MDM-11: Restricting Access To Authorized Technology Assets, Applications and/or Services (TAAS)
Mechanisms exist to restrict the connectivity of unauthorized mobile devices from communicating with organizational Technology Assets, Applications and/or Services (TAAS).
Control Question: Does the organization restrict the connectivity of unauthorized mobile devices from communicating with organizational Technology Assets, Applications and/or Services (TAAS)?
General (4)
| Framework | Mapping Values |
|---|---|
| NIST 800-171 R3 (source) | 03.01.18.b |
| Shared Assessments SIG 2025 | M.1.2 |
| SCF CORE ESP Level 2 Critical Infrastructure | MDM-11 |
| SCF CORE ESP Level 3 Advanced Threats | MDM-11 |
EMEA (2)
| Framework | Mapping Values |
|---|---|
| EMEA Saudi Arabia CSCC-1 2019 | 2-5-1-1 |
| EMEA Saudi Arabia SACS-002 | TPC-84 |
Americas (1)
| Framework | Mapping Values |
|---|---|
| Americas Canada ITSP-10-171 | 03.01.18.B |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to restrict the connectivity of unauthorized mobile devices from communicating with organizational Technology Assets, Applications and/or Services (TAAS).
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to restrict the connectivity of unauthorized mobile devices from communicating with organizational Technology Assets, Applications and/or Services (TAAS).
Level 2 — Planned & Tracked
C|P-CMM2 is N/A, since a well-defined process is required to restrict the connectivity of unauthorized mobile devices from communicating with organizational Technology Assets, Applications and/or Services (TAAS).
Level 3 — Well Defined
Mobile Device Management (MDM) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, of the following criteria to exist:
- An Identity & Access Management (IAM) function, or similar function, implements access controls for mobile devices that restrict the connectivity of mobile devices to organizational Technology Assets, Applications and/or Services (TAAS).
- Organization-owned mobile devices are configured to protect data with the strength and integrity commensurate with the classification or sensitivity of the information stored on the device, and conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides), including cryptographic protections for sensitive/regulated data.
- MDM software is used to restrict the data that is stored/processed/transmitted on organization-owned and/or applicable Bring Your Own Device (BYOD) (e.g., personal devices) across the entire organization.
- MDM enforces a separate device workspace on applicable mobile devices to separate work-related and personal-related applications and data.
- Technologies are configured to use cryptographic mechanisms to protect the confidentiality and integrity of information on mobile devices through full-device or container encryption.
Level 4 — Quantitatively Controlled
See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to restrict the connectivity of unauthorized mobile devices from communicating with organizational Technology Assets, Applications and/or Services (TAAS).
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to restrict the connectivity of unauthorized mobile devices from communicating with organizational Technology Assets, Applications and/or Services (TAAS).
Assessment Objectives
- MDM-11_A01: The connectivity of unauthorized mobile devices is restricted from communicating with systems, applications and services.