General Mobile Device Policy (Non-Enterprise Activated) Security Technical Implementation Guide

  • Version/Release: V1R4
  • Published: 2013-07-03

This STIG provides policy, training, and operating procedure security controls for the use of mobile devices (smartphones and tablets) that are not authorized to be connected to a DoD network or to store or process sensitive or classified DoD data/information. Non-enterprise activated refers to any device that is operated under the use conditions found in Section 2.1 of the STIG overview document. See Section 1.1 of the STIG overview document for additional information.
All wireless/mobile systems (including associated peripheral devices, operating system, applications, network/PC connection methods, and services) must be approved by the approval authority prior to installation and use for processing DoD information.
High - V-8283 - SV-8778r5_rule
  • Severity: High
  • Version: WIR0005
  • Vuln IDs: V-8283
  • Rule IDs: SV-8778r5_rule
Unauthorized wireless systems expose DoD networks to attack. The DAA and appropriate commanders must be aware of all wireless systems used at the site. DAAs should ensure a risk assessment for each system, including associated services and peripherals, is conducted before approving. Accept risks only when needed to meet mission requirements.
Responsibility: Information Assurance Officer, Designated Approving Authority, Information Assurance Manager
IA Controls: ECWN-1
Checks: C-3890r6_chk

Detailed Policy Requirements:
For CMDs deployed under an Interim Security Configuration Guide (ISCG) or the DoD CIO's 6 April 2011 memorandum, Use of Commercial Mobile Devices (CMD) in the Department of Defense (DoD), the approval authority is the Component CIO. The site must have an Interim Authority To Test (IATT) issued by the Component CIO. For all other wireless devices and systems, the Designated Approving Authority (DAA) must approve the wireless device or system.

Detailed Check Procedures:
Work with the site POC to verify documentation. Performed with WIR0016 (equipment list).

For CMD systems without a STIG, verify the site has an approved IATT. Mark as a finding if a valid IATT is not available or is not signed by the Component CIO.

For all other wireless devices or systems, complete the following:
1. Request copies of written DAA approval documentation. Any of the following documents meets this requirement as proof of compliance:
- The DIACAP IA Implementation Plan must show the wireless system as part of the network diagram or list the system/equipment as being part of the network.
- DAA approval letter or other document. The document must list the system or equipment and the date its use is approved. The DAA approval letter or SSP may be a general statement of approval rather than list each device.
2. Verify DAA approval for the type of device used, such as wireless connection services, peripherals, and applications. Mark as a finding for any of the following reasons:
- Wireless systems, devices, services, or accessories are in use but DAA approval letter(s) do not exist.
- In the judgment of the reviewer, the configuration differs significantly from that approved by the DAA approval letter.

Note: The DAA approval for the wireless system does not need to be documented separately from other DAA approval documents for the site network, as long as the approval documents list the wireless system. For example, if a site network ATO lists the wireless system, the ATO meets the requirements of this check.

For Secure Mobile Environment Portable Electronic Device (SME PED), the following applies:
- An ATO or an IATO has been signed by the DAA prior to the connection of the unclassified Sensa server to the NIPRNet.
- Classified Connection Approval Office (CCAO) approval has been obtained prior to the connection of the classified Sensa server to the SIPRNet.

Note: The intent of this check is to ensure the DAA has approved the use of the wireless system being reviewed at the site. This approval can be documented in several ways. The most common is that the SSP for the site includes the wireless system and the DAA has signed the SSP. If the command uses an enterprise-wide SSP that includes the wireless system being reviewed and the SSP applies to the site being reviewed, then the requirement has been met.

Fix: F-19194r3_fix

Obtain DAA approval (documented by memo or SSP) prior to wireless systems being installed and used. For CMD systems without a STIG, obtain an IATT prior to wireless systems being installed and used.

The site IAO must maintain a list of all DAA-approved wireless and non-wireless PED devices that store, process, or transmit DoD information.
Low - V-8284 - SV-8779r5_rule
  • Severity: Low
  • Version: WIR0015
  • Vuln IDs: V-8284
  • Rule IDs: SV-8779r5_rule
The site must maintain a list of all DAA-approved wireless and non-wireless CMDs. Close tracking of authorized wireless devices will facilitate the search for rogue devices. Sites must keep good inventory control over wireless and handheld devices used to store, process, and transmit DoD data, since these devices can be easily lost or stolen, leading to possible exposure of DoD data.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: DCHW-1
Checks: C-7600r4_chk

Detailed Policy Requirements:
This check applies to any wireless end user device (smartphone, tablet, Wi-Fi network interface card, etc.) and wireless network devices (access point, authentication server, etc.). The list of approved wireless devices will be stored in a secure location and will include the following at a minimum:
- Access point Media Access Control (MAC) address (WLAN only)
- Access point IP address (WLAN only)
- Wireless client MAC address
- Network DHCP range (WLAN & WWAN only)
- Type of encryption enabled
- Access point SSID (WLAN only)
- Manufacturer, model number, and serial number of wireless equipment
- Equipment location
- Assigned users with telephone numbers

For CMDs:
- Manufacturer, model number, and serial number of wireless equipment.
- Equipment location or who the device was issued to.
- Assigned users with telephone numbers and email addresses.

