Mobile Policy Security Requirements Guide

U_Mobile_Policy_V1R2_manual-xccdf.xml

The Mobile Policy Security Requirements Guide (SRG) is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the NIST 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]
Details

Version / Release: V1R2

Published: 2013-07-03

Updated At: 2018-09-23 05:02:02

    Vuln Rule Version CCI Severity Title Description Status Finding Details Comments
    SV-47226r1_rule SRG-MPOL-001 CCI-001382 MEDIUM The organization must define the maximum number of consecutive, unsuccessful login attempts to CMDs are permitted. Without proper lockout policies that define the maximum number of consecutive unsuccessful login attempts, unauthorized users could continually attempt to gain access to the mobile device. Allowing an unlimited number of login attempts to a mobile device could result in unauthorized access to data that is stored on the mobile device (e.g., contact lists, emails, calendar events, etc.) and unauthorized use of the mobile device.
    SV-47227r2_rule SRG-MPOL-002 CCI-001435 LOW The organization must comply with DoD ports and protocol guidance within the information system deemed to be non-secure for remote access into DoD networks. Some networking protocols are considered less secure than others (e.g., Bluetooth, peer-to-peer, etc.). In its access control policy and security procedures addressing remote access to the information system, the organization, in order to protect and secure its network, must define those network protocols considered to be non-secure. Failure to define the non-secure network protocols could result in the organization's network being open to access by these non-secure protocols, which could result in unauthorized access to, modification of, or destruction of sensitive or classified data. For mobile systems, several non-secure protocols are used routinely in the commercial world. Many of these must not be allowed on DoD networks and specified.
    SV-47228r1_rule SRG-MPOL-003 CCI-001455 MEDIUM The organization must make a risk-based determination for applications before they are accredited by the DAA prior to distribution or installation on a CMD. CMD applications can be written and published very quickly without a thorough life cycle management process or security assessment. It is critical that all applications that reside on CMDs go through the same rigorous security evaluation as a typical COTS product, so as not to introduce malware or other risks to DoD information and networks. If an application is utilized that has not been approved for use, and a risk based determination has not been made by the appropriate approving authority, DoD has no way of knowing what type of risk the application may pose to DoD information systems or data.
    SV-47229r1_rule SRG-MPOL-004 CCI-001455 LOW The organizations wireless metropolitan area network (WMAN) system accreditation must include a Transmission Security (TRANSEC) vulnerability analysis, if the WMAN system operates in a tactical environment. If a TRANSEC vulnerability analysis has not been completed, the system may not be designed or configured correctly to mitigate exposure of DoD data, or may be vulnerable to a wireless attack. The purpose of the analysis is to determine the jamming and exploitation risk of a WMAN system based on the design of the system If the WMAN system is a tactical system or a commercial system operated in a tactical environment, the site WMAN system accreditation documentation must include a Transmission Security (TRANSEC) vulnerability analysis. The analysis must include a determination on whether the system has a low probability of exploitation (LPE) for the WMAN signal in space, and list recommended risk mitigation actions. NOTE: This check should only be reviewed during the initial system Certification and Accreditation (C&A). This requirement originated in DTM 08-039, "Commercial Wireless Metropolitan Area Network (WMAN) Systems and Technology."
    SV-47235r1_rule SRG-MPOL-005 CCI-001445 MEDIUM The organization must monitor for unauthorized wireless connections to the information system at an organization defined time period. DoD networks are at risk, and DoD data could be compromised if wireless scanning is not conducted to identify unauthorized WLAN clients and access points connected to, or attempting to, connect to the network. DoD components will ensure a Wireless Intrusion detection System (WIDS) is implemented that allows for monitoring of WLAN activity and the detection of WLAN-related policy violations on all unclassified and classified DoD wired and wireless LANs. The WIDS shall be capable of monitoring Wi-Fi transmissions within all DoD LAN environments and detecting nearby unauthorized WLAN devices. WIDS are not required to monitor non-Wi-Fi transmissions.
    SV-47236r1_rule SRG-MPOL-006 CCI-001447 MEDIUM The organization must define a time period for monitoring of unauthorized wireless connections to information systems, including scans for unauthorized wireless access points. Wireless technologies include, but are not limited to, microwave, satellite, packet radio (UHF/VHF), Wi-Fi, and Bluetooth. Wireless networks present similar security risks to those of a wired network, and since the open airwaves are the communications medium for wireless technology, an entirely new set of risks are introduced. Implementing wireless computing and networking capabilities in accordance with the organization defined wireless policy, within organization-controlled boundaries, allowing only authorized and qualified personnel to configure wireless services, and conducting periodic scans for unauthorized wireless access points greatly reduces vulnerabilities.
    SV-47237r1_rule SRG-MPOL-007 CCI-001448 MEDIUM The organization must document and take appropriate action if an unauthorized wireless connection is discovered. Wireless technologies include, but are not limited to, microwave, satellite, packet radio (UHF/VHF), Wi-Fi, and Bluetooth. Wireless networks present similar security risks to those of a wired network, and since the open airwaves are the communications medium for wireless technology, an entirely new set of risks are introduced. Implementing wireless computing and networking capabilities in accordance with the organization defined wireless policy, within organization-controlled boundaries, allowing only authorized and qualified personnel to configure wireless services, and conducting monitoring and periodic scans for unauthorized wireless access points greatly reduces vulnerabilities.
