Skip to main content

AST-25: Re-Imaging Devices After Travel

AST 8 — High Protect

Mechanisms exist to re-image end user technology (e.g., laptops and mobile devices) when returning from overseas travel to an authoritarian country with a higher-than average risk for Intellectual Property (IP) theft or espionage against individuals and private companies.

Control Question: Does the organization re-image end user technology (e.g., laptops and mobile devices) when returning from overseas travel to an authoritarian country with a higher-than average risk for Intellectual Property (IP) theft or espionage against individuals and private companies?

General (5)
Framework Mapping Values
NIST 800-171 R3 (source) 03.04.12.b
NIST 800-171A R3 (source) A.03.04.12.b
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) AST-25
SCF CORE ESP Level 2 Critical Infrastructure AST-25
SCF CORE ESP Level 3 Advanced Threats AST-25
APAC (1)
Framework Mapping Values
APAC Australia ISM June 2024 ISM-1300 ISM-1556
Americas (1)
Framework Mapping Values
Americas Canada ITSP-10-171 03.04.12.B

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to re-image end user technology (e.g., laptops and mobile devices) when returning from overseas travel to an authoritarian country with a higher-than average risk for Intellectual Property (IP) theft or espionage against individuals and private companies.

Level 1 — Performed Informally

C|P-CMM1 is N/A, since a structured process is required to re-image end user technology (e.g., laptops and mobile devices) when returning from overseas travel to an authoritarian country with a higher-than average risk for Intellectual Property (IP) theft or espionage against individuals and private companies.

Level 2 — Planned & Tracked

C|P-CMM2 is N/A, since a well-defined process is required to re-image end user technology (e.g., laptops and mobile devices) when returning from overseas travel to an authoritarian country with a higher-than average risk for Intellectual Property (IP) theft or espionage against individuals and private companies.

Level 3 — Well Defined

Asset Management (AST) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • An IT Asset Management (ITAM) function, or similar function, governs asset management to help ensure compliance with requirements for asset management.
  • An ITAM function, or similar function, maintains an inventory of IT assets, covering both physical and virtual assets, as well as centrally managed asset ownership assignments.
  • Technology assets and data are categorized according to data classification and business criticality criteria.
  • A Cybersecurity Supply Chain Risk Management (C-SCRM) function oversees supply chain risks including the removal and prevention of certain technology services and/ or equipment designated as supply chain threats by a statutory or regulatory body.
  • Data/process owners document where sensitive/regulated data is stored, transmitted and processed, generating Data Flow Diagrams (DFDs) and network diagrams to document the flow of data.
  • ITAM reimages the devices prior to re-issue.
Level 4 — Quantitatively Controlled

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to re-image end user technology (e.g., laptops and mobile devices) when returning from overseas travel to an authoritarian country with a higher-than average risk for Intellectual Property (IP) theft or espionage against individuals and private companies.

Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to re-image end user technology (e.g., laptops and mobile devices) when returning from overseas travel to an authoritarian country with a higher-than average risk for Intellectual Property (IP) theft or espionage against individuals and private companies.

Assessment Objectives

  1. AST-25_A01 upon return from travel to authoritarian counties, the issued temporary, loaner or "travel-only" end user technology (e.g., laptops and mobile devices) is wiped / re-imaged before being re-issued.
  2. AST-25_A02 organization-defined security requirements are applied to the system or system components when the individuals return from travel.
  3. AST-25_A03 the following security requirements are applied to the system or system components when the individuals return from travel: <A.03.04.12.ODP[02]: security requirements>.

Technology Recommendations

Micro/Small

  • IT Asset Management (ITAM) program

Small

  • IT Asset Management (ITAM) program

Medium

  • IT Asset Management (ITAM) program

Large

  • IT Asset Management (ITAM) program

Enterprise

  • IT Asset Management (ITAM) program

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free