For SME PED: Local commands will keep track of devices by assigning a control number or using the serial number for accountability purposes.

Check Procedures:
Work with the site POC:
1. Request copies of the site's wireless equipment list. A detailed SSAA/SSP or database may be used.
2. Verify all minimum data elements listed above are included in the equipment list.
3. Verify all wireless devices used at the site, including infrared mice/keyboards, are included.
4. Verify procedures are in place for ensuring the list is kept updated.
5. Note the date of last update and whether the list has many inaccuracies.

Mark as a finding if the equipment list does not exist, all data elements are not tracked, or the list is outdated.

This check applies to:
- Wireless networking devices, such as access points, bridges, and switches.
- WLAN client devices, such as laptop computers and PDAs if used with WLAN NICs.
- Wireless peripherals, such as Bluetooth and infrared mice and keyboards; communications devices, such as VoIP, cellular/satellite telephones, and broadband NICs; and non-wireless CMDs that store, process, or transmit DoD information.

Fix: F-3728r2_fix

Maintain a list of all DAA-approved WLAN devices. The list must be updated periodically and will contain the data elements required by the STIG policy.

All users of mobile devices or wireless devices must sign a user agreement before the mobile or wireless device is issued to the user and the user agreement used at the site must include required content.
Low - V-13982 - SV-14593r4_rule
  • Severity: Low
  • Version: WIR0030
  • Vuln IDs: V-13982
  • Rule IDs: SV-14593r4_rule
Lack of user training and understanding of responsibilities to safeguard wireless technology is a significant vulnerability to the enclave. Once policies are established, users must be trained on these requirements or the risk to the network remains. User agreements are particularly important for mobile and remote users since there is a high risk of loss, theft, or compromise. Thus, this signed agreement is a good best practice to help ensure the site is confirming the user is aware of the risks and proper procedures.
Responsibility: Information Assurance Officer, Information Assurance Manager
IA Controls: ECWN-1, PRTN-1
Checks: C-11415r3_chk

Additional Policy Requirements:
The user agreements must include DAA authorized tasks for the mobile device and relevant security requirements, including, but not limited to, the following:

1. DoD CIO Memorandum, "Policy on Use of Department of Defense (DoD) Information Systems Standard Consent Banner and User Agreement," 9 May 2008, directs that the following content will be included in a site User Agreement:

STANDARD MANDATORY NOTICE AND CONSENT PROVISION FOR ALL DOD INFORMATION SYSTEM USER AGREEMENTS

By signing this document, you acknowledge and consent that when you access Department of Defense (DoD) information systems:
- You are accessing a U.S. Government (USG) information system (IS) (which includes any device attached to this information system) that is provided for U.S. Government authorized use only.
- You consent to the following conditions:
  o The U.S. Government routinely intercepts and monitors communications on this information system for purposes including, but not limited to, penetration testing, communications security (COMSEC) monitoring, network operations and defense, personal misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
  o At any time, the U.S. Government may inspect and seize data stored on this information system.
  o Communications using, or data stored on, this information system are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any U.S. Government-authorized purpose.
  o This information system includes security measures (e.g., authentication and access controls) to protect U.S. Government interests--not for your personal benefit or privacy.
  o Notwithstanding the above, using an information system does not constitute consent to personnel misconduct, law enforcement, or counterintelligence investigative searching or monitoring of the content of privileged communications or data (including work product) that are related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Under these circumstances, such communications and work product are private and confidential, as further explained below:
    - Nothing in this User Agreement shall be interpreted to limit the user's consent to, or in any other way restrict or affect, any U.S. Government actions for purposes of network administration, operation, protection, or defense, or for communications security. This includes all communications and data on an information system, regardless of any applicable privilege or confidentiality.
    - The user consents to interception/capture and seizure of ALL communications and data for any authorized purpose (including personal misconduct, law enforcement, or counterintelligence investigation). However, consent to interception/capture or seizure of communications and data is not consent to the use of privileged communications or data for personnel misconduct, law enforcement, or counterintelligence investigation against any party and does not negate any applicable privilege or confidentiality that otherwise applies.
    - Whether any particular communication or data qualifies for the protection of a privilege, or is covered by a duty of confidentiality, is determined in accordance with established legal standards and DoD policy. Users are strongly encouraged to seek personal legal counsel on such matters prior to using an information system if the user intends to rely on the protections of a privilege or confidentiality.
    - Users should take reasonable steps to identify such communications or data that the user asserts are protected by any such privilege or confidentiality. However, the user's identification or assertion of a privilege or confidentiality is not sufficient to create such protection where none exists under established legal standards and DoD policy.
    - A user's failure to take reasonable steps to identify such communications or data as privileged or confidential does not waive the privilege or confidentiality if such protections otherwise exist under established legal standards and DoD policy. However, in such cases the U.S. Government is authorized to take reasonable actions to identify such communication or data as being subject to a privilege or confidentiality, and such actions do not negate any applicable privilege or confidentiality.
    - These conditions preserve the confidentiality of the communication or data, and the legal protections regarding the use and disclosure of privileged information, and thus such communications and data are private and confidential. Further, the U.S. Government shall take all reasonable measures to protect the content of captured/seized privileged communications and data to ensure they are appropriately protected.
  o In cases when the user has consented to content searching or monitoring of communications or data for personnel misconduct, law enforcement, or counterintelligence investigative searching, (i.e., for all communications and data other than privileged communications or data that are related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants), the U.S. Government may, solely at its discretion and in accordance with DoD policy, elect to apply a privilege or other restriction on the U.S. Government's otherwise-authorized use or disclosure of such information.
  o All of the above conditions apply regardless of whether the access or use of an information system includes the display of a Notice and Consent Banner ("banner"). When a banner is used, the banner functions to remind the user of the conditions that are set forth in this User Agreement, regardless of whether the banner describes these conditions in full detail or provides a summary of such conditions, and regardless of whether the banner expressly references this User Agreement.

