Cyber Trackr - Free Compliance Library
Cyber Trackr
The Free Compliance Library

Commercial Mobile Device (CMD) Policy Security Technical Implementation Guide (STIG)

  • Version/Release: V2R5
  • Published: 2016-09-30
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This STIG contains the policy, training, and operating procedure security controls for the use of CMDs in the DoD environment. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil..
a
Site physical security policy must include a statement outlining whether CMDs with digital cameras (still and video) are permitted or prohibited on or in this DoD facility.
Low - V-24953 - SV-30690r4_rule
RMF Control
Severity
Low
CCI
Version
WIR-SPP-001
Vuln IDs
  • V-24953
Rule IDs
  • SV-30690r4_rule
Mobile devices with cameras are easily used to photograph sensitive information and areas if not addressed. Sites must establish, document, and train on how to mitigate this threat. Security ManagerSystem AdministratorECWN-1
Checks: C-31111r4_chk

This requirement applies to mobile operating system (OS) CMDs. Work with traditional reviewer to review site’s physical security policy. Verify the site addresses CMDs with embedded cameras. If there is no written physical security policy outlining whether CMDs with cameras are permitted or prohibited on or in this DoD facility, this is a finding.

Fix: F-27579r3_fix

Update the security documentation to include a statement outlining whether CMDs with digital cameras (still and video) are allowed in the facility.

b
A data spill (Classified Message Incident (CMI)) procedure or policy must be published for site CMDs.
Medium - V-24955 - SV-30692r6_rule
RMF Control
Severity
Medium
CCI
Version
WIR-SPP-003-01
Vuln IDs
  • V-24955
Rule IDs
  • SV-30692r6_rule
When a data spill occurs on a CMD, classified or sensitive data must be protected to prevent disclosure. After a data spill, the CMD must either be wiped using approved procedures, or destroyed if no procedures are available, so classified or sensitive data is not exposed. If a data spill procedure is not published, the site may not use approved procedures to remediate after a data spill occurs and classified data could be exposed.Other
Checks: C-31114r10_chk

Detailed Policy Requirements: This requirement applies to mobile operating system (OS) CMDs. This requirement also applies to sensitive DoD information stored on mobile OS devices that are not authorized to connect to DoD networks or store/process sensitive DoD information. Sensitive DoD data or information is defined as any data/information that has not been approved for public release by the site/Command Public Affairs Officer (PAO). In accordance with DoD policy, all components must establish Incident Handling and Response procedures. A CMI or “data spill” occurs when a classified email is inadvertently sent on an unclassified network and received on a wireless email device. Classified information may also be transmitted through some other form of file transfer to include web browser downloads and files transferred through tethered connections. CMDs are not authorized for processing classified data. A data spill also occurs if a classified document is attached to an otherwise unclassified email. For BlackBerry and Good Mobile Messaging systems, a data spill will only occur if the classified attached document is viewed or opened by the CMD user since the CMD system only downloads an attachment on the CMD if the user views or opens the attachment. The site's Incident Handling and Response procedures should reference NSA/CSS Storage Device Declassification Manual 9-12, Section 5, for smartphone destruction procedures. Check Procedures: Interview the ISSO. Verify classified incident handling, response, and reporting procedures are documented in site CMD procedures or security policies. If classified incident handling, response, and reporting procedures are not documented in site CMD procedures or security policies, this is a finding. This requirement applies at both sites where CMDs are issued and managed and at sites where the CMD management server is located. - At the CMD management server site, verify Incident Handling and Response procedures include actions to sanitize the CMD management server and email servers (e.g., Exchange, Oracle mail). - At CMD sites, verify Incident Handling and Response procedures include actions for incident reporting and actions to safeguard classified smartphone devices. The following actions will be followed for all CMDs involved in a data spill: If Incident Handling and Response procedures do not include required information, this is a finding.

Fix: F-27582r3_fix

Publish a Classified Message Incident (CMI) procedure or policy for the site.

c
If a data spill (Classified Message Incident (CMI)) occurs on a wireless email device or system at a site, the site must follow required data spill procedures.
High - V-24957 - SV-30694r5_rule
RMF Control
Severity
High
CCI
Version
WIR-SPP-003-02
Vuln IDs
  • V-24957
Rule IDs
  • SV-30694r5_rule
If required procedures are not followed after a data spill, classified data could be exposed to unauthorized personnel.System Administrator
Checks: C-31115r8_chk