    SV-47238r1_rule SRG-MPOL-008 CCI-001563 MEDIUM The organization must define the appropriate action(s) to be taken if an unauthorized wireless connection is discovered. Wireless technologies include, but are not limited to, microwave, satellite, packet radio (UHF/VHF), Wi-Fi, and Bluetooth. Wireless networks present similar security risks to those of a wired network, and since the open airwaves are the communications medium for wireless technology, an entirely new set of risks are introduced. Implementing wireless computing and networking capabilities in accordance with the organization defined wireless policy, within organization-controlled boundaries, allowing only authorized and qualified personnel to configure wireless services, and conducting monitoring and periodic scans for unauthorized wireless access points greatly reduces vulnerabilities.
    SV-47240r1_rule SRG-MPOL-010 CCI-001438 MEDIUM The organization must establish usage restrictions for wireless access. Wireless security has additional vulnerability because of transmission over an open medium accessible by all, yielding a broader threat profile. Without a methodology for the deployment and usage of wireless devices and access, security of the infrastructure and data cannot be assured. Wireless technologies include, but are not limited to, microwave, satellite, packet radio (UHF/VHF), Wi-Fi, and Bluetooth. Wireless networks present similar security risks to those of a wired network, and since the open airwaves are the communications medium for wireless technology, an entirely new set of risks are introduced. Implementing wireless computing and networking capabilities in accordance with the organization defined wireless policy, and allowing only authorized and qualified personnel to configure wireless services, greatly reduces vulnerabilities.
    SV-47244r2_rule SRG-MPOL-009 CCI-001451 MEDIUM The organization must confine Wi-Fi and Bluetooth communications to organization-controlled boundaries. Wireless technologies controlled by this requirement are only Wi-Fi, and Bluetooth. Wireless networks present similar security risks to those of a wired network, and since the open airwaves are the communications medium for wireless technology, an entirely new set of risks are introduced. Implementing wireless computing and networking capabilities in accordance with the organization defined wireless policy, within organization controlled boundaries, greatly reduces vulnerabilities. Note: Not to be used with Class 1 Bluetooth radios.
    SV-47245r1_rule SRG-MPOL-011 CCI-001438 LOW The organization concept of operations (CONOPS) or site security plan must include information that Bluetooth devices use only Class 2 or 3 standard radios. A key security control for DoD Bluetooth devices is to limit the broadcast area of the Bluetooth signal to the personal area of the user (approximately 30 feet or less). Class 1 radios broadcast at a higher power and are more vulnerable than Class 2 or 3 radios. The Class 1 radio signal is broadcast much farther; therefore, an adversary can be much farther away to intercept or monitor the transmission. Class 3 radios – have a range of up to 1 meter or 3 feet. Class 2 radios – most commonly found in mobile devices – have a range of 10 meters or 33 feet. Class 1 radios – used primarily in industrial use cases – have a range of 100 meters or 300 feet.
    SV-47246r1_rule SRG-MPOL-012 CCI-001438 MEDIUM The organization concept of operations (CONOPS) or site security plan must include guidance that signal amplification, antenna configuration, or other techniques must not be modified in Bluetooth radios that could affect signal detection or interception. If Bluetooth radio modifications have been made, security personnel cannot predict potential vulnerabilities of the system due to lack of security analysis of the modified state.
    SV-47248r1_rule SRG-MPOL-014 CCI-001438 LOW The organization must obtain U.S. Forces Command (USFORSCOM) or host nation approval for the use of wireless equipment prior to operation of such equipment outside the United States and Possessions (USP). When using a wireless system outside of the US&P, host nation wireless spectrum regulations must be followed. Otherwise, the system could interfere with, or be disrupted by, host nation communications systems.
    SV-47249r2_rule SRG-MPOL-015 CCI-001438 HIGH The organization must remove the wireless interface on computers with an embedded wireless system before the computer is used to transfer, receive, store, or process classified information. The majority of consumer based laptops have wireless network interface cards (NICs) integrated with the computer's motherboard. Although the system administrator may disable these embedded NICs, the user may purposely or accidentally enable the device. These devices may also inadvertently transmit ambient sound or electronic signals. Therefore, simply disabling the transmit capability is not an adequate solution for computers processing classified information. In addition, embedded wireless cards do not meet DoD security requirements for classified wireless usage.
    SV-47250r1_rule SRG-MPOL-016 CCI-001439 MEDIUM The organization must establish implementation guidance for wireless access. Wireless technologies include, but are not limited to, microwave, satellite, packet radio (UHF/VHF), Wi-Fi, and Bluetooth. Wireless networks present similar security risks to those of a wired network, and since the open airwaves are the communications medium for wireless technology, an entirely new set of risks are introduced. Implementing wireless computing and networking capabilities in accordance with the organization defined wireless policy, and allowing only authorized and qualified personnel to configure wireless services, greatly reduces vulnerabilities.
    SV-47251r1_rule SRG-MPOL-017 CCI-001439 HIGH The organization must ensure all wireless systems connected to a DoD network (including associated peripheral devices, operating system, applications, network/PC connection methods, and services) are approved by the approval authority prior to installation and use for processing DoD information. Unauthorized wireless systems expose DoD networks to attack. The DAA and appropriate commanders must be aware of all wireless systems used at the site. DAAs should ensure a risk assessment is conducted for each system, including associated services and peripherals, before approving. The DAA should accept risks only when required to meet mission requirements. The intent of this requirement is to ensure the DAA has approved the use of the wireless system. This approval can be documented in several ways. The most common is the site security plan includes the wireless system and the DAA has signed the site security plan. If the command uses an enterprise wide site security plan including the wireless system being reviewed, and the site security plan applies to the site being reviewed, then the requirement has been met.
