Commercial Mobile Device (CMD) Policy Security Technical Implementation Guide (STIG)
- Severity: L
- Version: WIR-SPP-001
- Vuln IDs: V-24953
- Rule IDs: SV-30690r3_rule
Checks: C-31111r3_chk
This requirement applies to mobile operating system (OS) CMDs. Work with the traditional reviewer to review the site's physical security policy. Verify the site addresses CMDs with embedded cameras. Mark this as a finding if there is no written physical security policy outlining whether CMDs with cameras are permitted or prohibited on or in this DoD facility.
Fix: F-27579r3_fix
Update the security documentation to include a statement outlining whether CMDs with digital cameras (still and video) are allowed in the facility.
- Severity: M
- Version: WIR-SPP-003-01
- Vuln IDs: V-24955
- Rule IDs: SV-30692r4_rule
Checks: C-31114r4_chk
Detailed Policy Requirements: This requirement applies to mobile operating system (OS) CMDs. It also applies to sensitive DoD information stored on mobile OS devices that are not authorized to connect to DoD networks or store/process sensitive DoD information. Sensitive DoD data or information is defined as any data/information that has not been approved for public release by the site/Command Public Affairs Officer (PAO).

In accordance with DoD policy, all components must establish Incident Handling and Response procedures. A CMI or "data spill" occurs when a classified email is inadvertently sent on an unclassified network and received on a wireless email device. Classified information may also be transmitted through some other form of file transfer, including web browser downloads and files transferred through tethered connections. CMDs are not authorized for processing classified data. A data spill also occurs if a classified document is attached to an otherwise unclassified email. For BlackBerry and Good Mobile Messaging systems, a data spill only occurs if the classified attached document is viewed or opened by the CMD user, since the CMD system only downloads an attachment to the CMD when the user views or opens it. The site's Incident Handling and Response procedures should reference NSA/CSS Storage Device Declassification Manual 9-12, Section 5, for smartphone destruction procedures.

Check Procedures: Interview the IAO. Verify classified incident handling, response, and reporting procedures are documented in site CMD procedures or security policies. Mark as a finding if classified incident handling, response, and reporting procedures are not documented in site CMD procedures or security policies. This requirement applies both at sites where CMDs are issued and managed and at sites where the CMD management server is located.
- At the CMD management server site, verify Incident Handling and Response procedures include actions to sanitize the CMD management server and email servers (e.g., Exchange, Oracle mail).
- At CMD sites, verify Incident Handling and Response procedures include actions for incident reporting and actions to safeguard classified smartphone devices. The following actions will be followed for all CMDs involved in a data spill:
  - BlackBerry CMDs: follow the procedures in the DoD Data Spill Procedures Guide for BlackBerry Smartphones located at http://iase.disa.mil/stigs/net_perimeter/wireless/smartphone.html.
  - Windows Mobile, Android, and iOS CMDs: the CMD will be destroyed.
Mark as a finding if Incident Handling and Response procedures do not include the required information.
Fix: F-27582r3_fix
Publish a Classified Message Incident (CMI) procedure or policy for the site.
- Severity: H
- Version: WIR-SPP-003-02
- Vuln IDs: V-24957
- Rule IDs: SV-30694r3_rule
Checks: C-31115r3_chk
Detailed Policy Requirements: This requirement applies to mobile operating system (OS) CMDs. It also applies to sensitive DoD information stored on mobile OS devices that are not authorized to connect to DoD networks or store/process sensitive DoD information. Sensitive DoD data or information is defined as any data/information that has not been approved for public release by the site/Command Public Affairs Officer (PAO). If a data spill occurs on a CMD, the following actions must be completed:
- The CMD management server and email servers (i.e., Exchange, Oracle mail, etc.) are handled as classified systems until they are sanitized according to appropriate procedures. (See NSA/CSS Storage Device Declassification Manual 9-12 for sanitization procedures.)
- The CMD is handled as a classified device and destroyed according to DoD guidance for destroying classified equipment, or sanitized as directed in Check WIR-SPP-003-01.
Check Procedures: Interview the IAO. Determine if the site has had a data spill within the previous 24 months. If yes, review written records, incident reports, and/or after action reports and determine if required procedures were followed. Mark as a finding if the site had a data spill within the previous 24 months and required procedures were not followed.
Fix: F-27583r4_fix
Follow required procedures after a data spill occurs.