Detailed Policy Requirements: This requirement applies to mobile operating system (OS) CMDs. This requirement also applies to sensitive DoD information stored on mobile OS devices that are not authorized to connect to DoD networks or store/process sensitive DoD information. Sensitive DoD data or information is defined as any data/information that has not been approved for public release by the site/Command Public Affairs Officer (PAO). If a data spill occurs on a CMD, the following actions must be completed: - The CMD management server and email servers (i.e., Exchange, Oracle mail, etc.) are handled as classified systems until they are sanitized according to appropriate procedures. (See NSA/CSS Storage Device Declassification Manual 9-12 for sanitization procedures.) - The CMD is handled as a classified device and destroyed according to DoD guidance for destroying classified equipment or sanitized as directed in Check WIR-SPP-003-01. Check Procedures: Interview the ISSO. Determine if the site has had a data spill within the previous 24 months. If yes, review written records, incident reports, and/or after action reports and determine if required procedures were followed. If the site had a data spill within the previous 24 months and required procedures were not followed, this is a finding.

Fix: F-27583r4_fix

Follow required procedures after a data spill occurs.

a
Required procedures must be followed for the disposal of CMDs.
Low - V-24958 - SV-30695r6_rule
RMF Control
Severity
Low
CCI
Version
WIR-SPP-004
Vuln IDs
  • V-24958
Rule IDs
  • SV-30695r6_rule
If appropriate procedures are not followed prior to disposal of a CMD, an adversary may be able to obtain sensitive DoD information or learn aspects of the configuration of the device that might facilitate a subsequent attack.System Administrator
Checks: C-31118r8_chk

This requirement applies to mobile operating system (OS) CMDs. Prior to disposing of a CMD (for example, if a CMD is transferred to another DoD or government agency), follow the disposal procedures found in the mobile operating system STIG Supplemental document. Interview the ISSO. Verify proper procedures are being followed and the procedures are documented. Check to see how retired, discarded, or transitioned CMDs were disposed of during the previous 6 – 12 months and verify compliance with requirements. If procedures are not documented or if documented, they were not followed, this is a finding.

Fix: F-27586r3_fix

Follow required procedures prior to disposing of a CMD or transitioning it to another user.

c
Mobile operating system (OS) based CMDs and systems must not be used to send, receive, store, or process classified messages unless specifically approved by NSA for such purposes and NSA approved transmission and storage methods are used.
High - V-24960 - SV-30697r5_rule
RMF Control
Severity
High
CCI
Version
WIR-SPP-005
Vuln IDs
  • V-24960
Rule IDs
  • SV-30697r5_rule
DoDD 8100.2 states wireless devices will not be used for classified data unless approved for such use. Classified data could be exposed to unauthorized personnel.System Administrator
Checks: C-31119r7_chk

Interview the ISSO. Verify written policy and training material exists (or requirement is listed on a signed user agreement) stating if and when CMDs can be used to transmit classified information. If written policy or training material does not exist, stating if and when CMDs can be used to receive, transmit, or process classified information, this is a finding.

Fix: F-27587r5_fix

Publish written policy or training material stating if and when CMDs can be used to process, send, or receive classified information.

a
Mobile device users must complete training on required content before being provided mobile devices or allowed access to DoD networks with a mobile device.
Low - V-24961 - SV-30698r6_rule
RMF Control
Severity
Low
CCI
Version
WIR-SPP-006-01
Vuln IDs
  • V-24961
Rule IDs
  • SV-30698r6_rule
Users are the first line of security controls for CMD systems. They must be trained in using CMD security controls or the system could be vulnerable to attack.System Administrator
Checks: C-31120r20_chk

