Cyber · Trackr The Free Compliance Library
⌘K
DoD Compliance · STIG

Mobile Policy Security Technical Implementation Guide (STIG)

V2R3 · · · Released 28 Oct 2016 · 4 rules
Compare

Pick two releases to diff their requirements.

View

Open a previous version of this STIG.

This STIG provides policy, training, and operating procedure security controls for the use of mobile devices and systems in the DoD environment. This STIG applies to any mobile operating system device used to store, process, transmit, or receive DoD information. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
Sort by
c
All wireless/mobile systems (including associated peripheral devices, operating system, applications, network/PC connection methods, and services) must be approved by the approval authority prior to installation and use for processing DoD information.
High - V-8283 - SV-8778r6_rule
RMF Control
Severity
H
CCI
Version
WIR0005
Vuln IDs
  • V-8283
Rule IDs
  • SV-8778r6_rule
Unauthorized wireless systems expose DoD networks to attack. The Authorizing Official (AO) and appropriate commanders must be aware of all wireless systems used at the site. AOs should ensure a risk assessment for each system, including associated services and peripherals, is conducted before approving. Accept risks only when needed to meet mission requirements.Information Assurance OfficerDesignated Approving AuthorityInformation Assurance Manager
Checks: C-3890r7_chk

1. Request copies of written AO approval documentation for wireless/mobile devices used by the site. 2. Verify AO approval for wireless/mobile devices in use at the site. Note: The AO approval for wireless/mobile systems does not need to be documented separately from other AO approval documents for the site network, as long as the approval documents list the wireless/mobile systems in use at the site. For example, if a site network ATO lists the wireless system, the ATO meets the requirements of this check. If the AO has not approved all wireless/mobile devices used at the site, this is a finding.

Fix: F-19194r4_fix

Obtain AO approval prior to wireless systems being installed and used.

b
Unclassified wireless devices must not be operated in Secure Spaces (as defined in DoDI 8420.01) unless required conditions are followed.
AC-19 - Medium - CCI-002327 - V-12106 - SV-12659r5_rule
RMF Control
AC-19
Severity
M
CCI
CCI-002327
Version
WIR0040
Vuln IDs
  • V-12106
Rule IDs
  • SV-12659r5_rule
The operation of electronic equipment and emanations must be controlled in and around areas where sensitive information is kept or processed. Sites should post signs and train users to this requirement to mitigate this vulnerability.System Administrator
Checks: C-8122r6_chk

Detailed Policy Requirements: Note: This requirement does not apply to NSA-approved classified WLAN systems. The ISSO will ensure wireless devices are not operated in areas where classified information is electronically stored, processed, or transmitted unless: - Approved by the Authorizing Official (AO) in consultation with the Certified TEMPEST Technical Authority (CTTA). - The wireless equipment is separated from the classified data equipment at the minimum distance determined by the CTTA and appropriate countermeasures, as determined by the CTTA, are implemented. Check Procedures: Review documentation. Work with the traditional security reviewer to verify the following: 1. If classified information is not processed at this site, mark as not a finding. 2. If the site has a written procedure prohibiting the use of wireless devices in areas where classified data processing occurs, mark as not a finding. Ask for documentation showing the CTTA was consulted about operation and placement of wireless devices. Acceptable proof would be the signature or initials of the CTTA on the architecture diagram or other evidence of coordination. IAW DoD policy, the CTTA must have a written separation policy for each classified area. 3. Review written policies, training material, or user agreements to see if wireless usage in these areas is addressed. 4. Verify proper procedures for wireless device use in classified areas is addressed in training program. If wireless devices are used in or around classified processing areas but the CTTA has not designated a separation distance in writing, the AO has not coordinated with the CTTA, or users are not trained or made aware (using signage or user agreement) of procedures for wireless device usage in and around classified processing areas, this is a finding.

