Mobile Device Policy Security Technical Implementation Guide (STIG)

  • Version/Release: V2R6
  • Published: 2019-05-21

This STIG provides policy, training, and operating procedure security controls for the use of mobile devices and systems in the DoD environment. This STIG applies to any mobile operating system device used to store, process, transmit, or receive DoD information. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
All wireless/mobile systems (including associated peripheral devices, operating system, applications, network/PC connection methods, and services) must be approved by the approval authority prior to installation and use for processing DoD information.
High - V-8283 - SV-8778r7_rule
RMF Control: (none listed)
Severity: High
CCI: (none listed)
Version: WIR0005
Vuln IDs:
  • V-8283
Rule IDs:
  • SV-8778r7_rule
Unauthorized wireless systems expose DoD networks to attack. The Authorizing Official (AO) and appropriate commanders must be aware of all wireless systems used at the site. AOs should ensure a risk assessment for each system, including associated services and peripherals, is conducted before approving. Accept risks only when needed to meet mission requirements.
Responsibility: Information Assurance Officer, Designated Approving Authority, Information Assurance Manager
Checks: C-3890r8_chk

1. Request copies of written AO approval documentation for wireless/mobile devices used by the site.
2. Verify AO approval for wireless/mobile devices in use at the site.
Note: The AO approval for wireless/mobile systems does not need to be documented separately from other AO approval documents for the site network, as long as the approval documents list the wireless/mobile systems in use at the site. For example, if a site network ATO lists the wireless system, the ATO meets the requirements of this check.
If the AO has not approved all wireless/mobile devices used at the site, this is a finding.

Fix: F-19194r4_fix

Obtain AO approval prior to wireless systems being installed and used.

Computers with an embedded wireless system must have the radio removed or otherwise physically disable the radio hardware before the computer is used to transfer, receive, store, or process classified information, unless the wireless system has been certified via the DoD Commercial Solutions for Classified (CSfC) program.
High - V-19813 - SV-21976r7_rule
RMF Control: (none listed)
Severity: High
CCI: (none listed)
Version: WIR0045
Vuln IDs:
  • V-19813
Rule IDs:
  • SV-21976r7_rule
With the increasing popularity of wireless networking, most laptops have wireless NICs (network interface cards) installed on the laptop motherboard. Although the system administrator may disable these embedded NICs, the user may purposefully or accidentally enable the device. These devices may also inadvertently transmit ambient sound or electronic signals. Therefore, simply disabling the transmit capability is an inadequate solution for computers processing classified information. In addition, embedded wireless cards do not meet DoD security requirements for classified wireless usage.
Responsibility: System Administrator, Information Assurance Officer
Checks: C-24829r8_chk

Interview the IAO and inspect a sample of laptops/PCs (check about 10% if possible, with priority to laptops) used at the site for classified data processing.
1. Ask if there are laptops/PCs used to process classified information that have embedded wireless NICs. No embedded wireless NICs are allowed, including WLAN, Bluetooth, WMAN, cellular, etc., unless the wireless radios have been physically disabled or the wireless system has been certified via the DoD CSfC program.
2. The NIC should be physically removed or physically disabled. Using methods such as tape or software disabling is not acceptable.
Interview the ISSO and determine if the site either bought laptops without wireless NICs (Wi-Fi, Bluetooth, WiMax, etc.) or physically removed or disabled the NICs from laptops. Verify the site has procedures in place to ensure laptops with wireless NICs are not used for classified data processing unless the NICs have been physically disabled or the wireless system is CSfC certified.
If laptops or other computers are used to process classified information and have a wireless NIC installed and the NIC is not physically disabled or the system is not CSfC certified, this is a finding. If this is a finding, recommend to the AO that this is a critical finding requiring immediate action.

Fix: F-20496r5_fix

Ensure computers with embedded wireless NICs that cannot be removed are not used to transfer, receive, store, or process classified information unless the NICs have been physically disabled or the wireless system is CSfC certified.