    SV-47252r2_rule SRG-MPOL-018 CCI-001439 LOW The organizations wireless policy or wireless remote access policy must include information on locations CMD Wi-Fi access is approved or disapproved. If the policy does not include information on Wi-Fi security controls, it is more likely that the security controls will not be implemented properly. Without appropriate controls, Wi-Fi is vulnerable to a number of security breaches. These breaches could involve the interception of sensitive DoD information and the use of the device to connect to DoD networks.
    SV-47253r1_rule SRG-MPOL-019 CCI-001439 LOW The organization must have a written policy or training materials stating Bluetooth must be disabled on all applicable devices unless they employ FIPS 140-2 validated cryptographic modules for data in transit. Policy and training provide assurance that security requirements will be implemented in practice. Failure to use FIPS 140-2 validated cryptography makes data more vulnerable to security breaches as the data is unencrypted and in clear text.
    SV-47254r1_rule SRG-MPOL-020 CCI-001439 HIGH The organization must maintain a SIPRNet connection approval package with the Classified Connection Approval Office (CCAO) when connecting a Secure WLAN (SWLAN) to SIPRNet. The CCAO approval process provides assurance that the SWLAN use is appropriate and does not introduce unmitigated risks into the SIPRNet.
    SV-47255r1_rule SRG-MPOL-021 CCI-001439 LOW The organization must reasonably size and constrain the Wireless Metropolitan Area Network (WMAN) signals to their intended coverage area. Wireless signals can be intercepted more easily by an adversary than a wired signal due to the nature of the technology. DoD data may be at risk of exposure if the signals are not constrained to an area that is appropriately sized. This requirement originated in DTM 08-039, "Commercial Wireless Metropolitan Area Network (WMAN) Systems and Technology."
    SV-47256r1_rule SRG-MPOL-022 CCI-001439 LOW The organizations WMAN system must not operate in the 3.30-3.65 GHz frequency band. The 3.30-3.65 GHz frequency band WMAN interferes with DoD radar systems. Therefore, this range must be avoided. This requirement originated in DTM 08-039, "Commercial Wireless Metropolitan Area Network (WMAN) Systems and Technology."
    SV-47257r1_rule SRG-MPOL-023 CCI-001439 LOW The Incident Response Plan (IRP) and/or SOP must have the required procedures for reporting the results of WMAN intrusion scans. If scan results are not properly reported and acted on, the site could be vulnerable to wireless attack. This requirement originated in DTM 08-039, "Commercial Wireless Metropolitan Area Network (WMAN) Systems and Technology."
    SV-47258r1_rule SRG-MPOL-024 CCI-001439 MEDIUM The organization must only procure and deploy WPA2-Enterprise certified WLAN equipment and software for wireless systems that connect directly to DoD networks. The Wi-Fi Alliance WPA2-Enterprise certification means the WLAN equipment can support DoD security protocol and encryption requirements, most notably EAP-TLS and AES-CCMP. If the equipment has not been WPA-Enterprise certified, the equipment may not have the required security functionality to adequately protect DoD networks and information.
    SV-47262r1_rule SRG-MPOL-028 CCI-001441 MEDIUM The organization must authorize wireless access to the information system prior to connection. Wireless technologies include, but are not limited to, microwave, satellite, packet radio (UHF/VHF), Wi-Fi, and Bluetooth. Wireless networks present similar security risks to those of a wired network, and since the open airwaves are the communications medium for wireless technology, an entirely new set of risks are introduced. Implementing wireless computing and networking capabilities in accordance with the organization defined wireless policy, and allowing only authorized and qualified personnel to configure wireless services, greatly reduces vulnerabilities. For example, wireless networks use authentication protocols (e.g., EAP/TLS, PEAP), which provide credential protection and mutual authentication.
    SV-47263r1_rule SRG-MPOL-029 CCI-001441 LOW The organization must maintain a list of all DAA-approved wireless and non-wireless devices under their control that store, process, or transmit DoD information. Close tracking of authorized wireless devices will facilitate the search for rogue devices. Sites must maintain precise inventory control over wireless and handheld devices used to store, process, and transmit DoD data as these devices can be easily lost or stolen, leading to possible exposure of DoD data.
    SV-47264r2_rule SRG-MPOL-030 CCI-001441 LOW The organization must include each wireless device connecting to a DoD network in the applicable site security plan or other appropriate DIACAP document. The DAA and site commander must be aware of all approved wireless devices used at the site or DoD data may be exposed to unauthorized individuals. Documentation of the enclave configuration must include all attached systems. If the current configuration cannot be determined, then it is difficult to apply security policies effectively. Security is particularly important for wireless technologies attached to the enclave network because these systems increase the potential for eavesdropping and other unauthorized access to network resources.
    SV-47265r1_rule SRG-MPOL-031 CCI-001441 LOW The organization must have a wireless remote access policy signed by the site DAA, Commander, Director, or other appropriate authority. Wireless clients, DoD data, and the DoD network could be compromised if operational policies for the use of wireless remote access are not documented by the site. A site's Remote Access Policy will be written and signed by the site DAA, Commander, Director, or other appropriate manager(s). The policy should include required security controls for the DoD-owned/operated wireless client (laptop or CMD): - Device unlock password requirements. - Anti-virus application. - Personal firewall. - Client software patches kept up to date - Internet browsing through enterprise Internet gateway. - Device security policy managed by centrally-managed policy manager. - Anti-spyware app (recommended). - Procedures after client is lost, stolen, or other security incident occurs. - Host-based Wireless Intrusion Detection and Prevention System (WIDPS)/monitor WIDPS. - Configuration requirements of wireless client - Home WLAN authentication requirements. - Home WLAN SSID requirements. - Separate WLAN access point required for home WLAN. - 8+-character authentication password required for home WLAN. - Use of third-party Internet portals (kiosks) (approved or not approved). - Use of personally-owned or contractor-owned client devices (approved or not approved). - Implementation of health check of client device before connection is allowed. - Places where remote access is approved (home, hotels, airport, etc.). - Roles and responsibilities: --Which users or groups of users are and are not authorized to use organization's WLANs. --Which parties are authorized and responsible for installing and configuring APs and other WLAN equipment. - WLAN infrastructure security: --Physical security requirements for WLANs and WLAN devices, including limitations on the service areas of WLANs. 
--Types of information that may and may not be sent over WLANs, including acceptable use guidelines. - WLAN client device security: --The conditions under which WLAN client devices are and are not allowed to be used and operated. --Standard hardware and software configurations that must be implemented on WLAN client devices to ensure the appropriate level of security. --Limitations on how and when WLAN client's device may be used, such as specific locations. - Guidelines on reporting losses of WLAN client devices and reporting WLAN security incidents. - Guidelines for the protection of WLAN client devices to reduce theft.
    SV-47266r1_rule SRG-MPOL-032 CCI-001441 MEDIUM The organization must notify the Certified TEMPEST Technical Authority (CTTA) before a Secure WLAN (SWLAN) becomes operational and connected to the SIPRNet. A TEMPEST review must be completed or classified information may be at risk of exposure.
    SV-47269r1_rule SRG-MPOL-035 CCI-001442 MEDIUM The organization must ensure the network access control solution supports wireless clients and solutions if wireless networking is implemented. Without a secure network access solution implemented, rogue and/or non-policy compliant devices can gain access to the network and its resources.
    SV-47271r1_rule SRG-MPOL-037 CCI-001330 HIGH The organization must have written policy or training material stating CMDs must not be used to receive, transmit, or process classified messages unless specifically approved by NSA for such purposes and NSA-approved transmission and storage methods are used. Wireless devices will not be used for processing classified data unless approved for such use as classified data could be compromised or exposed to unauthorized personnel.
    SV-47272r1_rule SRG-MPOL-038 CCI-001330 MEDIUM The organization must not permit operation of wireless devices in areas where classified information is electronically stored, processed, or transmitted unless operation is in accordance with DAA-approved CTTA restrictions at the site. The operation of electronic equipment and emanations must be controlled in and around areas where sensitive information is kept or processed. Ensure wireless devices are not operated in areas where classified information is electronically stored, processed, or transmitted unless: - Approved by the DAA in consultation with the Certified TEMPEST Technical Authority (CTTA). - The wireless equipment is separated from the classified data equipment at the minimum distance determined by the CTTA, and appropriate countermeasures, as determined by the CTTA, are implemented.
    SV-47274r1_rule SRG-MPOL-040 CCI-001331 HIGH The organization must have a policy forbidding the use of wireless personal area network (PAN) devices, such as near-field communications (NFC), Bluetooth, and ZigBee, to send, receive, store, or process classified information. Classified data could be compromised since wireless PAN devices do not meet DoD encryption requirements for classified data.
    SV-47276r1_rule SRG-MPOL-042 CCI-001332 HIGH The organization must have written policy or training material that states non-enterprise activated CMD are not permitted to connect to DoD networks. Non-enterprise activated CMDs are not authorized to connect to DoD networks or to DoD computers that will be connected to DoD networks, because they do not have required security controls. There is a significant risk of introducing malware on a DoD network if these types of devices are connected to a DoD network.
    SV-47277r1_rule SRG-MPOL-043 CCI-001332 MEDIUM The organization must not permit non-enterprise activated CMDs to process or store DoD sensitive information, including DoD email. Non-enterprise activated CMDs are not authorized to process any information other than non-sensitive because they do not have required security controls to avoid tampering and malicious intent. There is a high risk of introducing malware and exfiltration of information if these types of devices store or process anything other than non-sensitive information.
    SV-47278r1_rule SRG-MPOL-044 CCI-001334 MEDIUM The organization must require that mobile devices used in facilities containing information systems processing, storing, or transmitting classified information, and the information stored on those devices, are subject to random reviews/inspections by organization defined security officials. The organization's access control procedures and security policies establish the requirement to control the use of various mobile devices and connected or imbedded capabilities. These policies and procedures are ineffective if there is no process in place ensuring the policies and procedures are being followed. A process of randomly inspecting or reviewing the various mobile devices, to include connected or imbedded capabilities, can be effective in ensuring compliance with the organization’s mobile device policies and procedures.
    SV-47279r1_rule SRG-MPOL-045 CCI-001334 LOW The organization must periodically conduct manual audits of CMDs to verify the CMD is not running unauthorized software or has otherwise not been modified in an unauthorized manner. The organization's access control procedures and security policies establish the requirement to control the use of various mobile devices and connected or imbedded capabilities. These policies and procedures are ineffective if there is no process in place ensuring the policies and procedures are being followed. A process of randomly inspecting or reviewing the various mobile devices, to include connected or imbedded capabilities, can be effective in ensuring compliance with the organization’s mobile device policies and procedures.
    SV-47280r1_rule SRG-MPOL-046 CCI-001334 LOW The organization, at the mobile device management (MDM) server site, must verify that local sites, where CMDs are provisioned, issued, and managed, are conducting annual self assessments. The security integrity of the CMD system depends on whether local sites, where CMDs are provisioned and issued, are complying with IA requirements. The risk of both malware being introduced on a handheld device, and of avenues of attack into the enclave being introduced via a CMD, are heightened if IA control procedures are not followed.
    SV-47281r1_rule SRG-MPOL-047 CCI-001334 MEDIUM The organization must store and maintain a configuration baseline of each CMD, including application software. An integrity baseline scan must be maintained, so the baseline can be compared to any subsequent scan to identify any anomalies or determine if there are any security vulnerability trends or compromises to the system.
    SV-47282r1_rule SRG-MPOL-048 CCI-001334 LOW The organization must maintain results and mitigation actions, from CMD integrity validation tool scans on site managed mobile devices, for 6 months (one year recommended). Scan results must be maintained, so auditors can verify mitigation actions have been completed, so a scan can be compared to a previous scan, and to determine if there are any security vulnerability trends.
    SV-47283r1_rule SRG-MPOL-049 CCI-001334 LOW The organization must ensure WIDS sensor scan results are saved for at least 6 months (one year recommended). If organizations do not maintain scan logs, it cannot be determined if intrusion detection findings are isolated and harmless events, or a more sustained, methodical attack on the system.
    SV-47284r1_rule SRG-MPOL-050 CCI-001334 LOW The organization must review MDM integrity scan results at least daily. If the organization does not review the integrity tool scans, an attacker may not be noticed by the administrator, and gain control of DoD data or compromise the system.
    SV-47286r1_rule SRG-MPOL-052 CCI-001458 HIGH The organization must follow the incident handling policy if classified information is found on mobile devices. In spite of the best security policies, restrictive controls, and random review procedures, incidents of leakage of classified data to unclassified CMDs are bound to occur. In these instances, the organization must have a set of defined procedures to be implemented when classified data is discovered on CMD. Failure to have incident handling procedures defined could result in confusion in the proper handling of the incident by organization personnel, or, worst case, classified data being disclosed to unauthorized sources. This requirement applies to all CMDs. This requirement also applies to sensitive DoD information stored on CMDs that are not authorized to connect to DoD networks or store/process sensitive DoD information. Sensitive DoD data or information is defined as any data/information that has not been approved for public release by the site/Command Public Affairs Officer (PAO).
    SV-47287r2_rule SRG-MPOL-053 CCI-001458 MEDIUM The organization must establish a standard operating procedure (SOP) for data spills on CMDs. When a data spill occurs on a CMD, classified or sensitive data must be protected to prevent disclosure. After a data spill, the CMD must either be wiped using approved procedures, or destroyed if no procedures are available, so classified or sensitive data is not exposed. If a data spill procedure is not published, the site may not use approved procedures to remediate after a data spill occurs and classified data could be exposed. This requirement also applies to sensitive DoD information stored on mobile OS devices that are not authorized to connect to DoD networks or store/process sensitive DoD information. Sensitive DoD data or information is defined as any data/information that has not been approved for public release by the site/Command Public Affairs Officer (PAO). In accordance with DoD policy, all components must establish Incident Handling and Response procedures. A CMI or "data spill" occurs when a classified email or document is inadvertently sent on an unclassified network and received on a wireless email device. Classified information may also be transmitted through some other form of file transfer, to include web browser downloads and files transferred through tethered connections. CMDs are not authorized for processing classified data. The site's Incident Handling and Response procedures should reference National Security Agency/Central Security Service (NSA/CSS) Storage Device Declassification Manual 9-12, Section 5, for CMD destruction procedures.
    SV-47289r1_rule SRG-MPOL-055 CCI-000082 MEDIUM The organization must have a CMD Personal Use Policy that specifies what types of personal files are permitted on the device. Malware can be introduced to a DoD enclave via personally-owned applications and personal website accounts. In addition, sensitive DoD data could be exposed, altered, or exfiltrated by the same malware. The DoD component must publish a Personal Use Policy for DoD component managed or owned CMDs. The policy will provide information on allowed personal use of DoD component mobile devices, including devices approved for connection to DoD networks and processing of sensitive data and for devices not approved for connection to DoD networks and processing of DoD data (for example, non-enterprise activated devices). The policy will be approved by the DAA based on a risk-based assessment. The assessment will consider costs to the Command that could result from additional wireless service charges from personal usage of the device.
    SV-47290r1_rule SRG-MPOL-056 CCI-000082 MEDIUM The organization must have a CMD Personal Use Policy that specifies restrictions on the use of personal email. Malware can be introduced to a DoD enclave via personally owned applications and personal website accounts. In addition, sensitive DoD data could be exposed, altered, or exfiltrated by the same malware. The DoD component must publish a Personal Use Policy for DoD component-managed or -owned CMDs. The policy will provide information on allowed personal use of DoD component mobile devices, both for devices approved for connection to DoD networks and processing of sensitive data and for devices not approved for connection to DoD networks and processing of DoD data (for example, non-enterprise activated devices). The policy will be approved by the DAA based on a risk-based assessment. The assessment will consider costs to the Command that could result from additional wireless service charges from personal usage of the device.
    SV-47291r1_rule SRG-MPOL-057 CCI-000082 LOW The organization's CMD Personal Use Policy must be approved by its DAA. Malware can be introduced to a DoD enclave via personally owned applications and personal website accounts. In addition, sensitive DoD data could be exposed by the same malware. The DoD component must publish a Personal Use Policy for DoD component-managed or -owned CMDs. The policy will provide information on allowed personal use of DoD component mobile devices, both for devices approved for connection to DoD networks and processing of sensitive data and for devices not approved for connection to DoD networks and processing of DoD data (for example, non-enterprise activated devices). The policy will be approved by the DAA based on a risk-based assessment. The assessment will consider costs to the Command that could result from additional wireless service charges from personal usage of the device.
    SV-47292r1_rule SRG-MPOL-058 CCI-000082 HIGH The organization must not use DoD-issued software certificates on non-enterprise activated CMDs. If DoD-issued certificates are used, the device may be able to connect to sites/systems that are otherwise prohibited without the certificate. Non-enterprise activated CMDs are not authorized to access DoD information. In addition, the certificate store on such a device is neither protected with AES encryption nor FIPS validated, so the DoD PKI certificates (and their private keys) would be at risk of compromise.
    SV-47293r1_rule SRG-MPOL-059 CCI-000082 LOW The organization must explicitly specify in each site's physical security policy whether CMDs with cameras are permitted at that site. If the policy does not address them, CMDs with cameras are easily used to photograph sensitive information and areas. Sites must establish, document, and train on how to mitigate this threat.
    SV-47295r1_rule SRG-MPOL-061 CCI-000083 MEDIUM The organization must establish standard operating procedures for provisioning mobile devices. A trusted provisioning process must be the foundation for installation of the mobile operating system and applications on the device during provisioning (whether tethered or over-the-air (OTA)). Provisioning data includes operating system configuration, key material, and other initialization data. It may be sensitive and therefore must be adequately protected. An adversary within the general proximity of the mobile device can eavesdrop on OTA transactions, making them particularly vulnerable to attack if confidentiality protections are not in place. Proper use of cryptography provides strong assurance that provisioning data is protected against confidentiality attacks. It may be possible for an adversary within the general proximity of the mobile device to hijack provisioning sessions and modify data transmitted during the provisioning process.
    SV-47296r1_rule SRG-MPOL-062 CCI-000083 LOW The organization must develop policy that ensures a CMD is wiped prior to issuance to DoD personnel. Malware may be installed on a device at some point between shipping from the factory and delivery to DoD. Such malware could result in the compromise of sensitive DoD information or in the introduction of malware into the DoD network.
    SV-47297r1_rule SRG-MPOL-063 CCI-000083 MEDIUM Develop policy that states CMD software updates must only originate from DoD-approved sources. Users must not accept over-the-air (OTA) wireless software updates from the wireless carrier or other non-DoD sources unless the updates have been tested and DoD approved. Unauthorized/unapproved software updates could include malware or degrade the security posture of the CMD and the DoD network infrastructure. All software updates should be reviewed and/or tested by the CMD system administrator and originate from an approved DoD source. Wireless software updates should be pushed from the CMD management server when this feature is available. Otherwise, the site administrator should verify that the non-DoD source of the update has been approved by IT management.
    SV-47298r1_rule SRG-MPOL-064 CCI-000083 MEDIUM The organization's DAA must approve the use of software PKI certificates on enterprise-activated CMDs prior to provisioning CMDs with DoD PKI digital certificates. S/MIME provides the user with the ability to digitally sign and encrypt email messages, to verify the digital signatures on received messages, and to decrypt messages received from others if those messages are encrypted. Digital signatures provide strong cryptographic assurance of the authenticity and integrity of the signed message, including attachments. This capability protects against the insertion of malicious mobile code and against social engineering attacks in which an adversary masquerades as a known user, as well as other exploits. Encryption provides confidentiality for sensitive information, which is particularly valuable when messages are sent to or received from users external to the DoD messaging infrastructure, as such messages would otherwise travel in the clear over the public Internet. The use of software certificates (as opposed to hardware-protected keys) adds additional risk of compromise to the user's digital certificates and to the DoD PKI infrastructure.
    SV-47299r1_rule SRG-MPOL-065 CCI-000083 MEDIUM The organization must develop policy that restricts CMD Instant Messaging (IM) client applications to connecting only to security-compliant, DoD-controlled IM servers. Non-DoD IM servers can be located anywhere in the world and may be under an adversary's control. If a DoD CMD IM client connects to a non-DoD IM server, malware could be installed on the CMD from the server, or sensitive DoD data on the CMD could be transferred to the server. In addition, if malware is installed on the CMD, it could be used to attack the DoD enclave the CMD connects to.
    SV-47300r1_rule SRG-MPOL-066 CCI-000083 MEDIUM The organization must obtain approval from the DAA or Command IT Configuration Control Board prior to installing a software application on a mobile device. Core applications are applications included in the CMD operating system. Applications added by the wireless carrier are not considered core applications. A security risk analysis must be performed by the DAA or DAA approval must be obtained prior to a mobile OS application being used. Non-approved applications can contain malware. Approved applications should be reviewed and tested by the approving authority to ensure they do not contain malware, spyware, or have unexpected features (e.g., send private information to a web site, track user actions, connect to a non-DoD management server). The DAA, DAA-designated Application Configuration Control Board, or other DAA-designated process has the responsibility to approve all third-party applications installed on mobile devices under the purview of the DAA. The application review and approval process must include an evaluation of what OS level permissions are required by the application and how the application shares data and memory space with other applications. The review process must also ensure approved applications do not contain malware or share data stored on the mobile OS device with non-DoD servers.
    SV-47301r1_rule SRG-MPOL-067 CCI-000083 MEDIUM The organization must perform a security risk analysis on a mobile operating system (OS) application, by the DAA or a DAA-authorized approval authority, prior to the application being approved for use. Non-approved applications can contain malware. Approved applications should be reviewed and tested by the approving authority to ensure they do not contain malware or spyware, or have unexpected features (e.g., send private information to a website, track user actions, connect to a non-DoD management server). Core applications are applications included in the CMD operating system. Applications added by the wireless carrier are not considered core applications. A security risk analysis must be performed by the DAA or a DAA-approved approval authority prior to a mobile OS application being approved for use. The DAA, a DAA-designated Application Configuration Control Board, or other DAA-designated process has the responsibility to approve all non-core applications installed on mobile devices under the purview of the DAA. The application review and approval process must include an evaluation of what OS-level permissions are required by the application and how the application shares data and memory space with other applications. The review process must also ensure that approved applications do not contain malware or share data stored on the mobile OS device with non-DoD servers.
    SV-47303r1_rule SRG-MPOL-069 CCI-000083 HIGH The organization must develop procedures for ensuring mobile operating systems, mobile applications, and mobile device management agents on managed mobile devices are updated within an organization-defined period after the updates/patches are available. Patches and fixes to an operating system (OS) or application are necessary elements in maintaining the security posture of a system. If one system has been compromised or exposed to a potential vulnerability, the entire infrastructure is at risk. Patches and fixes often address critical security flaws that have already been identified; without their application, those flaws remain exploitable and may pose a significant risk to DoD data.
    SV-47304r1_rule SRG-MPOL-070 CCI-000084 MEDIUM An authorization process must be developed and published that states the process to obtain approval before CMDs can connect to the organization's information system(s). In order to protect their information systems, organizations must have a process in place ensuring mobile devices adhere to implementation guidance, meet published usage restrictions, and are processed through an authorization process prior to connecting to the information system(s). Lacking such a process, organizations will experience an array of unauthorized mobile devices, with a myriad of configuration settings and no usage restrictions, connecting to their information systems. Such an environment would be unmanageable and could result in unauthorized access to, modification of, or destruction of sensitive or classified data.
    SV-47306r1_rule SRG-MPOL-072 CCI-001456 MEDIUM The organization must define locations the organization deems to be of significant risk to DoD information systems, in accordance with organizational policies and procedures. Given the continuous threat level in today's global environment, there are certain locations presenting significant risks to an organization's personnel, equipment, and data. To afford an increased level of awareness and security for its personnel, equipment, and data, an organization must identify those locations representing a higher level of risk. Failure of an organization to identify these locations could result in dangerous situations for its personnel; damaged, stolen, or compromised equipment; or unauthorized access to, modification of, or destruction of sensitive or classified data.
    SV-47308r1_rule SRG-MPOL-074 CCI-000089 MEDIUM The organization must apply organization-defined inspection and preventive measures to mobile devices returning from locations the organization deems to be of significant risk to DoD information systems. Despite the implementation of viable countermeasures on mobile devices, upon return from a high-risk location each device should be treated as if it has been compromised. The mobile device should be meticulously inspected for the existence of malware and for unauthorized access to, or modification, deletion, or destruction of, data stored on the mobile device. The inspection is intended to isolate any compromise of the mobile device, thereby preventing its propagation to other organization information systems. If a mobile device has been compromised, organization personnel should initiate additional preventive measures to sanitize the mobile device. If sanitization is not possible, the mobile device should be destroyed.
    SV-47309r1_rule SRG-MPOL-075 CCI-000103 MEDIUM The organization must produce a written policy and training material that states CMDs that are classified as non-enterprise activated must not be used to send, receive, store, or process sensitive/FOUO or classified data and information or connect to DoD networks. Some CMDs are not authorized to store or process sensitive DoD data and information because they do not have required security controls to protect the data/information. There is a high risk that sensitive data will be exposed to unauthorized personnel with access to the device. Sensitive DoD data or information is defined as any data/information that has not been approved for public release by the site/Command Public Affairs Officer (PAO).
    SV-47310r1_rule SRG-MPOL-076 CCI-000103 MEDIUM The organization must produce a written policy and training material that states CMDs classified as non-enterprise activated must not access DoD email systems. Some CMDs are not authorized to connect to DoD email systems because they do not have required security controls. There is a high risk of introducing malware on a DoD email system or of compromising sensitive DoD data if these types of devices are connected to a DoD email system. There is a high risk sensitive data will be exposed to unauthorized personnel with access to the device if DoD email was viewed, processed, or stored on the device.