- Severity: L
- Version: WIR-SPP-004
- Vuln IDs: V-24958
- Rule IDs: SV-30695r4_rule
Checks: C-31118r5_chk
This requirement applies to mobile operating system (OS) CMDs. Prior to disposing of a CMD (for example, if a CMD is transferred to another DoD or government agency), follow the disposal procedures found in the STIG Technology Overview document of the STIG for the CMD of interest. For example, look in the BlackBerry Overview document in the BlackBerry STIG for the disposal procedures for a BlackBerry smartphone. Interview the IAO. Verify proper procedures are being followed and the procedures are documented. Check how retired, discarded, or transitioned CMDs were disposed of during the previous 6 – 12 months and verify compliance with requirements. Mark as a finding if procedures are not documented or, if documented, they were not followed.
Fix: F-27586r3_fix
Follow required procedures prior to disposing of a CMD or transitioning it to another user.
- Severity: H
- Version: WIR-SPP-005
- Vuln IDs: V-24960
- Rule IDs: SV-30697r3_rule
Checks: C-31119r4_chk
Interview the IAO. Verify written policy and training material exists (or the requirement is listed on a signed user agreement) stating CMDs must not be used to transmit classified information unless approved for use. Mark as a finding if written policy or training material does not exist stating CMDs must not be used to receive, transmit, or process classified information.
Fix: F-27587r4_fix
Publish written policy or training material stating CMDs must not process, send, or receive classified information unless approved for use.
- Severity: L
- Version: WIR-SPP-006-01
- Vuln IDs: V-24961
- Rule IDs: SV-30698r4_rule
Checks: C-31120r13_chk
Detailed Policy Requirements: This requirement applies to mobile operating system (OS) CMDs. All mobile device users must receive required training on the following topics before they are provided a mobile device or allowed access to DoD networks with a mobile device. Training is divided into two groups: Group A (general topics) and Group B (device specific topics). DISA's Smartphones and Tablets security course satisfies the requirement for Group A training topics. The course is located at: http://iase.disa.mil/eta/smartphone_tablet_v1/launchpage.htm.

Group A – General Topics
a. Requirement that personally-owned PEDs are not used to transmit, receive, store, or process DoD information unless approved by the DAA and the owner signs a forfeiture agreement in case of a security incident.
b. Procedures for wireless device usage in and around classified processing areas.
c. Requirement that PEDs with digital cameras (still and video) are not allowed in any SCIF or other areas where classified documents or information is stored, transmitted, or processed.
d. Procedures for a data spill.
e. Requirement that wireless email devices and systems are not used to send, receive, store, or process classified messages (does not apply to the SME PED).
f. Requirement that CMDs and systems will not be connected to classified DoD networks or information systems.
g. Requirement that a user immediately notify appropriate site contacts (i.e., IAO, CMD management server administrator, supervisor, etc.) when his/her CMD has been lost or stolen.
h. Secure Bluetooth Smart Card Reader (SCR) usage:
  - Secure pairing procedures.
  - Perform secure pairing immediately after the SCR is reset.
  - Accept only Bluetooth connection requests from devices they control.
  - Monitor Bluetooth connection requests and activity in order to detect possible attacks and unauthorized activity.
i. Procedures on how to sign and encrypt email.
j. If Short Message Service (SMS) and/or Multi-media Messaging Service (MMS) are used, IA awareness training material should include SMS/MMS security issues.
k. Requirement that Over-The-Air (OTA) wireless software updates should only come from DoD approved sources.
l. When CMD Wi-Fi Service is used, the following training will be completed:
  - Procedures for setting up a secure Wi-Fi connection and verifying the active connection is to a known access point.
  - Approved connection options (i.e., enterprise, home, etc.).
  - Requirements for home Wi-Fi connections.
  - The Wi-Fi radio will be disabled by the user whenever a Wi-Fi connection is not being used.