Fix: F-3423r3_fix

Central Computer and Telecommunication Agency (CTTA) must designate a separation distance in writing. AO must coordinate with the CTTA. Train users or get a signed user agreement on procedures for wireless device usage in and around classified processing areas.

a
All users of mobile devices or wireless devices must sign a user agreement before the mobile or wireless device is issued to the user and the user agreement used at the site must include required content.
Low - V-13982 - SV-14593r6_rule
RMF Control
Severity
L
CCI
Version
WIR0030
Vuln IDs
  • V-13982
Rule IDs
  • SV-14593r6_rule
Lack of user training and understanding of responsibilities to safeguard wireless technology is a significant vulnerability to the enclave. Once policies are established, users must be trained to these requirements or the risk to the network remains. User agreements are particularly important for mobile and remote users since there is a high risk of loss, theft, or compromise. Thus, this signed agreement is a good best practice to help ensure the site is confirming the user is aware of the risks and proper procedures.Information Assurance OfficerInformation Assurance Manager
Checks: C-11415r4_chk

Additional Policy Requirements: The user agreements must include Authorizing Official (AO) authorized tasks for the mobile device and relevant security requirements, including, but not limited to, the following: 1. DoD CIO Memorandum, “Policy on Use of Department of Defense (DoD) Information Systems Standard Consent Banner and User Agreement,” 09 May 2008 directs the following content will be included in a site User Agreement: STANDARD MANDATORY NOTICE AND CONSENT PROVISION FOR ALL DOD INFORMATION SYSTEM USER AGREEMENTS By signing this document, you acknowledge and consent that when you access Department of Defense (DoD) information systems: - You are accessing a U.S. Government (USG) information system (IS) (which includes any device attached to this information system) that is provided for U.S. Government authorized use only. - You consent to the following conditions: o The U.S. Government routinely intercepts and monitors communications on this information system for purposes including, but not limited to, penetration testing, communications security (COMSEC) monitoring, network operations and defense, personal misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. o At any time, the U.S. Government may inspect and seize data stored on this information system. o Communications using, or data stored on, this information system are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any U.S. Government-authorized purpose. o This information system includes security measures (e.g., authentication and access controls) to protect U.S. Government interests--not for your personal benefit or privacy. o Notwithstanding the above, using an information system does not constitute consent to personnel misconduct, law enforcement, or counterintelligence investigative searching or monitoring of the content of privileged communications or data (including work product) that are related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Under these circumstances, such communications and work product are private and confidential, as further explained below: - Nothing in this User Agreement shall be interpreted to limit the user's consent to, or in any other way restrict or affect, any U.S. Government actions for purposes of network administration, operation, protection, or defense, or for communications security. This includes all communications and data on an information system, regardless of any applicable privilege or confidentiality. - The user consents to interception/capture and seizure of ALL communications and data for any authorized purpose (including personal misconduct, law enforcement, or counterintelligence investigation). However, consent to interception/capture or seizure of communications and data is not consent to the use of privileged communications or data for personnel misconduct, law enforcement, or counterintelligence investigation against any party and does not negate any applicable privilege or confidentiality that otherwise applies. - Whether any particular communication or data qualifies for the protection of a privilege, or is covered by a duty of confidentiality, is determined in accordance with established legal standards and DoD policy. Users are strongly encouraged to seek personal legal counsel on such matters prior to using an information system if the user intends to rely on the protections of a privilege or confidentiality. - Users should take reasonable steps to identify such communications or data that the user asserts are protected by any such privilege or confidentiality. However, the user's identification or assertion of a privilege or confidentiality is not sufficient to create such protection where none exists under established legal standards and DoD policy. - A user's failure to take reasonable steps to identify such communications or data as privileged or confidential does not waive the privilege or confidentiality if such protections otherwise exist under established legal standards and DoD policy. However, in such cases the U.S. Government is authorized to take reasonable actions to identify such communication or data as being subject to a privilege or confidentiality, and such actions do not negate any applicable privilege or confidentiality. - These conditions preserve the confidentiality of the communication or data, and the legal protections regarding the use and disclosure of privileged information, and thus such communications and data are private and confidential. Further, the U.S. Government shall take all reasonable measures to protect the content of captured/seized privileged communications and data to ensure they are appropriately protected. o In cases when the user has consented to content searching or monitoring of communications or data for personnel misconduct, law enforcement, or counterintelligence investigative searching, (i.e., for all communications and data other than privileged communications or data that are related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants), the U.S. Government may, solely at its discretion and in accordance with DoD policy, elect to apply a privilege or other restriction on the U.S. Government's otherwise-authorized use or disclosure of such information. o All of the above conditions apply regardless of whether the access or use of an information system includes the display of a Notice and Consent Banner ("banner"). When a banner is used, the banner functions to remind the user of the conditions that are set forth in this User Agreement, regardless of whether the banner describes these conditions in full detail or provides a summary of such conditions, and regardless of whether the banner expressly references this User Agreement. 2. DoD sites are required to add the following to all site User Agreements: - The agreement should contain the type of access required by the user (privileged, end-user, etc.). - The agreement should contain the responsibilities, liabilities, and security measures (e.g., malicious code detection training) involved in the use of the wireless remote access device. - Incident handling and reporting procedures will be identified along with a designated point of contact. - The remote user can be held responsible for damage caused to a Government system or data through negligence or a willful act. - The policy should contain general security requirements and practices, which are acknowledged and signed by the remote user. - If classified devices are used for remote access from an alternative work site, the remote user will adhere to DoD policy in regard to facility clearances, protection, storage, distributing, etc. - Government owned hardware and software is used for official duties only. The employee is the only individual authorized to use this equipment. - User agrees to complete required wireless device training annually. Check Procedures: 1. Inspect a copy of the site’s user agreement. 2. Verify the user agreement has the minimum elements described in the STIG policy. 3. Select 10 names of assigned site personnel and verify they have a signed user agreement on file for assigned wireless equipment (e.g., wireless laptop, smartphone, tablet, etc.). If site user agreements do not exist or are not compliant with the minimum requirements, this is a finding.