2. For SME PED, see the SME PED User Agreement template included with the SME PED STIG for specific requirements.

3. DoD sites are required to add the following to all site User Agreements:
- The agreement should contain the type of access required by the user (privileged, end-user, etc.).
- The agreement should contain the responsibilities, liabilities, and security measures (e.g., malicious code detection training) involved in the use of the wireless remote access device.
- Incident handling and reporting procedures will be identified along with a designated point of contact.
- The remote user can be held responsible for damage caused to a Government system or data through negligence or a willful act.
- The policy should contain general security requirements and practices, which are acknowledged and signed by the remote user.
- If classified devices are used for remote access from an alternative work site, the remote user will adhere to DoD policy in regard to facility clearances, protection, storage, distributing, etc.
- Government owned hardware and software is used for official duties only. The employee is the only individual authorized to use this equipment.
- User agrees to complete required wireless device training annually.

4. For approved smartphone and tablet devices, add to all User Agreements:
- Only approved Bluetooth headsets/handsfree devices will be used.

Check Procedures:
1. Inspect a copy of the site's user agreement.
2. Verify the user agreement has the minimum elements described in the STIG policy.
3. Select 10 names of assigned site personnel and verify they have a signed user agreement on file for assigned wireless equipment (e.g., wireless laptop, smartphone, tablet, etc.).

Mark as a finding if site user agreements do not exist or are not compliant with the minimum requirements.

For SME PED:
- Verify the Terminal Administrator (TA) has users reaffirm their User Agreement at least once every 12 months. Review the dates that site User Agreements were signed.

Fix: F-23396r1_fix

Implement User Agreement with required content. Have all users sign a User Agreement.

Personally owned or contractor owned CMDs must not be used to transmit, receive, store, or process DoD information or connect to DoD networks.
Medium - V-15782 - SV-16721r4_rule
  • Severity: Medium
  • Version: WIR0010-01
  • Vuln IDs: V-15782
  • Rule IDs: SV-16721r4_rule
The use of unauthorized personally owned CMDs to receive, store, process, or transmit DoD data could expose sensitive DoD data to unauthorized people. The DoD CIO currently prohibits the use of personally owned or contractor owned CMDs (Bring Your Own Device – BYOD).
Responsibility: System Administrator, Information Assurance Officer, Designated Approving Authority
IA Controls: ECSC-1, ECWN-1
Checks: C-15968r6_chk

Interview the site IAM and IAO and determine if personally owned or contractor owned CMDs (Bring Your Own Device – BYOD) are used at the site to transmit, receive, store, or process DoD information or connect to DoD networks. Mark as a finding if personally owned or contractor owned CMDs (Bring Your Own Device – BYOD) are used to transmit, receive, store, or process DoD information or connect to DoD networks.

Fix: F-4558r2_fix

Prohibit use of personally owned or contractor owned CMDs (Bring Your Own Device – BYOD) at the site to transmit, receive, store, or process DoD information or connect to DoD networks.

Site physical security policy must include a statement outlining whether CMDs with digital cameras (still and video) are permitted or prohibited on or in this DoD facility.
Low - V-24953 - SV-30690r3_rule
  • Severity: Low
  • Version: WIR-SPP-001
  • Vuln IDs: V-24953
  • Rule IDs: SV-30690r3_rule
Mobile devices with cameras are easily used to photograph sensitive information and areas if the risk is not addressed. Sites must establish, document, and train on how to mitigate this threat.
Responsibility: Information Assurance Officer, Security Manager
IA Controls: ECWN-1
Checks: C-31111r3_chk

This requirement applies to mobile operating system (OS) CMDs. Work with the traditional reviewer to review the site's physical security policy. Verify the site addresses CMDs with embedded cameras. Mark as a finding if there is no written physical security policy outlining whether CMDs with cameras are permitted or prohibited on or in this DoD facility.

