General Mobile Device (Technical) (Non-Enterprise Activated) Security Technical Implementation Guide

U_General_Mobile_Device_Technical_(NEA)_V1R4_manual-xccdf.xml

This STIG provides technical security controls for the use of mobile devices (smartphones and tablets) that are not authorized to be connected to a DoD network or to store or process sensitive or classified DoD data/information. Non-enterprise activated refers to any device that is operated under the use conditions found in Section 2.1 of the STIG overview document. See Section 1.1 of the STIG overview document for additional information.
Details

Version / Release: V1R4

Published: 2013-07-03

Updated At: 2018-09-23 02:42:07

Vuln Rule Version CCI Severity Title Description
SV-40110r2_rule WIR-MOS-NS-006-01 LOW All non-core applications on mobile devices must be approved by the DAA or Command IT Configuration Control Board. Non-approved applications can contain malware. Approved applications should be reviewed and tested by the approving authority to ensure they do not contain malware, spyware, or have unexpected features (e.g., send private information to a web site, track user actions, connect to a non-DoD management server). The DAA or Command IT Configuration Control Board (CCB) is responsible for setting up procedures to review, test, and approve smartphone applications. It is expected the process will be similar to what is used to approve and manage applications on command PCs. Responsibility: Designated Approving Authority, Information Assurance Officer, Information Assurance Manager. IA Controls: DCCB-1, ECWN-1
SV-40111r2_rule WIR-MOS-NS-010 LOW Smartphones must be configured to require a password/passcode for device unlock. Sensitive DoD data could be compromised if a device unlock password/passcode is not set up on DoD smartphones. Responsibility: System Administrator. IA Controls: ECWN-1, IAIA-1
SV-40112r2_rule WIR-MOS-NS-016 LOW The smartphone inactivity timeout must be set. Sensitive DoD data could be compromised if the smartphone does not automatically lock after the required period of inactivity. Responsibility: System Administrator. IA Controls: PESL-1
SV-40113r2_rule WIR-MOS-NS-011 LOW The device minimum password/passcode length must be set. Sensitive DoD data could be compromised if a device unlock password/passcode is not set to required length on DoD smartphones. Responsibility: System Administrator. IA Controls: ECWN-1, IAIA-1
SV-40117r2_rule WIR-MOS-NS-050-01 LOW The installation of user owned applications on the mobile device must be based on the Command’s Mobile Device Personal Use Policy. The risk of installing personally owned or freeware apps on a DoD mobile device should be evaluated by the DAA against mission need and how the device is intended to be used. There is a risk that personally owned or freeware apps could introduce malware on the device, which could impact the performance of the device and corrupt non-sensitive data stored on the device. Responsibility: Designated Approving Authority, Information Assurance Officer. IA Controls: ECWN-1
SV-40123r2_rule WIR-MOS-NS-050-02 LOW The use of the mobile device to view and/or download personal email must be based on the Command’s Mobile Device Personal Use Policy. The risk of viewing and downloading personal email on a non-DoD-network connected mobile device that does not contain sensitive or classified DoD data/information should be evaluated by the DAA against mission need and how the device is intended to be used. There is a risk that personal email could introduce malware on the device, which could impact the performance of the device and corrupt non-sensitive data stored on the device. Responsibility: Information Assurance Officer. IA Controls: ECWN-1
SV-40125r2_rule WIR-MOS-NS-050-03 LOW Download of user owned data (music files, picture files, etc.) on mobile devices must be based on the Command’s Mobile Device Personal Use Policy. The risk of installing user owned data (music files, picture files, etc.) on a non-DoD-network connected mobile device that does not contain sensitive or classified DoD data/information should be evaluated by the DAA against mission need and how the device is intended to be used. There is a risk that user owned data (music files, picture files, etc.) could introduce malware on the device, which could impact the performance of the device and corrupt non-sensitive data stored on the device. Responsibility: Information Assurance Officer. IA Controls: ECWN-1
SV-40127r2_rule WIR-MOS-NS-050-04 LOW Connecting mobile devices to user social media web accounts (Facebook, Twitter, etc.) must be based on the Command’s Mobile Device Personal Use Policy. The risk of connecting to user social media web accounts on a non-DoD-network connected mobile device that does not contain sensitive or classified DoD data/information should be evaluated by the DAA against mission need and how the device is intended to be used. There is a risk that connecting to user social media web accounts could introduce malware on the device, which could impact the performance of the device and corrupt non-sensitive data stored on the device. Responsibility: Information Assurance Officer. IA Controls: ECWN-1