Site physical security policy must include a statement outlining whether mobile devices with digital cameras (still and video) are permitted or prohibited on or in this DoD facility.
Low - V-24953 - SV-30690r5_rule
RMF Control: (none listed)
Severity: Low
CCI: (none listed)
Version: WIR-SPP-001
Vuln IDs:
  • V-24953
Rule IDs:
  • SV-30690r5_rule
Mobile devices with cameras are easily used to photograph sensitive information and areas if not addressed. Sites must establish, document, and train on how to mitigate this threat.
Responsibility: System Administrator, Security Manager
Checks: C-31111r5_chk

This requirement applies to mobile operating system (OS) mobile devices. Work with the traditional reviewer to review the site’s physical security policy. Verify the policy addresses mobile devices (CMDs) with embedded cameras. If there is no written physical security policy outlining whether mobile devices with cameras are permitted or prohibited on or in this DoD facility, this is a finding.

Fix: F-27579r4_fix

Update the security documentation to include a statement outlining whether mobile devices with digital cameras (still and video) are allowed in the facility.

Publish data spill procedures for mobile devices
Medium - V-24955 - SV-30692r6_rule
RMF Control: (none listed)
Severity: Medium
CCI: (none listed)
Version: WIR-SPP-003-01
Vuln IDs:
  • V-24955
Rule IDs:
  • SV-30692r6_rule
When a data spill occurs on a mobile device, classified or sensitive data must be protected to prevent disclosure. After a data spill, the mobile device must either be wiped using approved procedures, or destroyed if no procedures are available, so classified or sensitive data is not exposed. If a data spill procedure is not published, the site may not use approved procedures to remediate after a data spill occurs and classified data could be exposed.
Responsibility: Other
Checks: C-31114r11_chk

Detailed Policy Requirements: This requirement applies to mobile operating system (OS) mobile devices. This requirement also applies to sensitive DoD information stored on mobile OS devices that are not authorized to connect to DoD networks or store/process sensitive DoD information. Sensitive DoD data or information is defined as any data/information that has not been approved for public release by the site/Command Public Affairs Officer (PAO). In accordance with DoD policy, all components must establish Incident Handling and Response procedures. A CMI or “data spill” occurs when a classified email is inadvertently sent on an unclassified network and received on a wireless email device. Classified information may also be transmitted through some other form of file transfer to include web browser downloads and files transferred through tethered connections. Mobile devices are not authorized for processing classified data. A data spill also occurs if a classified document is attached to an otherwise unclassified email. A data spill will only occur if the classified attached document is viewed or opened by the mobile device user since the mobile device system only downloads an attachment on the mobile device if the user views or opens the attachment. The site's Incident Handling and Response procedures should reference NSA/CSS Storage Device Declassification Manual 9-12, Section 5, for smartphone destruction procedures.

Check Procedures: Interview the ISSO. Verify classified incident handling, response, and reporting procedures are documented in site mobile device procedures or security policies. If classified incident handling, response, and reporting procedures are not documented in site mobile device procedures or security policies, this is a finding. This requirement applies at both sites where mobile devices are issued and managed and at sites where the mobile device management server is located.
- At the mobile device management server site, verify Incident Handling and Response procedures include actions to sanitize the mobile device management server and email servers (e.g., Exchange, Oracle mail).
- At mobile device sites, verify Incident Handling and Response procedures include actions for incident reporting and actions to safeguard classified smartphone devices.
The following actions will be followed for all mobile devices involved in a data spill:
If Incident Handling and Response procedures do not include required information, this is a finding.

Fix: F-27582r3_fix

Publish a Classified Message Incident (CMI) procedure or policy for the site.