Fix: F-27579r3_fix

Update the security documentation to include a statement outlining whether CMDs with digital cameras (still and video) are allowed in the facility.

A data spill (Classified Message Incident (CMI)) procedure or policy must be published for site CMDs.
Medium - V-24955 - SV-30692r4_rule
  • Severity: Medium
  • Version: WIR-SPP-003-01
  • Vuln IDs: V-24955
  • Rule IDs: SV-30692r4_rule
When a data spill occurs on a CMD, classified or sensitive data must be protected to prevent disclosure. After a data spill, the CMD must either be wiped using approved procedures, or destroyed if no procedures are available, so classified or sensitive data is not exposed. If a data spill procedure is not published, the site may not use approved procedures to remediate after a data spill occurs and classified data could be exposed.
Responsibility: Information Assurance Officer
IA Controls: VIIR-1, VIIR-2
Checks: C-31114r4_chk

Detailed Policy Requirements:
This requirement applies to mobile operating system (OS) CMDs. This requirement also applies to sensitive DoD information stored on mobile OS devices that are not authorized to connect to DoD networks or store/process sensitive DoD information. Sensitive DoD data or information is defined as any data/information that has not been approved for public release by the site/Command Public Affairs Officer (PAO).

In accordance with DoD policy, all components must establish Incident Handling and Response procedures. A CMI or "data spill" occurs when a classified email is inadvertently sent on an unclassified network and received on a wireless email device. Classified information may also be transmitted through some other form of file transfer, including web browser downloads and files transferred through tethered connections. CMDs are not authorized for processing classified data. A data spill also occurs if a classified document is attached to an otherwise unclassified email. For BlackBerry and Good Mobile Messaging systems, a data spill will only occur if the classified attached document is viewed or opened by the CMD user, since the CMD system only downloads an attachment to the CMD if the user views or opens the attachment.

The site's Incident Handling and Response procedures should reference NSA/CSS Storage Device Declassification Manual 9-12, Section 5, for smartphone destruction procedures.

Check Procedures:
Interview the IAO. Verify classified incident handling, response, and reporting procedures are documented in site CMD procedures or security policies. Mark as a finding if classified incident handling, response, and reporting procedures are not documented in site CMD procedures or security policies.

This requirement applies both at sites where CMDs are issued and managed and at sites where the CMD management server is located.
- At the CMD management server site, verify Incident Handling and Response procedures include actions to sanitize the CMD management server and email servers (e.g., Exchange, Oracle mail).
- At CMD sites, verify Incident Handling and Response procedures include actions for incident reporting and actions to safeguard classified smartphone devices.

The following actions will be followed for all CMDs involved in a data spill:
- BlackBerry CMDs: follow procedures in the DoD Data Spill Procedures Guide for BlackBerry Smartphones located at http://iase.disa.mil/stigs/net_perimeter/wireless/smartphone.html.
- Windows Mobile, Android, and iOS CMDs: the CMD will be destroyed.

Mark as a finding if Incident Handling and Response procedures do not include required information.

Fix: F-27582r3_fix

Publish a Classified Message Incident (CMI) procedure or policy for the site.

If a data spill (Classified Message Incident (CMI)) occurs on a wireless email device or system at a site, the site must follow required data spill procedures.
High - V-24957 - SV-30694r3_rule
  • Severity: High
  • Version: WIR-SPP-003-02
  • Vuln IDs: V-24957
  • Rule IDs: SV-30694r3_rule
If required procedures are not followed after a data spill, classified data could be exposed to unauthorized personnel.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: VIIR-1, VIIR-2
Checks: C-31115r3_chk

Detailed Policy Requirements:
This requirement applies to mobile operating system (OS) CMDs. This requirement also applies to sensitive DoD information stored on mobile OS devices that are not authorized to connect to DoD networks or store/process sensitive DoD information. Sensitive DoD data or information is defined as any data/information that has not been approved for public release by the site/Command Public Affairs Officer (PAO).

If a data spill occurs on a CMD, the following actions must be completed:
- The CMD management server and email servers (i.e., Exchange, Oracle mail, etc.) are handled as classified systems until they are sanitized according to appropriate procedures. (See NSA/CSS Storage Device Declassification Manual 9-12 for sanitization procedures.)
- The CMD is handled as a classified device and destroyed according to DoD guidance for destroying classified equipment, or sanitized as directed in Check WIR-SPP-003-01.

Check Procedures:
Interview the IAO. Determine if the site has had a data spill within the previous 24 months. If yes, review written records, incident reports, and/or after action reports and determine if required procedures were followed. Mark as a finding if the site had a data spill within the previous 24 months and required procedures were not followed.