  - The Wi-Fi radio must never be enabled while the CMD is connected to a PC.
m. Do not discuss sensitive or classified information on non-secure (devices not FIPS 140-2 certified or NSA Type-1 certified for voice) cellular phones, cordless phones, and two-way radios used for voice communications.
n. Do not connect PDAs, smartphones, and tablets to any workstation that stores, processes, or transmits classified data. (Exception: SME PED.)
o. The installation of user owned applications, including geo-location aware applications, on the mobile device will be based on the Command's Mobile Device Personal Use Policy.
p. The use of the mobile OS device to view and/or download personal email will be based on the Command's Mobile Device Personal Use Policy.
q. The download of user owned data (music files, picture files, etc.) on the mobile device will be based on the Command's Mobile Device Personal Use Policy.
r. The use of the mobile device to connect to user social media web accounts will be based on the Command's Mobile Device Personal Use Policy.
s. When the Bluetooth radio is authorized for use with an approved smartcard reader or handsfree headset, the user will disable the Bluetooth radio whenever a Bluetooth connection is not being used.
t. All radios on the mobile device (Wi-Fi, Bluetooth, near-field communications (NFC)) must be turned off when not needed.
u. Procedure on how to disable Location Services on the device. Location Services must be disabled for all applications or enabled only for applications approved by the DAA for location based services.

Group B – Device Specific Topics
Additional BlackBerry requirements:
a. If the use of the BlackBerry Keeper is approved by the DAA, users are trained on password configuration and change requirements.
  - Passwords must be changed at least every 90 days.
b. When the SCR is used with a PC, users with PC administrative rights will not disable the RIM Bluetooth Lockdown tool on the PC.
c. When using an approved Bluetooth headset or handsfree device, the following procedures will be followed:
  - The user will pair only an approved device to the BlackBerry handheld.
  - If the user receives a request for Bluetooth pairing on their BlackBerry handheld from a Bluetooth device other than their smart card reader (CAC reader) or headset, the request will not be accepted by the user.
  - Pairing of a Bluetooth headset with the BlackBerry handheld will be completed in a non-public area whenever possible.
Additional iOS device (iPhone and iPad) requirements:
a. Procedure on how to disable the device Bluetooth radio when not being used.
b. Procedure on how to disable the device Wi-Fi radio when not being used.
c. Procedure to disable the "Ask to Join Networks" Wi-Fi feature. This feature must be disabled at all times.
d. iMessage should be considered an unsecure messaging application, similar to cellular SMS. Sensitive information should not be sent via iMessage.
e. Procedure for not allowing applications access to PIM data (calendar, address book, etc.) when prompted during application install. The only allowed exception is for the secure email application (for example, the Good application).
f. Procedure for not allowing applications access to iOS device Personal Information Manager (PIM) data (calendar, contacts, notes, etc.) when prompted during application installation. The only allowed exception is for the DoD email application (for example, the Good Technology app).
Additional Android requirements:
a. Procedure on how to disable the device Bluetooth radio when not being used.
b. Procedure on how to disable the device Wi-Fi radio when not being used.
Additional training requirements for mobile devices not authorized to connect to a DoD network or store/process sensitive DoD information (Non-Enterprise Activated):
a. Mobile Device (Non-Enterprise Activated) must not be connected to a DoD wired or wireless network. Allowed exception: the device can be connected to a DoD managed Internet-Gateway-only connected Wi-Fi access point (AP).
b. Mobile Device (Non-Enterprise Activated) must not have sensitive or classified data stored or processed on the device.
c. Mobile Device (Non-Enterprise Activated) must not be used to connect to a DoD email system.
d. The user will read and be familiar with the Personal Use Policy that the local site and/or Command must publish for site/Command managed or owned CMDs.
Additional BlackBerry PlayBook Tablet requirements: When using BlackBerry Bridge, the user will not attach files saved on the PlayBook to email messages sent on the BlackBerry smartphone.
Note: Listing training requirements in the User Agreement is an acceptable procedure for informing/training users on many of the required training topics.

Check Procedures:
- Review site CMD training material to see if it contains the required content. Note: Some training content may be listed in the User Agreement signed by the user.
- Verify site training records show that CMD users received required training and training occurred before the user was issued a CMD. Check training records for approximately five users, picked at random.
Mark as a finding if training material does not contain required content.
Fix: F-27591r4_fix
Have all mobile device users complete training on required content.
- Severity: L
- Version: WIR-SPP-007-01
- Vuln IDs: V-24962
- Rule IDs: SV-30699r4_rule
Checks: C-31122r4_chk
Detailed Policy Requirements: The site (the location where CMDs are issued and managed, and the site where the mobile operating system (OS) based CMD management server is located) must publish procedures to follow if a CMD has been lost or stolen. The procedures should include (as appropriate):
- The mobile device user notifies the IAO, SM, and other site personnel, as required by the site's Incident Response Plan, within the timeframe required by the site's Incident Response Plan.
- The IAO notifies the mobile device management server system administrator and other site personnel, as required by the site's Incident Response Plan, within the timeframe required by the site's Incident Response Plan.
- The site mobile device management server administrator sends a wipe command to the CMD and then disables the user account on the management server or removes the CMD from the user account.
- The site contacts the carrier to have the device deactivated on the carrier's network.
Check Procedures: Interview the IAO. Review the site's Incident Response Plan or other policies and determine if the site has a written plan of action. Mark as a finding if the site does not have a written plan of action following a lost or stolen CMD.
Fix: F-27603r2_fix
Publish procedures to follow if a mobile operating system (OS) based CMD is lost or stolen.
- Severity: L
- Version: WIR-SPP-008-01
- Vuln IDs: V-24963
- Rule IDs: SV-30700r3_rule
Checks: C-31126r5_chk
Detailed Policy Requirements: The CMD system administrator must perform a wipe command on all new or reissued CMDs, reload system software, and load a STIG-compliant security policy on the CMD before issuing it to DoD personnel and placing the device on a DoD network. The intent is to return the device to the factory state before the DoD software baseline is installed. When wireless activation is performed, the activation password is passed to the user in a secure manner (e.g., the activation password is encrypted and emailed to an individual).
Check Procedures: Interview the IAO. Verify required procedures are followed. Mark as a finding if required procedures were not followed.
Fix: F-27597r3_fix
Perform a wipe command on all new or reissued mobile devices.
- Severity: L
- Version: WIR-SPP-008-02
- Vuln IDs: V-24964
- Rule IDs: SV-30701r3_rule
Checks: C-31127r5_chk
Detailed Policy Requirements: Software updates must come from either DoD sources or DoD approved sources. CMD system administrators should push OTA software updates from the CMD management server when this feature is available. Otherwise, the site administrator should verify the non-DoD source of the update has been approved by IT management.
Check Procedures: Interview the IAO and CMD management server system administrator.
- Verify the site mobile device handheld and mobile device management server administrators are aware of the requirements.
- Determine what procedures are used at the site for installing software updates on site-managed CMDs.
Mark as a finding if the site does not have procedures in place so users can download software updates from a DoD source or DoD approved source.
Fix: F-27598r3_fix
Ensure CMD software updates originate from DoD sources or approved non-DoD sources only. Users do not accept Over-The-Air (OTA) wireless software updates from non-approved sources.
- Severity: M
- Version: WIR-SPP-009
- Vuln IDs: V-24965
- Rule IDs: SV-30702r3_rule
Checks: C-31129r7_chk
Interview the IAO or CMD system administrator and determine if CMD IM is used on site-managed CMDs. If yes, determine what server the CMD IM system connects to.
- The server should be managed by a DoD site.
- The IM system must be compliant with the Instant Messaging STIG.
Mark as a finding if the IM server the CMD IM app connects to is not managed by a DoD site and is not compliant with the IM STIG.
Fix: F-27600r2_fix
Ensure the IM client application connects only to a DoD controlled IM server compliant with the Instant Messaging STIG.
- Severity: L
- Version: WIR-SPP-010
- Vuln IDs: V-24966
- Rule IDs: SV-30703r4_rule
Checks: C-31130r5_chk
Detailed Policy Requirements: The site wireless security policy or wireless remote access policy shall include information on locations where CMD Wi-Fi access is approved or disapproved. The following locations will be specifically listed in the policy:
- Site-managed Wi-Fi access point connected to the NIPRNet (Enclave-NIPRNet Connected).
- Site-managed Wi-Fi access point connected to the Internet only (Internet Gateway Only Connection).
- Public Wi-Fi Hotspot.
- Hotel Wi-Fi Hotspot.
- Home Wi-Fi network (user managed).
Note: DoD CMDs will not be used to connect to Public or Hotel Hotspots.
Check Procedures: Review the site policy. Verify it contains the required information. Mark as a finding if the site policy does not include information on required CMD Wi-Fi security controls.
Fix: F-27601r3_fix
Publish CMD Wi-Fi security policy that includes information on required CMD Wi-Fi security controls.