If a data spill (Classified Message Incident (CMI)) occurs on a mobile device, the site must follow required data spill procedures.
High - V-24957 - SV-30694r6_rule
RMF Control: (none listed)
Severity: High
CCI: (none listed)
Version: WIR-SPP-003-02
Vuln IDs:
  • V-24957
Rule IDs:
  • SV-30694r6_rule
If required procedures are not followed after a data spill, classified data could be exposed to unauthorized personnel.
Responsibility: System Administrator
Checks: C-31115r9_chk

Detailed Policy Requirements: This requirement applies to mobile operating system (OS) mobile devices. This requirement also applies to sensitive DoD information stored on mobile OS devices that are not authorized to connect to DoD networks or store/process sensitive DoD information. Sensitive DoD data or information is defined as any data/information that has not been approved for public release by the site/Command Public Affairs Officer (PAO). If a data spill occurs on a mobile device, the following actions must be completed:
- The mobile device management server and email servers (i.e., Exchange, Oracle mail, etc.) are handled as classified systems until they are sanitized according to appropriate procedures. (See NSA/CSS Storage Device Declassification Manual 9-12 for sanitization procedures.)
- The mobile device is handled as a classified device and destroyed according to DoD guidance for destroying classified equipment or sanitized as directed in Check WIR-SPP-003-01.

Check Procedures: Interview the ISSO. Determine if the site has had a data spill within the previous 24 months. If yes, review written records, incident reports, and/or after action reports and determine if required procedures were followed. If the site had a data spill within the previous 24 months and required procedures were not followed, this is a finding.

Fix: F-27583r4_fix

Follow required procedures after a data spill occurs.

Required procedures must be followed for the disposal of mobile devices.
Low - V-24958 - SV-30695r7_rule
RMF Control: (none listed)
Severity: Low
CCI: (none listed)
Version: WIR-SPP-004
Vuln IDs:
  • V-24958
Rule IDs:
  • SV-30695r7_rule
If appropriate procedures are not followed prior to disposal of a mobile device, an adversary may be able to obtain sensitive DoD information or learn aspects of the configuration of the device that might facilitate a subsequent attack.
Responsibility: System Administrator
Checks: C-31118r9_chk

This requirement applies to mobile operating system (OS) mobile devices. Prior to disposing of a mobile device (for example, if a mobile device is transferred to another DoD or government agency), follow the disposal procedures found in the mobile operating system STIG Supplemental document. Interview the ISSO. Verify proper procedures are being followed and the procedures are documented. Check to see how retired, discarded, or transitioned mobile devices were disposed of during the previous 6 – 12 months and verify compliance with requirements. If procedures are not documented, or if they are documented but were not followed, this is a finding.

Fix: F-27586r4_fix

Follow required procedures prior to disposing of a mobile device or transitioning it to another user.

Mobile operating system (OS) based mobile devices and systems must not be used to send, receive, store, or process classified messages unless specifically approved by NSA for such purposes and NSA approved transmission and storage methods are used.
High - V-24960 - SV-30697r6_rule
RMF Control: (none listed)
Severity: High
CCI: (none listed)
Version: WIR-SPP-005
Vuln IDs:
  • V-24960
Rule IDs:
  • SV-30697r6_rule
DoDD 8100.2 states wireless devices will not be used for classified data unless approved for such use. Classified data could be exposed to unauthorized personnel.
Responsibility: System Administrator
Checks: C-31119r8_chk

Interview the ISSO. Verify written policy and training material exists (or the requirement is listed on a signed user agreement) stating if and when mobile devices can be used to transmit classified information. If no written policy or training material exists stating if and when mobile devices can be used to receive, transmit, or process classified information, this is a finding.

Fix: F-27587r6_fix

Publish written policy or training material stating if and when mobile devices can be used to process, send, or receive classified information.

Mobile device users must complete training on required content before being provided mobile devices or allowed access to DoD networks with a mobile device.
Low - V-24961 - SV-30698r7_rule
RMF Control: (none listed)
Severity: Low
CCI: (none listed)
Version: WIR-SPP-006-01
Vuln IDs:
  • V-24961
Rule IDs:
  • SV-30698r7_rule
Users are the first line of security controls for CMD systems. They must be trained in using CMD security controls or the system could be vulnerable to attack.
Responsibility: System Administrator
Checks: C-31120r21_chk