Fix: F-27583r4_fix

Follow required procedures after a data spill occurs.

Required procedures must be followed for the disposal of CMDs.
Low - V-24958 - SV-30695r4_rule
  • Severity: Low
  • Version: WIR-SPP-004
  • Vuln IDs: V-24958
  • Rule IDs: SV-30695r4_rule
If appropriate procedures are not followed prior to disposal of a CMD, an adversary may be able to obtain sensitive DoD information or learn aspects of the configuration of the device that might facilitate a subsequent attack.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1, PECS-1
Checks: C-31118r5_chk

This requirement applies to mobile operating system (OS) CMDs. Prior to disposing of a CMD (for example, if a CMD is transferred to another DoD or government agency), follow the disposal procedures found in the STIG Technology Overview document of the STIG for the CMD of interest. For example, look in the BlackBerry Overview document in the BlackBerry STIG for the disposal procedures for a BlackBerry smartphone.

Interview the IAO. Verify proper procedures are being followed and the procedures are documented. Check how retired, discarded, or transitioned CMDs were disposed of during the previous 6 – 12 months and verify compliance with requirements. Mark as a finding if procedures are not documented or, if documented, were not followed.

Fix: F-27586r3_fix

Follow required procedures prior to disposing of a CMD or transitioning it to another user.

Mobile operating system (OS) based CMDs and systems must not be used to send, receive, store, or process classified messages unless specifically approved by NSA for such purposes and NSA approved transmission and storage methods are used.
High - V-24960 - SV-30697r3_rule
  • Severity: High
  • Version: WIR-SPP-005
  • Vuln IDs: V-24960
  • Rule IDs: SV-30697r3_rule
DoDD 8100.2 states wireless devices will not be used for classified data unless approved for such use. Classified data could be exposed to unauthorized personnel.
Responsibility: Information Assurance Officer
IA Controls: ECWN-1
Checks: C-31119r4_chk

Interview the IAO. Verify written policy and training material exist (or the requirement is listed on a signed user agreement) stating CMDs must not be used to transmit classified information unless approved for such use. Mark as a finding if written policy or training material stating CMDs must not be used to receive, transmit, or process classified information does not exist.

Fix: F-27587r4_fix

Publish written policy or training material stating CMDs must not process, send, or receive classified information unless approved for use.

Mobile device users must complete training on required content before being provided mobile devices or allowed access to DoD networks with a mobile device.
Low - V-24961 - SV-30698r4_rule
  • Severity: Low
  • Version: WIR-SPP-006-01
  • Vuln IDs: V-24961
  • Rule IDs: SV-30698r4_rule
Users are the first line of security controls for CMD systems. They must be trained in using CMD security controls or the system could be vulnerable to attack.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: PETN-1
Checks: C-31120r13_chk

Detailed Policy Requirements:
This requirement applies to mobile operating system (OS) CMDs. All mobile device users must receive required training on the following topics before they are provided a mobile device or allowed access to DoD networks with a mobile device. Training is divided into two groups: Group A (general topics) and Group B (device specific topics). DISA's Smartphones and Tablets security course satisfies the requirement for Group A training topics. The course is located at: http://iase.disa.mil/eta/smartphone_tablet_v1/launchpage.htm.

Group A – General Topics
a. Requirement that personally-owned PEDs are not used to transmit, receive, store, or process DoD information unless approved by the DAA and the owner signs a forfeiture agreement in case of a security incident.
b. Procedures for wireless device usage in and around classified processing areas.
c. Requirement that PEDs with digital cameras (still and video) are not allowed in any SCIF or other areas where classified documents or information is stored, transmitted, or processed.
d. Procedures for a data spill.
e. Requirement that wireless email devices and systems are not used to send, receive, store, or process classified messages (does not apply to the SME PED).
f. Requirement that CMDs and systems will not be connected to classified DoD networks or information systems.
g. Requirement that a user immediately notify appropriate site contacts (i.e., IAO, CMD management server administrator, supervisor, etc.) when his/her CMD has been lost or stolen.
h. Secure Bluetooth Smart Card Reader (SCR) usage:
--Secure pairing procedures.
--Perform secure pairing immediately after the SCR is reset.
--Accept only Bluetooth connection requests from devices they control.
--Monitor Bluetooth connection requests and activity in order to detect possible attacks and unauthorized activity.
i. Procedures on how to sign and encrypt email.
j. If Short Message Service (SMS) and/or Multimedia Messaging Service (MMS) are used, IA awareness training material should include SMS/MMS security issues.
k. Requirement that Over-The-Air (OTA) wireless software updates should only come from DoD approved sources.
l. When CMD Wi-Fi Service is used, the following training will be completed:
--Procedures for setting up a secure Wi-Fi connection and verifying the active connection is to a known access point.
--Approved connection options (i.e., enterprise, home, etc.).
--Requirements for home Wi-Fi connections.
--The Wi-Fi radio will be disabled by the user whenever a Wi-Fi connection is not being used.
--The Wi-Fi radio must never be enabled while the CMD is connected to a PC.
m. Do not discuss sensitive or classified information on non-secure (devices not FIPS 140-2 certified or NSA Type-1 certified for voice) cellular phones, cordless phones, and two-way radios used for voice communications.
n. Do not connect PDAs, smartphones, and tablets to any workstation that stores, processes, or transmits classified data. (Exception: SME PED.)
o. The installation of user owned applications, including geo-location aware applications, on the mobile device will be based on the Command's Mobile Device Personal Use Policy.
p. The use of the mobile OS device to view and/or download personal email will be based on the Command's Mobile Device Personal Use Policy.
q. The download of user owned data (music files, picture files, etc.) on the mobile device will be based on the Command's Mobile Device Personal Use Policy.
r. The use of the mobile device to connect to user social media web accounts will be based on the Command's Mobile Device Personal Use Policy.
s. When the Bluetooth radio is authorized for use with an approved smartcard reader or handsfree headset, the user will disable the Bluetooth radio whenever a Bluetooth connection is not being used.
t. All radios on the mobile device (Wi-Fi, Bluetooth, near-field communications (NFC)) must be turned off when not needed.
u. Procedure on how to disable Location Services on the device. Location Services must be disabled for all applications or enabled only for applications approved by the DAA for location based services.