Fix: F-23396r1_fix

Implement User Agreement with required content. Have all users sign a User Agreement.

c
Computers with an embedded wireless system must have the radio removed before the computer is used to transfer, receive, store, or process classified information, unless the wireless system has been certified via the DoD Commercial Solutions for Classified (CSfC) program.
High - V-19813 - SV-21976r6_rule
RMF Control
Severity
H
CCI
Version
WIR0045
Vuln IDs
  • V-19813
Rule IDs
  • SV-21976r6_rule
With the increasing popularity of wireless networking, most laptops have wireless NICs (network interface cards) installed on the laptop motherboard. Although the system administrator may disable these embedded NICs, the user may purposefully or accidentally enable the device. These devices may also inadvertently transmit ambient sound or electronic signals. Therefore, simply disabling the transmit capability is an inadequate solution for computers processing classified information. In addition, embedded wireless cards do not meet DoD security requirements for classified wireless usage.System AdministratorInformation Assurance Officer
Checks: C-24829r3_chk

Interview the IAO and inspect a sample of laptops/PCs (check about 10% if possible, with priority to laptops) used at the site for classified data processing. 1. Ask if there are laptops/PCs used to process classified information that have embedded wireless NICs. No embedded wireless NICs are allowed, including WLAN, Bluetooth, WMAN, cellular, etc. unless the wireless system has been certified via the DoD CSfC program. 2. The NIC should be physically removed. Using methods such as tape or software disabling is not acceptable. Interview the ISSO and determine if the site either bought laptops without wireless NICs (Wi-Fi, Bluetooth, WiMax, etc.) or physically removed the NICs from laptops. Verify the site has procedures in place to ensure laptops with wireless NICs are not used for classified data processing. If laptops or other computers are used to process classified information and have a wireless NIC installed, this is a finding. If this is a finding, recommend to the AO that this is a critical finding requiring immediate action. Allowed exception: The wireless system has been certified via the DoD CSfC program.

Fix: F-20496r2_fix

Ensure computers with embedded wireless NICs that cannot be removed and are not used to transfer, receive, store, or process classified information.