Detailed Policy Requirements: This requirement applies to mobile operating system (OS) CMDs. All mobile device users must receive required training on the following topics before they are provided a mobile device or allowed access to DoD networks with a mobile device.
a. Requirement that personally-owned mobile devices are not used to transmit, receive, store, or process DoD information unless approved by the AO and the owner signs a forfeiture agreement in case of a security incident.
b. Procedures for mobile device usage in and around classified processing areas.
c. Requirement that mobile devices with digital cameras (still and video) are not allowed in any SCIF or other areas where classified documents or information is stored, transmitted, or processed.
d. Procedures for a data spill.
e. Requirement that Over-The-Air (OTA) mobile device software updates should only come from DoD-approved sources.
f. When Wi-Fi is used, the following training will be completed:
   - Procedures for setting up a secure Wi-Fi connection and verifying the active connection is to a known access point.
   - Approved connection options (i.e., enterprise, home, etc.).
   - Requirements for home Wi-Fi connections.
   - The mobile device Wi-Fi radio will be disabled by the user whenever a Wi-Fi connection is not being used.
g. Do not discuss FOUO or classified information on non-secure (devices whose cryptographic modules protecting data in transit are not FIPS 140-2 certified or NSA Type-1 certified for voice) cellular phones, cordless phones, and two-way radios used for voice communications.
h. Do not connect mobile devices to any workstation.
i. The installation of user owned applications, including geo-location aware applications, on the mobile device will be based on the Command’s Mobile Device Personal Use Policy and AO approval.
j. The use of the mobile OS device to view and/or download personal email will be based on the Command’s Mobile Device Personal Use Policy and AO approval.
k. The download of user owned data (music files, picture files, etc.) on the mobile device will be based on the Command’s Mobile Device Personal Use Policy and AO approval.
l. All radios on the mobile device (Wi-Fi, Bluetooth, near-field communications (NFC)) must be turned off when not needed. This does not apply to radios supporting voice and data communication over a wireless carrier’s cellular network, in which case continuous connectivity is permissible.
m. Procedure on how to disable Location Services on the device. Location Services must be disabled for all applications or enabled only for applications approved by the AO for location based services.
Note: Listing training requirements in the User Agreement is an acceptable procedure for informing/training users on many of the required training topics.

Check Procedures:
- Review site mobile device training material to see if it contains the required content. Note: Some training content may be listed in the User Agreement signed by the user.
- Verify site training records show that mobile device users received required training and training occurred before the user was issued a mobile device. Check training records for approximately five users, picked at random.
If training material does not contain required content, this is a finding.

Fix: F-27591r4_fix

Have all mobile device users complete training on required content.

The site Incident Response Plan or other procedure must include procedures to follow when a mobile operating system (OS) based mobile device is reported lost or stolen.
Low - V-24962 - SV-30699r7_rule
RMF Control: (none listed)
Severity: Low
CCI: (none listed)
Version: WIR-SPP-007-01
Vuln IDs:
  • V-24962
Rule IDs:
  • SV-30699r7_rule
Sensitive DoD data could be stored in memory on a DoD operated mobile operating system (OS) based mobile device and the data could be compromised if required actions are not followed when a mobile device is lost or stolen. Without procedures for lost or stolen mobile operating system (OS) based mobile devices, it is more likely that an adversary could obtain the device and use it to access DoD networks or otherwise compromise DoD IA.
Responsibility: System Administrator
Checks: C-31122r10_chk

Detailed Policy Requirements: The site (location where mobile devices are issued and managed and the site where the mobile operating system (OS) based mobile device management server is located) must publish procedures to follow if a mobile device has been lost or stolen. The procedures should include (as appropriate):
- Mobile device user notifies ISSO, SM, and other site personnel, as required by the site’s Incident Response Plan, within the timeframe required by the site’s Incident Response Plan.
- The ISSO notifies the mobile device management server system administrator and other site personnel, as required by the site’s Incident Response Plan, within the timeframe required by the site’s Incident Response Plan.
- The site mobile device management server administrator sends a wipe command to the mobile device and then disables the user account on the management server or removes the mobile device from the user account.
- The site will contact the carrier to have the device deactivated on the carrier’s network.

