Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
Detailed Policy Requirements: FIPS 140-2 validated encryption modules must be used to encrypt unclassified sensitive data at rest on the wireless device (e.g., laptop, PDA, smartphone). This requirement applies to any wireless device or non-wireless PDA storing sensitive information, as defined by Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer Memorandum, “Encryption of Sensitive Unclassified Data at Rest on Mobile Computing Devices and Removable Storage,” July 3, 2007. This requirement also applies to removable memory cards (e.g., MicroSD) used in the PDA except when the PDA is connected to a Windows PC for the purpose of provisioning or transferring data. Check Procedures: Interview IAO and review documentation. 1. Determine if the wireless device is used to store sensitive data. Data approved for public release is not sensitive. Other unclassified data may also qualify as sensitive. Any device that stores any sensitive data must meet the requirements in this check. 2. Check a sample of wireless laptops, PDAs, smartphones, and other wireless devices used at the site (2-3 of each type). 3. Obtain the product’s FIPS certificate to confirm FIPS 140-2 validation for each model examined. The certificate may be obtained from the product documentation or the NIST web site. 4. Work with the IAO to determine if encryption is enabled on the wireless client device uses AES or 3DES. 5. Verify temp files with sensitive information are also protected with encryption. 6. Mark as a finding if encryption is not used or is not FIPS 140-2 validated.
Employ FIPS 140-2 validated encryption modules for sensitive DoD data at rest.
Detailed Policy Requirements: DoD-licensed anti-malware software must be installed on all wireless clients (e.g., PDAs and smartphones) and non-wireless PDAs and is kept up-to-date with the most recent virus signatures every 14 days or less. Note: This requirement does not apply to any handheld PDA that is not used to connect to the internet or a DoD computer or network. It does not apply to handheld bar-code or RFID scanners that are connected to DoD computers to download scanned data (handheld is used only as a bar-code / RFID scanner). In addition, this requirement does not apply to phones that only have the capability for voice calls only, including wireless VoIP and Unlicensed Mobile Access (UMA) (no data, Internet connections other than for voice calls over wireless VoIP and UMA). Check Procedures: Verify laptop computers, PDAs, and smartphones are protected by anti-virus software. For PDAs and cell phones, inspect a sample of the devices (3 – 4 devices). Verify the software is: o Configured to scan upon startup (once daily) (or at least scan once every week) or the user trained to scan at least once per week. o Configured to automatically update at least every 14 days or the user trained to manually update once every two weeks. o Enabled for Web browser download protection. o If DoD approved antivirus products (e.g. downloaded from the JTF GNO antivirus portal) are not available for the wireless device, sites must select commercial products which are from major vendors with preference given to products tested or already used by other DoD organizations. o The DAA must give written approval of this product. Mark as a finding if any of the following are true: o No antivirus software is installed; update procedures are not configured or used; or the software is not configured IAW the Wireless STIG policy.
The IAO will ensure DoD licensed anti-virus software is installed on all wireless clients (e.g., laptops, PDAs, and cellular telephones) and the software is configured in accordance with the Desktop Application STIG and is kept up-to-date with the most recent virus signatures every 14 days or less.
NOTE: This check applies to any handheld mobile device (PDA, non-email Windows Mobile or Palm OS PDA, iPod, bar code scanner, RFID scanner, cell phone, etc.) that is connected to a DoD Windows PC for the purpose of provisioning or transferring data between the PC and mobile device. This check does not apply to BlackBerrys, Windows Mobile smartphones used for email, and SME PEDs. Requirements for these devices are found in the appropriate STIG for the device. These requirements do not apply to: -PDAs that are never connected to Windows PCs. -PDAs connected to stand-alone DoD Windows computers that are not connected to a DoD network. -PCMCIA cards with flash memory used to store user data. For example, many new broadband wireless modems have this capability. (NOTE: encryption of data stored on the flash memory may be required by Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer Memorandum, “Encryption of Sensitive Unclassified Data at Rest on Mobile Computing Devices and Removable Storage,” July 3, 2007.) -PCMCIA cards with non-user addressable ROM flash memory. Detailed Policy Requirements: PDAs and smartphones will not be connected to DoD Windows computers via a USB connection unless the following conditions are met: - The DoD Windows computer utilizes the DoD Host Based Security System (HBSS) with the Device Control Module (DCM). Configuration requirements are found in CTO 10-004A. -Autorun is disabled on the Windows PC. Check Procedures: Interview the IAO and smartphone administrator. Check the following on sample (use 3-4 devices as a random sample) PCs and smartphones: - Verify the site has implemented HBSS with DCM on computers used to connect BlackBerrys. Have the Windows reviewer assist in determining that HBSS with DCM is installed (ususally verified during a Windows Workstation review).. - Verify Autorun is disabled (ususally verified during a Windows Workstation review).
