are activated.
38North Guidance:
Meets Minimum Requirement:
Configure collaborative computing devices so that they cannot be activated remotely.
All users should receive a notification when a collaborative computing device is in use. Notification can include an indicator light that turns on when in use, or a specific text window that appears on screen. If a device does not have the means to alert a user when in use, the organization should provide manual means. Manual means can include, as necessary:
Paper notification on entryways; and
Locking entryways when a collaborative computing device is in use.
Best Practice:
Disable or remove collaborative computing devices from the authorization boundary.
Unofficial FedRAMP Guidance:
None
Assessment Evidence:
For each collaborative computing device, a configuration showing that remote activation is disabled.
Demonstration or evidence showing that collaborative computing devices are prohibited from use within the authorization boundary.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD