03.13.12 — (a) Prohibit the remote activation of collaborative computing devices and applications with the following exceptions: {{ insert: param, A.03.13.12.ODP.01 }}. (b) Provide an explicit indication of use to users physically present at the devices.

What this control requires

(a) Prohibit the remote activation of collaborative computing devices and applications with the following exceptions: {{ insert: param, A.03.13.12.ODP.01 }}. (b) Provide an explicit indication of use to users physically present at the devices.

Source: NIST SP 800-171 R3 §03.13.12 (official control text).

Why this matters

Collaborative computing devices — cameras, microphones, screen-sharing tools — can be remotely activated by adversaries who compromise endpoints or meeting platforms, turning routine workstations into surveillance instruments. This control prevents unauthorized remote activation and ensures users physically present know when recording or transmission is active. Without explicit indicators and default-off postures, insiders or external attackers can capture sensitive conversations, proprietary designs on whiteboards, or confidential documents visible on screens. The goal is to make covert surveillance technically infeasible and give users immediate visual or audible notice that their device is broadcasting.

What evidence assessors expect

Assessors typically look for: screenshot, photo, PDF. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.

Related controls