General Wireless Policy Security Technical Implementation Guide


This STIG provides policy, training, and operating procedure security controls for the use of wireless devices and systems in the DoD environment. This STIG applies to any wireless device (such as WLAN Access Points and clients, Bluetooth devices, smartphones and cell phones, wireless keyboards and mice, and wireless remote access devices) used to store, process, transmit or receive DoD information.

Version / Release: V1R4

Published: 2011-04-08

Updated At: 2018-09-23 02:43:07




Vuln Rule Version CCI Severity Title Description
SV-8778r17_rule WIR0005 HIGH All wireless systems (including associated peripheral devices, operating system, applications, network/PC connection methods, and services) must be approved by the Designated Approval Authority (DAA) prior to installation and use for processing DoD information. Unauthorized wireless systems expose DoD networks to attack. The DAA and appropriate commanders must be aware of all wireless systems used at the site. All wireless systems must be kept to a minimum needed for operations. DAAs should ensure a risk assessment for each system including associated services and peripherals is conducted before approving. Accept risks only when needed to meet mission requirements.Information Assurance OfficerECWN-1
SV-8779r14_rule WIR0015 LOW The site IAO will maintain a list of all DAA-approved wireless and non-wireless PED devices that store, process, or transmit DoD information. The site must maintain a list of all DAA-approved wireless devices. Close tracking of authorized wireless devices will facilitate the search for rogue devices. Sites must keep good inventory control over wireless and handheld devices that are used to store, process, and transmit DoD data since these devices can be easily lost or stolen leading to possible exposure of DoD data.System AdministratorDCHW-1
SV-8792r12_rule WIR0020 LOW Wireless devices that connect directly or indirectly (e.g., ActiveSync, wireless, etc.) to the network will be included in the site System Security Plan (SSP). The DAA and site commander must be aware of all approved wireless devices used at the site or DoD data could be exposed to unauthorized people. Documentation of the enclave configuration must include all attached systems. If the current configuration cannot be determined, then it is difficult to apply security policies effectively. Security is particularly important for wireless technologies attached to the enclave network because these systems increase the potential for eavesdropping and other unauthorized access to network resources.Information Assurance OfficerEBCR-1
SV-12625r16_rule WIR0035 HIGH Wireless devices are not permitted in a permanent, temporary, or mobile Sensitive Compartmented Information Facilities (SCIFs), unless approved by the SCIF Cognizant Security Authority (CSA) in accordance with Intelligence Community Directive 503 and Director Central Intelligence Directive (DCID) 6/9, the DAA, and the site Special Security Officer (SSO). For SME PED: This requirement is not applicable. This check will automatically be included in a security reviewer’s checklist by VMS. Emanations from computing devices in the secured area may be transmitted or picked up inadvertently by wireless devices.Information Assurance OfficerECSC-1, ECWN-1
SV-12659r13_rule WIR0040 MEDIUM Wireless devices must not be operated in areas where classified information is electronically stored, processed, or transmitted unless required conditions are followed. Note: This requirement is Not Applicable for SME PED. The operation of electronic equipment and emanations must be controlled in and around areas where sensitive information is kept or processed. Sites should post signs and train users to this requirement to mitigate this vulnerability.ECWN-1
SV-14593r21_rule WIR0030 LOW All users of mobile devices or wireless devices must sign a user agreement before the mobile or wireless device is issued to the user and the user agreement used at the site does must include required content listed below. Lack of user training and understanding of responsibilities to safeguard wireless technology are a significant vulnerability to the enclave. Once policies are established, users must be trained to these requirements or the risk to the network remains. User agreements are particularly important for mobile and remote users since there is a high risk of loss, theft, or compromise. Thus, this signed agreement is a good best practice to help ensure the site is confirming the user is aware of the risks and proper procedures. Information Assurance OfficerECWN-1, PRTN-1
SV-15662r9_rule WIR0025 MEDIUM All wireless network devices such as wireless Intrusion Detection System (IDS) and wireless routers, access points, gateways, and controllers must be located in a secure room with limited access or otherwise secured to prevent tampering or theft. DoD data and the network could be exposed to attack if wireless network devices are not physically protected. The NSO will ensure all wireless network devices (i.e., IDS, routers, servers, Remote Access System (RAS), firewalls, WLAN access points, etc.) and wireless management and email servers are located in a secure room with limited access or otherwise secured to prevent tampering or theft.System AdministratorECSC-1, ECWN-1
SV-16721r9_rule WIR0010 LOW DAA must approve the use of personally-owned PEDs that are used to transmit, receive, store, or process DoD information. Owner must sign a forfeiture agreement in case of a security incident. The use of unauthorized personally-owned wireless devices to receive, store, process or transmit DoD data could expose sensitive DoD data to unauthorized people. The use of personally-owned PEDs must be controlled by the site. Users must agree to forfeit the PED when security incidents occur, follow all required security procedures, and install required software in order to protect the DoD network.System AdministratorECSC-1, ECWN-1
SV-21976r4_rule WIR0045 HIGH Computers with an embedded wireless system must have the radio removed before the computer is used to transfer, receive, store, or process classified information. With the increasing popularity of wireless networking, many OEMs embedded the wireless NIC in the computer. Although the system administrator may disable these embedded NICs, the user may purposefully or accidentally enable the device. These devices may also inadvertently transmit ambient sound or electronic signals. Therefore, simply disabling the transmit capability is an inadequate solution for computers processing classified information. In addition, embedded wireless cards do not meet DoD security requirements for classified wireless usage.ECWN-1