- Severity: L
- Version: WIR-SPP-011
- Vuln IDs: V-24968
- Rule IDs: SV-30705r4_rule
Checks: C-31132r6_chk
The DAA may approve the use of software certificates until approved CAC readers are available and can be purchased and fielded by the site. If user software certificates are used on site managed CMDs instead of the CAC, verify the DAA has approved their use (in a letter, memo, SSP, etc.) and that a DoD-approved CAC reader is not available for the CMD. Mark as a finding if the site uses software certificates on site managed CMDs and the DAA has not approved their use. Mark as a finding if the site uses DoD PKI digital certificates natively on a mobile device.
Fix: F-27602r1_fix
Obtain DAA approval for the use of software certificates or purchase approved CAC readers.
- Severity: L
- Version: WIR-SPP-007-02
- Vuln IDs: V-24969
- Rule IDs: SV-30706r4_rule
Checks: C-31133r2_chk
Interview the IAO. Determine if any site mobile devices were reported lost or stolen within the previous 24 months. If yes, review written records, incident reports, and/or after action reports and determine if required procedures were followed. Mark as a finding if the site had a lost or stolen mobile device within the previous 24 months and required procedures were not followed.
Fix: F-27592r3_fix
Follow required actions when a CMD is reported lost or stolen.
- Severity: L
- Version: WIR-WRA-001
- Vuln IDs: V-25034
- Rule IDs: SV-30836r4_rule
Checks: C-31258r7_chk
Detailed Policy Requirements: The IAO and the site wireless device administrator must ensure all wireless remote access users receive training on the following topics before they are authorized to access a DoD network via a wireless remote access device:
- Maintaining physical control of the device.
- Reducing exposure of sensitive data.
- User authentication and content encryption requirements.
- Enabling wireless interfaces only when needed.
- Enabling the VPN connection to the DoD network immediately after establishing a wireless connection (using an approved VPN client).
- All Internet browsing will be done via the VPN connection to the DoD network.
- No split tunneling of the VPN.
- Locations where wireless remote access is authorized or not authorized (i.e., home, airport, hotel, etc.).
- Wireless client configuration requirements.
- Use of WPA2 Personal (AES) on the home WLAN.
- Home WLAN password and SSID requirements.
- Discontinue the use of devices suspected of being tampered with and notify the site IAO.
Check Procedures: Review site wireless device and/or IA awareness training material to verify it contains the required content. Note: Some training content may be listed in the User Agreement signed by the user. Verify site training records show authorized wireless remote access users received required training and training occurred before the users were issued a device. Check training records for approximately five users, picked at random. Mark as a finding if wireless remote access users have not received required training.
Fix: F-27724r2_fix
Complete required training.
- Severity: L
- Version: WIR-WRA-002
- Vuln IDs: V-25035
- Rule IDs: SV-30837r4_rule
Checks: C-31259r4_chk
Detailed Policy Requirements: A site's Remote Access Policy will be written and signed by the site DAA, Commander, Director, or other appropriate manager. It is recommended that the policy include the required security controls for the DoD-owned/operated wireless client (PDA, smartphone, or tablet):
- Device unlock password requirements.
- Client software patches kept up to date.
- Internet browsing through the enterprise Internet gateway.
- Device security policy managed by a centrally-managed policy manager.
- Procedures after the client is lost, stolen, or another security incident occurs.
- Configuration requirements of the wireless client.
- Home WLAN authentication requirements.
- Home WLAN SSID requirements.
- Separate WLAN access point required for the home WLAN.
- 8+-character authentication password required for the home WLAN.
- Use of third-party Internet portals (kiosks) (approved or not approved).
- Use of personally-owned or contractor-owned client devices (approved or not approved).
- Implementation of a health check of the client device before connection is allowed.
- Places where remote access is approved (home, hotels, airport, etc.).
- Roles and responsibilities:
  - Which users or groups of users are and are not authorized to use the organization's WLANs.
  - Which parties are authorized and responsible for installing and configuring APs and other WLAN equipment.
- WLAN infrastructure security:
  - Physical security requirements for WLANs and WLAN devices, including limitations on the service areas of WLANs.
  - Types of information that may and may not be sent over WLANs, including acceptable use guidelines.
- WLAN client device security:
  - The conditions under which WLAN client devices are and are not allowed to be used and operated.
  - Standard hardware and software configurations that must be implemented on WLAN client devices to ensure the appropriate level of security.
  - Limitations on how and when a WLAN client device may be used, such as specific locations.
  - Avoid connecting to WLAN access points with WEP security due to the security issues with this protocol.