Group B – Device Specific Topics

Additional BlackBerry requirements:
a. If the use of the BlackBerry Keeper is approved by the DAA, users are trained on password configuration and change requirements.
--Passwords must be changed at least every 90 days.
b. When the SCR is used with a PC, users with PC administrative rights will not disable the RIM Bluetooth Lockdown tool on the PC.
c. When using an approved Bluetooth headset or handsfree device, the following procedures will be followed:
-The user will pair only an approved device to the BlackBerry handheld.
-If the user receives a request for Bluetooth pairing on their BlackBerry handheld from a Bluetooth device other than their smart card reader (CAC reader) or headset, the request will not be accepted by the user.
-Pairing of a Bluetooth headset with the BlackBerry handheld will be completed in a non-public area whenever possible.

Additional iOS device (iPhone and iPad) requirements:
a. Procedure on how to disable the device Bluetooth radio when not being used.
b. Procedure on how to disable the device Wi-Fi radio when not being used.
c. Procedure to disable the "Ask to Join Networks" Wi-Fi feature. This feature must be disabled at all times.
d. iMessage should be considered an unsecure messaging application, similar to cellular SMS. Sensitive information should not be sent via iMessage.
e. Procedure for not allowing applications access to PIM data (calendar, address book, etc.) when prompted during application install. The only allowed exception is for the secure email application (for example, the Good application).
f. Procedure for not allowing applications access to iOS device Personal Information Manager (PIM) data (calendar, contacts, notes, etc.) when prompted during application installation. The only allowed exception is for the DoD email application (for example, the Good Technology app).

Additional Android requirements:
a. Procedure on how to disable the device Bluetooth radio when not being used.
b. Procedure on how to disable the device Wi-Fi radio when not being used.

Additional training requirements for mobile devices not authorized to connect to a DoD network or store/process sensitive DoD information (Non-Enterprise Activated):
a. Mobile Device (Non-Enterprise Activated) must not be connected to a DoD wired or wireless network. Allowed exception: the device can be connected to a DoD managed Internet-Gateway-only connected Wi-Fi access point (AP).
b. Mobile Device (Non-Enterprise Activated) must not have sensitive or classified data stored or processed on the device.
c. Mobile Device (Non-Enterprise Activated) must not be used to connect to a DoD email system.
d. The user will read and be familiar with the Personal Use Policy that the local site and/or Command must publish for site/Command managed or owned CMDs.

Additional BlackBerry PlayBook Tablet requirements:
When using BlackBerry Bridge, the user will not attach files saved on the PlayBook to email messages sent on the BlackBerry smartphone.

Note: Listing training requirements in the User Agreement is an acceptable procedure for informing/training users on many of the required training topics.

Check Procedures:
- Review site CMD training material to see if it contains the required content. Note: Some training content may be listed in the User Agreement signed by the user.
- Verify site training records show that CMD users received required training and that training occurred before the user was issued a CMD. Check training records for approximately five users, picked at random.

Mark as a finding if training material does not contain required content.

Fix: F-27591r4_fix

Have all mobile device users complete training on required content.