Check Procedures: Interview the ISSO. Review the site’s Incident Response Plan or other policies to determine if the site has a written plan of action. If the site does not have a written plan of action following a lost or stolen mobile device, this is a finding.

Fix: F-27603r3_fix

Publish procedures to follow if a mobile operating system (OS) based mobile device is lost or stolen.

The mobile device system administrator must perform a wipe command on all new or reissued mobile devices and a STIG-compliant IT policy will be pushed to the device before issuing it to DoD personnel.
Low - V-24963 - SV-30700r6_rule
RMF Control: (none listed)
Severity: Low
CCI: (none listed)
Version: WIR-SPP-008-01
Vuln IDs:
  • V-24963
Rule IDs:
  • SV-30700r6_rule
Malware can be installed on the device at some point between shipping from the factory and delivery to DoD. The malware could result in the compromise of sensitive DoD information or result in the introduction of malware within the DoD network.
Responsibility: System Administrator
Checks: C-31126r8_chk

Detailed Policy Requirements: The mobile device system administrator must perform a wipe command on all new or reissued mobile devices, reload system software, and load a STIG-compliant security policy on the mobile device before issuing it to DoD personnel and placing the device on a DoD network. The intent is to return the device to the factory state before the DoD software baseline is installed. When wireless over-the-air (OTA) activation is performed, the activation password is passed to the user in a secure manner (e.g., activation password is encrypted and emailed to an individual).

Check Procedures: Interview the ISSO. Verify required procedures are followed. If required procedures were not followed, this is a finding.

Fix: F-27597r4_fix

Perform a wipe command on all new or reissued mobile devices.

Mobile device software updates must only originate from approved DoD sources.
Low - V-24964 - SV-30701r5_rule
RMF Control: (none listed)
Severity: Low
CCI: (none listed)
Version: WIR-SPP-008-02
Vuln IDs:
  • V-24964
Rule IDs:
  • SV-30701r5_rule
Users must not accept Over-The-Air (OTA) wireless software updates from the wireless carrier or other non-DoD sources unless the updates have been tested and approved by the ISSO. Unauthorized/unapproved software updates could include malware or cause a degradation of the security posture of the mobile device and DoD network infrastructure. All software updates should be reviewed and/or tested by the mobile device system administrator and originate from a DoD source or DoD-approved source. Mobile device software updates should be pushed from the mobile device management (MDM) server, when this feature is available.
Responsibility: System Administrator
Checks: C-31127r10_chk

Detailed Policy Requirements: Software updates must come from either DoD sources or DoD-approved sources. Mobile device system administrators should push OTA software updates from the MDM server, when this feature is available. Otherwise, the site administrator should verify the non-DoD source of the update has been approved by IT management.

Check Procedures: Interview the ISSO and MDM server system administrator.
- Verify the site mobile device handheld and MDM server administrators are aware of the requirements.
- Determine what procedures are used at the site for installing software updates on site-managed mobile devices.
If the site does not have procedures in place so users can download software updates from a DoD source or DoD-approved source, this is a finding.

Fix: F-27598r5_fix

Ensure mobile device software updates originate from DoD sources or approved non-DoD sources only. Users do not accept Over-The-Air (OTA) wireless software updates from non-approved sources.

Required actions must be followed at the site when a mobile device has been lost or stolen.
Low - V-24969 - SV-30706r6_rule
RMF Control: (none listed)
Severity: Low
CCI: (none listed)
Version: WIR-SPP-007-02
Vuln IDs:
  • V-24969
Rule IDs:
  • SV-30706r6_rule
If procedures for lost or stolen mobile devices are not followed, it is more likely that an adversary could obtain the device and use it to access DoD networks or otherwise compromise DoD IA.
Responsibility: System Administrator
Checks: C-31133r5_chk

Interview the ISSO. Determine if any site mobile devices were reported lost or stolen within the previous 24 months. If yes, review written records, incident reports, and/or after action reports and determine if required procedures were followed. If the site had a lost or stolen mobile device within the previous 24 months and required procedures were not followed, this is a finding.

Fix: F-27592r4_fix

Follow required actions when a mobile device is reported lost or stolen.