Detailed Policy Requirements: This requirement applies to mobile operating system (OS) CMDs. All mobile device users must receive required training on the following topics before they are provided a mobile device or allowed access to DoD networks with a mobile device. Training is divided into two groups: Group A (general topics) and Group B (device specific topics). DISA’s Smartphones and Tablets security course satisfies the requirement for Group A training topics. The course is located at: http://iase.disa.mil/eta/smartphone_tablet_v1/launchpage.htm. a. Requirement that personally-owned PEDs are not used to transmit, receive, store, or process DoD information unless approved by the AO and the owner signs forfeiture agreement in case of a security incident. b. Procedures for wireless device usage in and around classified processing areas. c. Requirement that PEDs with digital cameras (still and video) are not allowed in any SCIF or other areas where classified documents or information is stored, transmitted, or processed. d. Procedures for a data spill. e. Requirement that Over-The-Air (OTA) wireless software updates should only come from DoD-approved sources. f. When CMD Wi-Fi Service is used, the following training will be completed: - Procedures for setting up a secure Wi-Fi connection and verifying the active connection is to a known access point. - Approved connection options (i.e., enterprise, home, etc.). - Requirements for home Wi-Fi connections. - The Wi-Fi radio will be disabled by the user whenever a Wi-Fi connection is not being used. - The Wi-Fi radio must never be enabled while the CMD is connected via a cable to a PC. g. Do not discuss FOUO or classified information on non-secure (devices whose cryptographic modules protecting data in transit are not FIPS 140-2 certified or NSA Type-1 certified for voice) cellular phones, cordless phones, and two-way radios used for voice communications. h. Do not connect PDAs, smartphones, and tablets to any workstation that stores, processes, or transmits classified data.. i. The installation of user owned applications, including geo-location aware applications, on the mobile device will be based on the Command’s Mobile Device Personal Use Policy. j. The use of the mobile OS device to view and/or download personal email will be based the Command’s Mobile Device Personal Use Policy. k. The download of user owned data (music files, picture files, etc.) on the mobile device will be based the Command’s Mobile Device Personal Use Policy. l. All radios on the mobile device (Wi-Fi, Bluetooth, near-field communications (NFC)) must be turned off when not needed. This does not apply to radios supporting voice and data communication over a wireless carrier’s cellular network, in which case continuous connectivity is permissible. m. Procedure on how to disable Location Services on the device. Location Services must be disabled for all applications or enabled only for applications approved by the AO for location based services. n. Connecting PDAs, smartphones, and tablets to any DoD workstation via a USB connection is prohibited. Note: Listing training requirements in the User Agreement is an acceptable procedure for informing/training users on many of the required training topics. Check Procedures: - Review site CMD training material to see if it contains the required content. Note: Some training content may be listed in the User Agreement signed by the user. - Verify site training records show that CMD users received required training and training occurred before the user was issued a CMD. Check training records for approximately five users, picked at random. If training material does not contain required content, this is a finding.

Fix: F-27591r4_fix

Have all mobile device users complete training on required content.

a
The site Incident Response Plan or other procedure must include procedures to follow when a mobile operating system (OS) based mobile device is reported lost or stolen.
Low - V-24962 - SV-30699r6_rule
RMF Control
Severity
Low
CCI
Version
WIR-SPP-007-01
Vuln IDs
  • V-24962
Rule IDs
  • SV-30699r6_rule
Sensitive DoD data could be stored in memory on a DoD operated mobile operating system (OS) based CMD and the data could be compromised if required actions are not followed when a CMD is lost or stolen. Without procedures for lost or stolen mobile operating system (OS) based CMD devices, it is more likely that an adversary could obtain the device and use it to access DoD networks or otherwise compromise DoD IA.System Administrator
Checks: C-31122r9_chk

Detailed Policy Requirements: The site (location where CMDs are issued and managed and the site where the mobile operating system (OS) based CMD management server is located) must publish procedures to follow if a CMD has been lost or stolen. The procedures should include (as appropriate): - Mobile device user notifies ISSO, SM, and other site personnel, as required by the site’s Incident Response Plan, within the timeframe required by the site’s Incident Response Plan. - The ISSO notifies the mobile device management server system administrator and other site personnel, as required by the site’s Incident Response Plan, within the timeframe required by the site’s Incident Response Plan. The site mobile device management server administrator sends a wipe command to the CMD and then disables the user account on the management server or removes the CMD from the user account. - The site will contact the carrier to have the device deactivated on the carrier’s network. Check procedures: Interview the ISSO. Review the site’s Incident Response Plan or other policies to determine if the site has a written plan of action. If the site does not have a written plan of action following a lost or stolen CMD, this is a finding.

Fix: F-27603r2_fix

Publish procedures to follow if a mobile operating system (OS) based CMD is lost or stolen.

a
The mobile device system administrator must perform a wipe command on all new or reissued CMDs and a STIG-compliant IT policy will be pushed to the device before issuing it to DoD personnel.
Low - V-24963 - SV-30700r5_rule
RMF Control
Severity
Low
CCI
Version
WIR-SPP-008-01
Vuln IDs
  • V-24963
Rule IDs
  • SV-30700r5_rule
Malware can be installed on the device at some point between shipping from the factory and delivery to DoD. The malware could result in the compromise of sensitive DoD information or result in the introduction of malware within the DoD network.System Administrator
Checks: C-31126r7_chk

Detailed Policy Requirements: The CMD system administrator must perform a wipe command on all new or reissued CMDs, reload system software, and load a STIG-compliant security policy on the CMD before issuing it to DoD personnel and placing the device on a DoD network. The intent is to return the device to the factory state before the DoD software baseline is installed. When wireless activation is performed, the activation password is passed to the user in a secure manner (e.g., activation password is encrypted and emailed to an individual). Check Procedures: Interview the ISSO. Verify required procedures are followed. If required procedures were not followed, this is a finding.

Fix: F-27597r3_fix

Perform a wipe command on all new or reissued mobile devices.

a
Mobile device software updates must only originate from approved DoD sources.
Low - V-24964 - SV-30701r4_rule
RMF Control
Severity
Low
CCI
Version
WIR-SPP-008-02
Vuln IDs
  • V-24964
Rule IDs
  • SV-30701r4_rule
Users must not accept Over-The-Air (OTA) wireless software updates from the wireless carrier or other non-DoD sources unless the updates have been tested and approved by the ISSO. Unauthorized/unapproved software updates could include malware or cause a degradation of the security posture of the CMD and DoD network infrastructure. All software updates should be reviewed and/or tested by the smartphone system administrator and originate from a DoD source or DoD-approved source. Wireless software updates should be pushed from the CMD management server, when this feature is available.System AdministratorECWN-1
Checks: C-31127r8_chk

Detailed Policy Requirements: Software updates must come from either DoD sources or DoD-approved sources. CMD system administrators should push OTA software updates from the CMD management server, when this feature is available. Otherwise the site administrator should verify the non-DoD source of the update has been approved by IT management. Check Procedures: Interview the ISSO and CMD management server system administrator. -Verify the site mobile device handheld and mobile device management server administrators are aware of the requirements. -Determine what procedures are used at the site for installing software updates on site-managed CMDs. If the site does not have procedures in place, so users can down-load software updates from a DoD source or DoD-approved source, this is a finding.

Fix: F-27598r3_fix

Ensure CMD software updates originate from DoD sources or approved non-DoD sources only. Users do not accept Over-The-Air (OTA) wireless software updates from non-approved sources.

a
Required actions must be followed at the site when a CMD has been lost or stolen.
Low - V-24969 - SV-30706r5_rule
RMF Control
Severity
Low
CCI
Version
WIR-SPP-007-02
Vuln IDs
  • V-24969
Rule IDs
  • SV-30706r5_rule
If procedures for lost or stolen CMDs are not followed, it is more likely that an adversary could obtain the device and use it to access DoD networks or otherwise compromise DoD IA.System AdministratorECSC-1
Checks: C-31133r4_chk

Interview the ISSO. Determine if any site mobile devices were reported lost or stolen within the previous 24 months. If yes, review written records, incident reports, and/or after action reports and determine if required procedures were followed. If the site had a lost or stolen mobile device within the previous 24 months and required procedures were not followed, this is a finding.

Fix: F-27592r3_fix

Follow required actions when a CMD is reported lost or stolen.

a
Mobile users must complete required training annually.
Low - V-28317 - SV-36045r5_rule
RMF Control
Severity
Low
CCI
Version
WIR-SPP-006-02
Vuln IDs
  • V-28317
Rule IDs
  • SV-36045r5_rule
Users are the first line of security controls for CMD systems. They must be trained in using CMD security controls or the system could be vulnerable to attack. If training is not renewed on an annual basis, users may not be informed of new security procedures or may forget previously trained procedures, which could lead to an exposure of sensitive DoD information.System AdministratorPETN-1
Checks: C-35165r7_chk

This requirement applies to mobile operating system (OS) CMDs. All CMD users must receive required training annually. If training records do not show users receiving required training at least annually, this is a finding.

Fix: F-30413r2_fix

Complete required training annually for all CMD users.

c
A security risk analysis must be performed on a mobile application by the Authorizing Official (AO) or AO-authorized authority prior to the application being approved for use.
High - V-32677 - SV-43023r4_rule
RMF Control
Severity
High
CCI
Version
WIR-SPP-021
Vuln IDs
  • V-32677
Rule IDs
  • SV-43023r4_rule
Non-approved applications can contain malware. Approved applications should be reviewed and tested by the AO to ensure they do not contain malware, spyware, or have unexpected features (e.g., send private information to a web site, track user actions, connect to a non-DoD management server). System Administrator
Checks: C-41050r9_chk

Detailed Requirements: Core applications are applications included in the mobile device operating system. Applications added by the wireless carrier are not considered core applications. A security risk analysis must be performed by the AO or AO-approved approval authority prior to a mobile OS application being approved for use. - The application review and approval process must include an evaluation of what OS level permissions are required by the application and how the application shares data and memory space with other applications. The review process must also ensure: - Approved applications do not contain malware or share data stored on the mobile OS device with non-DoD servers. Check Procedures: Ask the site for documentation showing what security risk analysis procedures are used by the AO prior to approving non-core applications for use. Determine if the procedures include an evaluation of the following: - What OS level permissions are required by the application? - The application does not contain malware. - The application does not share data stored on the CMDs with non-DoD servers. - If the application stores sensitive data, the application data storage container uses FIPS 140-2 validated cryptographic module. If a security review was not conducted on approved applications or the application security risk review procedures do not contain the required risk assessment evaluation tasks, this is a finding.

Fix: F-36582r3_fix

Have AO or Command IT CCB use the required procedures to review mobile applications prior to approving them.