The site Incident Response Plan or other procedure must include procedures to follow when a mobile operating system (OS) based mobile device is reported lost or stolen.
Low - V-24962 - SV-30699r4_rule
RMF Control
Severity
Low
CCI
Version
WIR-SPP-007-01
Vuln IDs
  • V-24962
Rule IDs
  • SV-30699r4_rule
Sensitive DoD data could be stored in memory on a DoD operated mobile operating system (OS) based CMD and the data could be compromised if required actions are not followed when a CMD is lost or stolen. Without procedures for lost or stolen mobile operating system (OS) based CMD devices, it is more likely that an adversary could obtain the device and use it to access DoD networks or otherwise compromise DoD IA.
Responsibility
Information Assurance Officer
IA Controls
ECSC-1, VIIR-1, VIIR-2
Checks: C-31122r4_chk

Detailed Policy Requirements: The site (the location where CMDs are issued and managed and the site where the mobile operating system (OS) based CMD management server is located) must publish procedures to follow if a CMD has been lost or stolen. The procedures should include (as appropriate):
-Mobile device user notifies the IAO, SM, and other site personnel, as required by the site’s Incident Response Plan, within the timeframe required by the site’s Incident Response Plan.
-The IAO notifies the mobile device management server system administrator and other site personnel, as required by the site’s Incident Response Plan, within the timeframe required by the site’s Incident Response Plan.
-The site mobile device management server administrator sends a wipe command to the CMD and then disables the user account on the management server or removes the CMD from the user account.
-The site will contact the carrier to have the device deactivated on the carrier’s network.

Check Procedures: Interview the IAO. Review the site’s Incident Response Plan or other policies and determine if the site has a written plan of action. Mark as a finding if the site does not have a written plan of action to follow after a lost or stolen CMD.

Fix: F-27603r2_fix

Publish procedures to follow if a mobile operating system (OS) based CMD is lost or stolen.

Required actions must be followed at the site when a CMD has been lost or stolen.
Low - V-24969 - SV-30706r4_rule
RMF Control
Severity
Low
CCI
Version
WIR-SPP-007-02
Vuln IDs
  • V-24969
Rule IDs
  • SV-30706r4_rule
If procedures for lost or stolen CMDs are not followed, it is more likely that an adversary could obtain the device and use it to access DoD networks or otherwise compromise DoD IA.
Responsibility
System Administrator
Information Assurance Officer
IA Controls
ECSC-1
Checks: C-31133r2_chk

Interview the IAO. Determine if any site mobile devices were reported lost or stolen within the previous 24 months. If yes, review written records, incident reports, and/or after action reports and determine if required procedures were followed. Mark as a finding if the site had a lost or stolen mobile device within the previous 24 months and required procedures were not followed.

Fix: F-27592r3_fix

Follow required actions when a CMD is reported lost or stolen.

Mobile users must complete required training annually.
Low - V-28317 - SV-36045r4_rule
RMF Control
Severity
Low
CCI
Version
WIR-SPP-006-02
Vuln IDs
  • V-28317
Rule IDs
  • SV-36045r4_rule
Users are the first line of security controls for CMD systems. They must be trained in using CMD security controls or the system could be vulnerable to attack. If training is not renewed on an annual basis, users may not be informed of new security procedures or may forget previously trained procedures, which could lead to an exposure of sensitive DoD information.
Responsibility
Information Assurance Officer
IA Controls
PETN-1
Checks: C-35165r4_chk

This requirement applies to mobile operating system (OS) CMDs. All CMD users must receive required training annually. Mark as a finding if training records do not show users receiving required training at least annually.

Fix: F-30413r2_fix

Complete required training annually for all CMD users.

Smartphones and tablets classified as non-enterprise activated must not be connected to a DoD network.
High - V-30413 - SV-40118r1_rule
RMF Control
Severity
High
CCI
Version
WIR-SPP-012
Vuln IDs
  • V-30413
Rule IDs
  • SV-40118r1_rule
Some smartphones and tablets, including some models of Windows 7, Android, iOS, and BlackBerry smartphones and tablets, are not authorized to connect to DoD networks or to DoD PCs that will be connected to DoD networks, because they do not have required security controls. There is a high risk of introducing malware on a DoD network if these types of devices are connected to a DoD network.
IA Controls
ECWN-1
Checks: C-39065r1_chk

Smartphones and tablets classified as non-enterprise activated are not authorized to connect to a DoD network. Examples of unauthorized DoD network connections include:
-Connecting the mobile device to a DoD network interface device (switch, router, Wi-Fi access point, etc.). Allowed exception: the device can be connected to a DoD managed Internet-Gateway-only connected Wi-Fi access point (AP) (see the Wireless STIG for more information).
-Connecting the mobile device to a DoD PC that is authorized to connect to a DoD network.
-Managing the mobile device from a DoD network connected Mobile Device Management (MDM) server.
-Connecting the mobile device to a web server located on a DoD network, unless the server is available to the general public.
-Connecting the mobile device to a DoD email system.

Check Procedures: Interview the IAO and 2-3 users who are using mobile OS devices that are managed by the site, which are not authorized to connect to DoD networks. Verify written policy and training material exists (or the requirement is listed on a signed user agreement) stating mobile OS devices must not be connected to a DoD network, unless authorized to do so. Verify users are aware of the requirement. Mark as a finding if written policy or training material does not exist or users are not aware of the requirement.