Mobile users must complete required training annually.
Low - V-28317 - SV-36045r6_rule
RMF Control: (none listed)
Severity: Low
CCI: (none listed)
Version: WIR-SPP-006-02
Vuln IDs:
  • V-28317
Rule IDs:
  • SV-36045r6_rule
Users are the first line of security controls for mobile device systems. They must be trained in using mobile device security controls or the system could be vulnerable to attack. If training is not renewed on an annual basis, users may not be informed of new security procedures or may forget previously trained procedures, which could lead to an exposure of sensitive DoD information.
Responsibility: System Administrator
Checks: C-35165r8_chk

This requirement applies to mobile operating system (OS) mobile devices. All mobile device users must receive required training annually. If training records do not show users receiving required training at least annually, this is a finding.

Fix: F-30413r3_fix

Complete required training annually for all mobile device users.

A security risk analysis must be performed on a mobile application by the Authorizing Official (AO) or AO-authorized authority prior to the application being approved for use.
High - V-32677 - SV-43023r5_rule
RMF Control: (none listed)
Severity: High
CCI: (none listed)
Version: WIR-SPP-021
Vuln IDs:
  • V-32677
Rule IDs:
  • SV-43023r5_rule
Non-approved applications can contain malware. Approved applications should be reviewed and tested by the AO to ensure they do not contain malware, spyware, or have unexpected features (e.g., send private information to a web site, track user actions, and connect to a non-DoD management server).
Responsibility: System Administrator
Checks: C-41050r10_chk

Detailed Requirements: Core applications are applications included in the mobile device operating system. Applications added by the device vendor and wireless carrier are not considered core applications. A security risk analysis must be performed by the AO or AO-approved approval authority prior to a mobile application being approved for use.
- The application review and approval process must include an evaluation of what OS level permissions are required by the application and how the application shares data and memory space with other applications. The review process must also ensure approved applications do not contain malware or share data stored on the mobile OS device with non-DoD servers.

Check Procedures: Ask the site for documentation showing what security risk analysis procedures are used by the AO prior to approving non-core applications for use. Determine if the procedures include an evaluation of the following:
- What OS level permissions are required by the application?
- The application does not contain malware.
- The application does not share data stored on the CMDs with non-DoD servers.
- If the application stores sensitive data, the application data storage container uses a FIPS 140-2 validated cryptographic module.
If a security review was not conducted on approved applications or the application security risk review procedures do not contain the required risk assessment evaluation tasks, this is a finding.

Fix: F-36582r3_fix

Have AO or Command IT CCB use the required procedures to review mobile applications prior to approving them.

Personally owned or contractor owned mobile devices must not be used to transmit, receive, store, or process DoD information or connect to DoD networks.
Medium - V-94847 - SV-104677r1_rule
RMF Control: (none listed)
Severity: Medium
CCI: (none listed)
Version: WIR0010-01
Vuln IDs:
  • V-94847
Rule IDs:
  • SV-104677r1_rule
The use of unauthorized personally-owned CMDs to receive, store, process, or transmit DoD data could expose sensitive DoD data to unauthorized people. The DoD CIO currently prohibits the use of personally owned or contractor owned mobile devices (Bring Your Own Device – BYOD).
Checks: C-94043r1_chk

Interview the site IAM and IAO and determine if personally owned or contractor owned CMDs (Bring Your Own Device – BYOD) are used at the site to transmit, receive, store, or process DoD information or connect to DoD networks. Mark as a finding if personally owned or contractor owned CMDs (Bring Your Own Device – BYOD) are used to transmit, receive, store, or process DoD information or connect to DoD networks.

Fix: F-100971r1_fix

Prohibit use of personally owned or contractor owned mobile devices (Bring Your Own Device – BYOD) at the site to transmit, receive, store, or process DoD information or connect to DoD networks.