- Guidelines on reporting losses of WLAN client devices and reporting WLAN security incidents.
- Guidelines for the protection of WLAN client devices to reduce theft.
Check Procedures: Interview the IAO and/or the site wireless device administrator and determine if the site has a wireless remote access policy (or a wireless section in a general remote access policy). Verify the policy has been signed by the site DAA, Commander, Director, or other appropriate managers. Mark as a finding if a wireless remote access policy does not exist or is not signed.
Fix: F-27725r3_fix
Publish Wireless Remote Access Policy signed by the site DAA, Commander, Director, or other appropriate authority.
- Severity: L
- Version: WIR-WRA-003
- Vuln IDs: V-25036
- Rule IDs: SV-30838r3_rule
Checks: C-31260r4_chk
This requirement applies to mobile operating system (OS) CMDs. Work with the traditional reviewer to review the site's physical security policy. Verify the site addresses CMDs with embedded cameras. Mark this as a finding if there is no written physical security policy outlining whether CMDs with cameras (still and video) are permitted or prohibited on or in the DoD facility.
Fix: F-27726r5_fix
Publish a site physical security policy that includes a statement if CMDs with cameras (still and video) are permitted or prohibited on or in the DoD facility.
- Severity: L
- Version: WIR-SPP-006-02
- Vuln IDs: V-28317
- Rule IDs: SV-36045r4_rule
Checks: C-35165r4_chk
This requirement applies to mobile operating system (OS) CMDs. All CMD users must receive required training annually. Mark as a finding if training records do not show users receiving required training at least annually.
Fix: F-30413r2_fix
Complete required training annually for all CMD users.
- Severity: M
- Version: WIR-SPP-020
- Vuln IDs: V-32674
- Rule IDs: SV-43020r2_rule
Checks: C-41049r3_chk
Core applications are applications included in the CMD operating system. Applications added by the wireless carrier are not considered core applications. All non-core applications on the CMD must be approved by the DAA or the Command IT Configuration Control Board.
- Select 3-4 random devices managed by the site to review.
- Make a list of non-core applications on each device.
  - Have the user log into the device. View all App icons on the home screen or in folders on the home screen.
  - If an App is not in the list of core Apps (see below), note the name of the App.
  - Verify the site has written approval to use the App from the DAA or site IT CCB.
- Mark as a finding if any App has not been approved.
A list of standard core mobile OS applications can be found in the handset's mobile device manual.
Fix: F-36581r1_fix
Have DAA or Command IT CCB review and approve all non-core applications on mobile OS devices.
- Severity: H
- Version: WIR-SPP-021
- Vuln IDs: V-32677
- Rule IDs: SV-43023r2_rule
Checks: C-41050r5_chk
Detailed Requirements: Core applications are applications included in the mobile device operating system. Applications added by the wireless carrier are not considered core applications. A security risk analysis must be performed by the DAA or a DAA-approved approval authority prior to a mobile OS application being approved for use.
- Since the native cryptographic module included in iOS is not FIPS 140-2 validated, non-core applications can only be approved if they meet one of the following conditions:
  - The application does not synchronize or store any sensitive data locally on the device; or
  - The application synchronizes and stores sensitive data locally on the device, and the data-at-rest as well as the data-in-transit is encrypted using a FIPS 140-2 validated cryptographic module.
- The application review and approval process must include an evaluation of what OS level permissions are required by the application and how the application shares data and memory space with other applications.
- The review process must also ensure approved applications do not contain malware or share data stored on the mobile OS device with non-DoD servers.
Check Procedures: Review this check after reviewing check WIR-SPP-020. Determine if any non-core mobile OS applications have been approved by the DAA.
- If no, this check is not applicable.
- If yes, complete the following procedures: Ask the site for documentation showing what security risk analysis procedures are used by the DAA prior to approving non-core applications for use. Determine if the procedures include an evaluation of the following:
  - What OS level permissions are required by the application.
  - The application does not contain malware.
  - The application does not share data stored on the CMDs with non-DoD servers.
  - If the application stores sensitive data, the application data storage container uses a FIPS 140-2 validated cryptographic module.
Mark as a finding if a security review was not conducted on approved applications or the application security risk review procedures do not contain the required risk assessment evaluation tasks.
Fix: F-36582r2_fix
Have DAA or Command IT CCB use the required procedures to review mobile applications prior to approving them.