L3 KOV-26 Talon (Wireless Role) Security Technical Implementation Guide (STIG)

U_L3_KOV-26_Talon_Wireless_Role_V6R7_Manual-XCCDF.xml

Version/Release: V6R7
Published: 2014-04-07
This STIG contains the technical security controls for the operation of a L3 KOV-26 Talon (Wireless Role) encryptor in the DoD environment.
| Rule | Version | Severity | Title | Description | Responsibility | IA Controls |
|---|---|---|---|---|---|---|
| SV-3512r1_rule | WIR0235 | HIGH | NSA Type 1 products and required procedures must be used to protect classified data at rest (DAR) on wireless devices used on a classified WLAN or WMAN. | NSA Type 1 products provide a high level of assurance that cryptography is implemented correctly and meets the standards for storage of classified information. Use of cryptography that is not Type 1 certified violates policy and increases the risk that classified data will be compromised. | Information Assurance Officer | ECWN-1 |
| SV-4636r1_rule | WIR0210 | HIGH | A Secure WLAN (SWLAN) must conform to an approved network architecture. | Approved network architectures have been assessed for IA risk. Non-approved architectures provide less assurance than approved architectures because they have not undergone the same level of evaluation. | Information Assurance Officer | ECSC-1, ECWN-1 |
| SV-7459r1_rule | WIR0230 | LOW | The site must have written procedures for the protection, handling, accounting, and use of NSA Type 1 products. | Written procedures provide assurance that personnel take the required steps to prevent loss of keys or other breaches of system security. | Information Assurance Officer | ECSC-1 |
| SV-14613r2_rule | WIR0170 | MEDIUM | A device’s wired network interfaces (e.g., Ethernet) must be disconnected or otherwise disabled when wireless connections are in use. | If a client device supports simultaneous use of wireless and wired connections, then this increases the probability that an adversary who can access the device using its wireless interface can then route traffic through the device’s wired interface to attack devices on the wired network or obtain sensitive DoD information. | System Administrator, Information Assurance Officer | ECWN-1 |
| SV-15614r1_rule | WIR0105 | LOW | WLAN SSIDs must be changed from the manufacturer’s default to a pseudo random word that does not identify the unit, base, organization, etc. | An SSID that identifies the unit, site, or purpose of the WLAN, or that is set to the manufacturer default, may cause an OPSEC vulnerability. | System Administrator | ECSC-1, ECWN-1 |
| SV-16085r1_rule | WIR0205 | HIGH | Any wireless technology used to transmit classified information must be an NSA Type 1 product. | NSA Type 1 certification provides the level of assurance required for transmission of classified data. Systems without this certification are more likely to be compromised by a determined and resourceful adversary. | System Administrator, Information Assurance Officer | ECWM-1 |
| SV-20126r1_rule | WIR0215 | HIGH | A Secure WLAN (SWLAN) connected to the SIPRNet must have a SIPRNet connection approval package on file with the Classified Connection Approval Office (CCAO). | The CCAO approval process provides assurance that the SWLAN use is appropriate and does not introduce unmitigated risks into the SIPRNet. | | ECWN-1 |
| SV-20127r1_rule | WIR0220 | MEDIUM | Before a Secure WLAN (SWLAN) becomes operational and is connected to the SIPRNet, the Certified TEMPEST Technical Authority (CTTA) must be notified. | Wireless signals are extremely vulnerable to both detection and interception, which can provide an adversary with the location and intensity of particular DoD activities and potentially reveal classified DoD information. TEMPEST reviews provide assurance that unacceptable risks have been identified and mitigated. | Information Assurance Officer, Designated Approving Authority | ECWN-1 |
| SV-20128r1_rule | WIR0225 | MEDIUM | Physical security controls must be implemented for SWLAN access points. | If an adversary is able to gain physical access to a SWLAN device, it may be able to compromise the device in a variety of ways, some of which could enable the adversary to obtain classified data. Physical security controls greatly mitigate this risk. | System Administrator, Information Assurance Officer | ECTM-2, ECWN-1 |
| SV-40014r1_rule | WIR0226 | LOW | SWLAN access points must implement MAC filtering. | Medium access control (MAC) filtering is a mechanism for ensuring that only authorized devices connect to the WLAN. While there are other methods to achieve similar protection with greater assurance, MAC filtering can be employed as a defense-in-depth measure. | System Administrator, Information Assurance Officer | ECWN-1 |
| SV-40029r1_rule | WIR0231 | HIGH | SWLAN must be rekeyed at least every 90 days. | The longer a key remains in use, the more likely it will be compromised. If an adversary can compromise an SWLAN key, then it can obtain classified information. | | ECWN-1 |