All users of mobile devices or wireless devices must sign a user agreement before the mobile or wireless device is issued to the user and the user agreement used at the site must include required content.
Low - V-94849 - SV-104679r1_rule
RMF Control: (none listed)
Severity: Low
CCI: (none listed)
Version: WIR0030
Vuln IDs:
  • V-94849
Rule IDs:
  • SV-104679r1_rule
Lack of user training and understanding of responsibilities to safeguard wireless technology is a significant vulnerability to the enclave. Once policies are established, users must be trained to these requirements or the risk to the network remains. User agreements are particularly important for mobile and remote users since there is a high risk of loss, theft, or compromise. Thus, this signed agreement is a good best practice to help ensure the site is confirming the user is aware of the risks and proper procedures.
Checks: C-94045r1_chk

Additional Policy Requirements: The user agreements must include Authorizing Official (AO) authorized tasks for the mobile device and relevant security requirements, including, but not limited to, the following:

1. DoD CIO Memorandum, “Policy on Use of Department of Defense (DoD) Information Systems Standard Consent Banner and User Agreement,” 09 May 2008 directs the following content will be included in a site User Agreement:

STANDARD MANDATORY NOTICE AND CONSENT PROVISION FOR ALL DOD INFORMATION SYSTEM USER AGREEMENTS

By signing this document, you acknowledge and consent that when you access Department of Defense (DoD) information systems:
- You are accessing a U.S. Government (USG) information system (IS) (which includes any device attached to this information system) that is provided for U.S. Government authorized use only.
- You consent to the following conditions:
  o The U.S. Government routinely intercepts and monitors communications on this information system for purposes including, but not limited to, penetration testing, communications security (COMSEC) monitoring, network operations and defense, personal misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
  o At any time, the U.S. Government may inspect and seize data stored on this information system.
  o Communications using, or data stored on, this information system are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any U.S. Government-authorized purpose.
  o This information system includes security measures (e.g., authentication and access controls) to protect U.S. Government interests--not for your personal benefit or privacy.
  o Notwithstanding the above, using an information system does not constitute consent to personnel misconduct, law enforcement, or counterintelligence investigative searching or monitoring of the content of privileged communications or data (including work product) that are related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Under these circumstances, such communications and work product are private and confidential, as further explained below:
    - Nothing in this User Agreement shall be interpreted to limit the user's consent to, or in any other way restrict or affect, any U.S. Government actions for purposes of network administration, operation, protection, or defense, or for communications security. This includes all communications and data on an information system, regardless of any applicable privilege or confidentiality.
    - The user consents to interception/capture and seizure of ALL communications and data for any authorized purpose (including personal misconduct, law enforcement, or counterintelligence investigation). However, consent to interception/capture or seizure of communications and data is not consent to the use of privileged communications or data for personnel misconduct, law enforcement, or counterintelligence investigation against any party and does not negate any applicable privilege or confidentiality that otherwise applies.
    - Whether any particular communication or data qualifies for the protection of a privilege, or is covered by a duty of confidentiality, is determined in accordance with established legal standards and DoD policy. Users are strongly encouraged to seek personal legal counsel on such matters prior to using an information system if the user intends to rely on the protections of a privilege or confidentiality.
    - Users should take reasonable steps to identify such communications or data that the user asserts are protected by any such privilege or confidentiality. However, the user's identification or assertion of a privilege or confidentiality is not sufficient to create such protection where none exists under established legal standards and DoD policy.
    - A user's failure to take reasonable steps to identify such communications or data as privileged or confidential does not waive the privilege or confidentiality if such protections otherwise exist under established legal standards and DoD policy. However, in such cases the U.S. Government is authorized to take reasonable actions to identify such communication or data as being subject to a privilege or confidentiality, and such actions do not negate any applicable privilege or confidentiality.
    - These conditions preserve the confidentiality of the communication or data, and the legal protections regarding the use and disclosure of privileged information, and thus such communications and data are private and confidential. Further, the U.S. Government shall take all reasonable measures to protect the content of captured/seized privileged communications and data to ensure they are appropriately protected.
  o In cases when the user has consented to content searching or monitoring of communications or data for personnel misconduct, law enforcement, or counterintelligence investigative searching, (i.e., for all communications and data other than privileged communications or data that are related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants), the U.S. Government may, solely at its discretion and in accordance with DoD policy, elect to apply a privilege or other restriction on the U.S. Government's otherwise-authorized use or disclosure of such information.
  o All of the above conditions apply regardless of whether the access or use of an information system includes the display of a Notice and Consent Banner ("banner"). When a banner is used, the banner functions to remind the user of the conditions that are set forth in this User Agreement, regardless of whether the banner describes these conditions in full detail or provides a summary of such conditions, and regardless of whether the banner expressly references this User Agreement.

