
Sanity-Check: When can you use Cameras and Web-Cams in Secure Spaces?

Reading RMF, NIST, and other Government documentation can be overwhelming, but it doesn't have to be. If you're looking for an answer to this question, here is a great place to start.


Air Force Specific:

Section 4.13.1 and section 4.2

The use of cameras/microphones, including webcams, in unclassified and classified environments must be documented and approved in the information system security authorization package. Webcams must be configured according to Defense Information Systems Agency guidelines to prevent unauthorized access. Webcams must provide a clear visible indication when recording or transmitting video/audio to alert personnel.


AIR FORCE MANUAL 17-1301 Security Takeaways 

The manual emphasizes safeguarding against unauthorized access, data loss, and protecting classified information when using collaborative computing devices like webcams.

It requires taking precautions to prevent exposure of sensitive or classified information when using webcams, such as ensuring sensitive materials are not visible or audible within the webcam's range.


The Army and Marine Corps policies have more explicit requirements for disabling/covering webcams when not in use and in classified environments, but the Air Force manual does not explicitly state this requirement. So while AFMAN 17-1301 does not prohibit webcam usage, it mandates proper documentation, configuration, and security controls to prevent unauthorized access or exposure of sensitive data when using webcams on Air Force networks and systems.


Army

Army USAR Policy “Use of Web Cameras on USAR Managed Network v_0_6_1.pdf” states the following about webcams:

Webcam Restrictions

Webcams on USAR managed networks are disabled by Group Policy Object (GPO) due to security requirements and privacy concerns.

The USARC Chief Information Officer (CIO)/G-6 prohibits webcams with audio, video, recording, or transmission capabilities from areas where classified information is discussed or processed.


  • Exceptions and Approvals

The Authorizing Official or Program Information System Security Manager may permit exceptions if documented in the certification and accreditation package, and the USARC CIO/G-6 enforces classification, access, and encryption restrictions. All hardware and software used with a webcam must have a USARC CIO/G-6 Certificate to Operate. Separate requests must be submitted for using external webcams.


  • Security Requirements

Personally owned webcams are prohibited for use on USAR networks or official communications. Preventive measures are enforced, such as ensuring no sensitive/classified information is visible, audible, or discussed within the webcam's range. Webcams must be turned off and disabled when not in use, during extended absences, and in secure environments while processing classified information.


  • Network Limitations 

The USARC CIO/G-6 may temporarily limit or disable webcam usage to address bandwidth constraints on the network.


USMC 

The USMC has the most specific policy regarding webcams and their need to be covered when not in use, as seen in MARADMIN 263/20 UPDATE section 3.a.7, which states, "3.a.7. In classified and unclassified government spaces, or while in use during authorized telework, webcams, microphones, and headphones/headsets must be disconnected and/or disabled when not in use. As stated in reference (j), internal/embedded microphones and webcams may be enabled/used on unclassified systems; however, an enterprise policy will be enforced on these peripherals, set to auto-disable the peripheral after one hour if not acknowledged by the user."

The ISSO can grant exceptions as per MARADMIN 263/20.


ISSO takeaway

So the Marine Corps policy explicitly mandates that webcams must be disconnected or disabled (covered being implied as “disabled”) when not actively in use, both in classified and unclassified government spaces as well as during authorized telework, to prevent unauthorized access or exposure of sensitive information.

Relevant RMF Controls:


  • Assessment Procedure SC-15(3).1 CCI 001155

Description

The organization disables or removes collaborative computing devices from organization-defined information systems or information system components in organization-defined secure work areas.

Organization Guidance

The organization being inspected/assessed implements a process to disable or remove any device used that may incorporate camera, microphone, or smart board capability in secure work areas defined in SC-15 (3), CCI 1156. DoD has defined information systems or information system components as any device used that may incorporate camera, microphone, or smart board capability.

Implementation Guidance

The organization conducting the inspection/assessment obtains and examines the organization defined secure work area to ensure that any device that may incorporate camera, microphone, or smart board capability has been disabled or removed. DoD has defined information systems or information system components as any device used that may incorporate camera, microphone, or smart board capability.


  • Assessment Procedure SC-15(3).3 CCI 002451

Description

The organization defines the information systems or information system components from which collaborative computing devices in organization-defined secure work areas are to be disabled or removed.

Implementation Guidance

The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined information systems or information system components as any device used that may incorporate camera, microphone, or smart board capability.


  • Assessment Procedure SC-15.3 CCI 001152

Description

The information system provides an explicit indication of use to users physically present at collaborative computing devices.

Organization Guidance

The organization being inspected/assessed configures the information system to provide an explicit indication of use to users physically present at collaborative computing devices. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1152.

Implementation Guidance

The organization being inspected/assessed configures the information system to provide an explicit indication of use to users physically present at collaborative computing devices. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1152.


  • Assessment Procedure SC-42(3).3 CCI 002558

Description

The organization prohibits the use of devices possessing organization-defined environmental sensing capabilities in organization-defined facilities, areas, or systems.

Organization Guidance

The organization being inspected/assessed documents and implements a process to prohibit the use of devices possessing environmental sensing capabilities such as the recording audio or imagery (still or video) or transmitting information (i.e., cell phones, two-way radios) in spaces where Classified information is stored, processed, displayed, or discussed. DoD has defined the environmental sensing capabilities as environmental sensing capabilities such as the recording audio or imagery (still or video) or transmitting information (i.e., cell phones, two-way radios). DoD has defined the facilities, areas, and systems as spaces where Classified information is stored, processed, displayed, or discussed.

Implementation Guidance

The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed prohibits the use of devices possessing environmental sensing capabilities such as the recording audio or imagery (still or video) or transmitting information (i.e., cell phones, two way radios) in spaces where Classified information is stored, processed, displayed, or discussed. DoD has defined the environmental sensing capabilities as environmental sensing capabilities such as the recording audio or imagery (still or video) or transmitting information (i.e., cell phones, two way radios). DoD has defined the facilities, areas, and systems as spaces where Classified information is stored, processed, displayed, or discussed.

          

 
 
 