    SV-47311r1_rule SRG-MPOL-077 CCI-000106 LOW The organization must ensure users receive training before they are authorized to access a DoD network with a CMD. Improper use of wireless remote access to a DoD network can compromise both the wireless client and the network, as well as expose DoD data to unauthorized individuals. Without adequate training, remote access users are more likely to engage in behaviors that make DoD networks and information vulnerable to security exploits. The security personnel and the site wireless device administrator must ensure all wireless remote access users receive training before they are authorized to access a DoD network via a wireless remote access device.
    SV-47312r1_rule SRG-MPOL-078 CCI-001479 LOW The organization must ensure the MDM server administrator receives required training annually. The security posture of the MDM server could be compromised if the administrator is not trained to follow required procedures.
    SV-47313r1_rule SRG-MPOL-079 CCI-001566 MEDIUM The organization must ensure all non-enterprise activated CMD users complete Operational Security (OPSEC) training that provides use guidelines and vulnerability mitigation techniques. Improper use of CMDs can compromise both the CMD and the network, as well as expose DoD data to unauthorized individuals. Without adequate OPSEC training, users are more likely to engage in behaviors that make DoD networks and information more vulnerable to security exploits. The security personnel and the site CMD administrators must ensure non-enterprise activated CMD users receive OPSEC training.
    SV-47314r1_rule SRG-MPOL-080 CCI-000114 LOW The organization must verify each of its CMD users has completed annual CMD user training. Users are the first line of security controls for CMD systems. They must be trained in using CMD security controls or the system could be vulnerable to attack. All CMD users must receive security training on the device before they are issued a CMD. If training is not renewed on an annual basis, users may not be informed of new security procedures or may forget previously trained procedures, which could lead to an exposure of sensitive DoD information.
    SV-47315r1_rule SRG-MPOL-081 CCI-000836 LOW The organization must execute its incident response plan or applicable Standard Operating Procedure (SOP) when a CMD is reported lost or stolen. If procedures for lost or stolen CMDs are not followed, it is more likely that an adversary could obtain the device and use it to access DoD networks or otherwise compromise DoD information systems and data.
    SV-47316r1_rule SRG-MPOL-082 CCI-000843 LOW The organization must include procedures for lost or stolen CMDs in its Incident Response Plan or applicable Standard Operating Procedure (SOP). Sensitive DoD data could be stored in memory on a DoD-operated CMD, and that data could be compromised if required actions are not followed when a CMD is lost or stolen. Without procedures for lost or stolen CMDs, it is more likely that an adversary could obtain the device and use it to access DoD networks or otherwise compromise DoD information assurance (IA). The site (the location where CMDs are issued and managed, and the site where the MDM server is located) must publish procedures to follow if a CMD has been lost or stolen.
    SV-47317r1_rule SRG-MPOL-083 CCI-001028 LOW The organization must follow required procedures for the disposal of CMDs. If appropriate procedures are not followed prior to disposal of a CMD, an adversary may be able to obtain sensitive DoD information or learn aspects of the configuration of the device that might facilitate a subsequent attack.
    SV-47318r1_rule SRG-MPOL-084 CCI-000928 MEDIUM The organization must secure all wireless network devices, such as wireless Intrusion Detection Systems (IDS), wireless routers, access points, gateways, and controllers, to prevent tampering or theft, or must locate them in a secure room with limited access. DoD data and the network could be exposed to attack if wireless network devices are not physically protected. The Network Security Officer (NSO) will ensure all wireless network devices (e.g., IDS, routers, servers, Remote Access System (RAS), firewalls, WLAN access points, etc.), wireless management servers, and email servers are located in a secure room with limited access or are otherwise secured to prevent tampering or theft.
    SV-47319r1_rule SRG-MPOL-085 CCI-000928 MEDIUM The organization must ensure physical security controls are implemented for Secure WLAN (SWLAN) access points. If an adversary is able to gain physical access to a SWLAN device, he/she may be able to compromise the device in a variety of ways, some of which could enable the adversary to obtain classified data. Physical security controls greatly mitigate this risk. The following physical security controls must be implemented for SWLAN access points: - Secure WLAN access points shall be physically secured, and methods shall exist to facilitate the detection of tampering. WLAN APs are part of a communications system and shall have controlled physical security, in accordance with DoDD 5200.08-R. SWLAN access points not within a location that provides limited access shall have controlled physical security with either fencing or inspection. - Either physical inventories or electronic inventories shall be conducted daily, by viewing or polling the serial number or MAC address of each access point. Access points not stored in a COMSEC-approved security container shall be physically inventoried.
    SV-47321r1_rule SRG-MPOL-086 CCI-001531 LOW The organization must not permit personnel to operate a CMD without first signing a user agreement IAW DoD CIO Memorandum, Policy on Use of Department of Defense (DoD) Information Systems Standard Consent Banner and User Agreement, 9 May 2008. Lack of user training and understanding of responsibilities to safeguard wireless technology is a significant vulnerability to the enclave. Once policies are established, users must be trained on these requirements or the risk to the network remains. User agreements are particularly important for mobile and remote users, since there is a high risk of loss, theft, or compromise. A signed agreement is therefore a good practice that helps the site confirm the user is aware of the risks and proper procedures.