2. DoD sites are required to add the following to all site User Agreements:
- The agreement should contain the type of access required by the user (privileged, end-user, etc.).
- The agreement should contain the responsibilities, liabilities, and security measures (e.g., malicious code detection training) involved in the use of the wireless remote access device.
- Incident handling and reporting procedures will be identified along with a designated point of contact.
- The remote user can be held responsible for damage caused to a Government system or data through negligence or a willful act.
- The policy should contain general security requirements and practices, which are acknowledged and signed by the remote user.
- If classified devices are used for remote access from an alternative work site, the remote user will adhere to DoD policy in regard to facility clearances, protection, storage, distributing, etc.
- Government owned hardware and software is used for official duties only. The employee is the only individual authorized to use this equipment.
- User agrees to complete required wireless device training annually.

Check Procedures:
1. Inspect a copy of the site’s user agreement.
2. Verify the user agreement has the minimum elements described in the STIG policy.
3. Select 10 names of assigned site personnel and verify they have a signed user agreement on file for assigned wireless equipment (e.g., wireless laptop, smartphone, tablet, etc.).
If site user agreements do not exist or are not compliant with the minimum requirements, this is a finding.

Fix: F-100973r1_fix

Implement User Agreement with required content. Have all users sign a User Agreement.

Unclassified wireless devices must not be operated in Secure Spaces (as defined in DoDI 8420.01) unless required conditions are followed.
Medium - V-94851 - SV-104681r1_rule
RMF Control
Severity
Medium
CCI
Version
WIR0040
Vuln IDs
  • V-94851
Rule IDs
  • SV-104681r1_rule
The operation of electronic equipment and emanations must be controlled in and around areas where sensitive information is kept or processed. Sites should post signs and train users to this requirement to mitigate this vulnerability.
Checks: C-94047r1_chk

Detailed Policy Requirements:

Note: This requirement does not apply to NSA-approved classified WLAN systems or SCIFs.

The ISSO will ensure wireless devices are not operated in areas where classified information is electronically stored, processed, or transmitted unless:
- Approved by the Authorizing Official (AO) in consultation with the Certified TEMPEST Technical Authority (CTTA).
- The wireless equipment is separated from the classified data equipment at the minimum distance determined by the CTTA and appropriate countermeasures, as determined by the CTTA, are implemented.

Check Procedures: Review documentation. Work with the traditional security reviewer to verify the following:
1. If classified information is not processed at this site, mark as not a finding.
2. If the site has a written procedure prohibiting the use of wireless devices in areas where classified data processing occurs, mark as not a finding. Otherwise, ask for documentation showing the CTTA was consulted about operation and placement of wireless devices. Acceptable proof would be the signature or initials of the CTTA on the architecture diagram or other evidence of coordination. IAW DoD policy, the CTTA must have a written separation policy for each classified area.
3. Review written policies, training material, or user agreements to see if wireless usage in these areas is addressed.
4. Verify proper procedures for wireless device use in classified areas are addressed in the training program.

If wireless devices are used in or around classified processing areas but the CTTA has not designated a separation distance in writing, the AO has not coordinated with the CTTA, or users are not trained or made aware (using signage or user agreement) of procedures for wireless device usage in and around classified processing areas, this is a finding.

Fix: F-100975r1_fix

Have the Certified TEMPEST Technical Authority (CTTA) designate, in writing, a separation distance between wireless devices and classified data-processing equipment. The AO must coordinate with the CTTA. Train users or obtain a signed user agreement on procedures for wireless device usage in and around classified processing areas.