Fix: F-34176r1_fix

Do not connect smartphones and tablets classified as non-enterprise activated to DoD networks.

A written policy and training material must exist that states smartphones/tablets that are classified as non-enterprise activated must not be used to send, receive, store, or process sensitive/FOUO data and information.
Medium - V-30414 - SV-40119r1_rule
RMF Control
Severity
Medium
CCI
Version
WIR-SPP-013
Vuln IDs
  • V-30414
Rule IDs
  • SV-40119r1_rule
Some mobile devices, including some models of Windows 7, Android, iOS, and BlackBerry smartphones and tablets, are not authorized to store or process sensitive DoD data and information because they do not have required security controls to protect the data/information. There is a high risk sensitive data will be exposed to unauthorized personnel with access to the device. Sensitive DoD data or information is defined as any data/information that has not been approved for public release by the site/Command Public Affairs Officer (PAO).
IA Controls
ECWN-1
Checks: C-39066r1_chk

Mobile devices classified as non-enterprise activated are not authorized to send, receive, store, or process sensitive DoD information. Interview the IAO and 2-3 users who are using mobile devices that are managed by the site, which are not authorized to connect to DoD networks. Verify written policy and training material exists (or requirement is listed on a signed user agreement) stating mobile devices must not be used to send, receive, store, or process sensitive DoD data/information. Mark as a finding if written policy or training material does not exist or users are not aware of the requirement.

Fix: F-34177r1_fix

Develop a written policy and training material that states smartphones/tablets that are classified as non-enterprise activated must not be used to send, receive, store, or process sensitive/FOUO data and information.

A written policy and training material must exist that states smartphones/tablets classified as non-enterprise activated must not access DoD email systems.
Medium - V-30415 - SV-40120r1_rule
RMF Control
Severity
Medium
CCI
Version
WIR-SPP-014
Vuln IDs
  • V-30415
Rule IDs
  • SV-40120r1_rule
Some mobile devices, including some models of Windows 7, Android, iOS, and BlackBerry smartphones and tablets, are not authorized to connect to DoD email systems, because they do not have required security controls. There is a high risk of introducing malware on a DoD email system or compromising sensitive DoD data if these types of devices are connected to a DoD email system. There is a high risk sensitive data will be exposed to unauthorized personnel with access to the device if DoD email was viewed, processed, or stored on the device.
IA Controls
ECWN-1
Checks: C-39067r1_chk

Mobile devices classified as non-enterprise activated are not authorized to access DoD networks or store or process sensitive DoD information. Interview the IAO and 2-3 users who are using mobile OS devices that are managed by the site, which are not authorized to connect to DoD email systems. Verify written policy and training material exists (or requirement is listed on a signed user agreement) stating mobile devices must not be used to connect to a DoD email system. Mark as a finding if written policy or training material does not exist or users are not aware of the requirement.

Fix: F-34178r1_fix

Develop a written policy and training material that states smartphones/tablets classified as non-enterprise activated must not access DoD email systems.

The site must have a Personal Use Policy for site/Command managed or owned mobile devices (smartphones and tablets) approved by the site DAA.
Low - V-30416 - SV-40121r1_rule
RMF Control
Severity
Low
CCI
Version
WIR-SPP-015
Vuln IDs
  • V-30416
Rule IDs
  • SV-40121r1_rule
Malware can be introduced on a DoD enclave via personally owned applications and personal web site accounts. In addition, sensitive DoD data could be exposed by the same malware.
IA Controls
ECWN-1
Checks: C-39068r1_chk

Detailed Policy Requirements: The local site and/or Command must publish a Personal Use Policy for site/Command managed or owned mobile devices (smartphones and tablets). The policy will provide information on allowed personal use of site/Command mobile devices, including devices approved for connection to DoD networks and processing of sensitive data, and devices not approved for connection to DoD networks and processing of DoD data (for example, non-enterprise activated devices). The policy will be approved by the DAA based on a risk-based assessment. The assessment will consider costs to the command that could result from additional wireless service charges from personal usage of the device. The policy will cover the following topics:
-Installation of user owned and free commercial applications;
-Viewing and/or downloading personal email;
-Download of user owned data (music files, picture files, etc.);
-Connections to user social media accounts;
-The use of geo-location aware applications that save or transmit the location of the device. The use of geo-location aware applications should be based on an Operational Security (OPSEC) risk assessment;
-Connecting DoD managed mobile devices to personally owned computers (for example, a personally owned computer used to download personally owned files to the mobile device).

Check Procedures: Interview the IAO and determine if the site has a Personal Use Policy for site/Command managed or owned mobile devices (smartphones and tablets). Verify the policy has been signed or otherwise approved by the site DAA. Mark as a finding if a Personal Use Policy for site/Command managed or owned mobile devices (smartphones and tablets) does not exist or is not approved by the DAA.

Fix: F-34179r1_fix

Write a Personal Use Policy for site/Command managed or owned mobile devices (smartphones and tablets) and get DAA approval of the policy.