This STIG contains the technical security controls for the operation of an L3 KOV-26 Talon (Wireless Role) encryptor in the DoD environment.
NSA Type 1 products and required procedures must be used to protect classified data at rest (DAR) on wireless devices used on a classified WLAN or WMAN.
NSA Type 1 products provide a high level of assurance that cryptography is implemented correctly and meets the standards for storage of classified information. Use of cryptography that is not Type 1 certified violates policy and increases the risk that classified data will be compromised.
Responsibility: Information Assurance Officer. IA Controls: ECWN-1
A Secure WLAN (SWLAN) must conform to an approved network architecture.
Approved network architectures have been assessed for IA risk. Non-approved architectures provide less assurance than approved architectures because they have not undergone the same level of evaluation.
Responsibility: Information Assurance Officer. IA Controls: ECSC-1, ECWN-1
The site must have written procedures for the protection, handling, accounting, and use of NSA Type 1 products.
Written procedures provide assurance that personnel take the required steps to prevent loss of keys or other breaches of system security.
Responsibility: Information Assurance Officer. IA Controls: ECSC-1
A device’s wired network interfaces (e.g., Ethernet) must be disconnected or otherwise disabled when wireless connections are in use.
If a client device supports simultaneous use of wireless and wired connections, it is more probable that an adversary who can access the device through its wireless interface can then route traffic through the device’s wired interface to attack devices on the wired network or obtain sensitive DoD information.
Responsibility: System Administrator, Information Assurance Officer. IA Controls: ECWN-1
WLAN SSIDs must be changed from the manufacturer’s default to a pseudo random word that does not identify the unit, base, organization, etc.
An SSID that identifies the unit, site, or purpose of the WLAN, or that is set to the manufacturer default, may cause an OPSEC vulnerability.
Responsibility: System Administrator. IA Controls: ECSC-1, ECWN-1
Any wireless technology used to transmit classified information must be an NSA Type 1 product.
NSA Type 1 certification provides the level of assurance required for transmission of classified data. Systems without this certification are more likely to be compromised by a determined and resourceful adversary.
Responsibility: System Administrator, Information Assurance Officer. IA Controls: ECWM-1
A Secure WLAN (SWLAN) connected to the SIPRNet must have a SIPRNet connection approval package on file with the Classified Connection Approval Office (CCAO).
The CCAO approval process provides assurance that the SWLAN use is appropriate and does not introduce unmitigated risks into the SIPRNet.
IA Controls: ECWN-1
Before a Secure WLAN (SWLAN) becomes operational and is connected to the SIPRNet, the Certified TEMPEST Technical Authority (CTTA) must be notified.
Wireless signals are extremely vulnerable to both detection and interception, which can provide an adversary with the location and intensity of particular DoD activities and potentially reveal classified DoD information. TEMPEST reviews provide assurance that unacceptable risks have been identified and mitigated.
Responsibility: Information Assurance Officer, Designated Approving Authority. IA Controls: ECWN-1
Physical security controls must be implemented for SWLAN access points.
If an adversary is able to gain physical access to a SWLAN device, it may be able to compromise the device in a variety of ways, some of which could enable the adversary to obtain classified data. Physical security controls greatly mitigate this risk.
Responsibility: System Administrator, Information Assurance Officer. IA Controls: ECTM-2, ECWN-1
SWLAN access points must implement MAC filtering.
Medium access control (MAC) filtering is a mechanism for ensuring that only authorized devices connect to the WLAN. While there are other methods to achieve similar protection with greater assurance, MAC filtering can be employed as a defense-in-depth measure.
Responsibility: System Administrator, Information Assurance Officer. IA Controls: ECWN-1
SWLAN must be rekeyed at least every 90 days.
The longer a key remains in use, the more likely it will be compromised. If an adversary can compromise an SWLAN key, then it can obtain classified information.
IA Controls: ECWN-1