Windows PCs used to connect to smartphones will be configured so they are compliant with requirements.
Interview the IAO and/or site wireless device administrator and inspect a sample (3-4) of site devices. Review VPN client specification sheets and FIPS 140-2 certificate. Verify the devices have a VPN client installed and that it is FIPS 140-2 validated. Mark as a finding if the VPN is not FIPS 140-2 validated.
Comply with requirement.
Note: Removable flash media is defined as media that is readily accessible by the user and does not require additional tools to disassemble the device or remove screws to gain access. Note: This check applies to any handheld mobile device (PDA, non-email Windows Mobile or Palm OS PDA, bar code scanner, RFID scanner, cell phone, etc.) that is connected to a DoD Windows PC for the purpose of provisioning or transferring data between the PC and mobile device. This check does not apply to BlackBerrys, Windows Mobile smartphones used for email, and SME PEDs. Requirements for these devices are found in the appropriate Checklist for the device. Check Procedures: Interview the IAO to determine if the site uses removable memory cards in site managed handheld PDAs. If Yes, -Determine if FIPS 140-2 data encryption has been implemented on the memory cards. Ask the IAO for FIPS certificate or search for it on the NIST web site. -Determine if the removable data storage media card is bound to the PED such that it may not be read by any other PED or computer. Procedures will vary, depending on system vendor. Ask the IAO for system technical documentation showing this capability and how to configure. -Determine if the security policy on the PDA is configured to deny the use of removable data storage media on site managed PEDs (if this capability is available). Procedures will vary, depending on system vendor. Ask the IAO for system technical documentation showing this capability and how to configure it. -Determine if the site uses a removable data storage memory card to load files on site PDAs for the purpose of provisioning the PDA. If yes, verify the memory card used for provisioning has either been provided by the PDA vendor or loaded with provisioning files from a non-NIPRNet computer. Mark as a finding if the requirements for compliance are not met.
Comply with requirement
This check is not applicable if the installed VPN client is not used for remote access to DoD networks. Interview the IAO and/or site wireless device administrator and inspect a sample (3-4) of site devices. Review VPN client specification sheets. Verify the VPN client support AES encryption. Mark as a finding if AES is not supported. Also mark as a finding if no VPN capability is present.
Comply with requirement.
Interview the IAO and/or site wireless device administrator and inspect a sample (3-4) of site devices. Verify the VPN client supports CAC authentication to the DoD network (recommend asking the site wireless device administrator to demo this capability). Mark as a finding if CAC authentication is not supported.
Comply with requirement.
This check is not applicable if the installed VPN client is not used for remote access to DoD networks. Interview the IAO and/or site wireless device administrator and inspect a sample (3-4) of site devices. Check to see if the VPN has a setting to disable split tunneling. The following test can also be done: 1. Connect to the Internet using the PDA browser. 2. Launch the VPN client and connect to the DoD network. 3. Check to see if the browser is still connected to the Internet. If yes, split tunneling is not disabled. Mark as a finding if split tunneling is not disabled on all PDA VPN clients as the default configuration setting.
Comply with requirement.
Detailed Policy Requirements: PDAs and smartphones must be protected by authenticated login procedures to unlock the device. Either CAC or password authentication is required. Check Procedures: Interview the IAO and system administrator. - Verify that CAC authentication or password authentication is used on site managed PDAs. Verify authentication is required to unlock the PDA on a sample of devices at the site. Inspect 3-4 devices.
Configure the MDM server to require a passcode for device unlock.
Check a sample (3-4 devices) of site PDAs and verify the PDA has been configured to wipe after 10 (or less) incorrect passwords have been entered.
Set password/passcode maximum failed attempts to 10 or less.
Review the mobile operating system configuration to determine if the device enforces a minimum length for the device unlock password. For device unlock on mobile operating systems with no access to sensitive or classified information, the requirement is a minimum of 4 numbers. For access mobile devices with sensitive information, the minimum length is 6. If the mobile device places sensitive information or security functions in “security container” applications only, then a compliant configuration is to require a 6-character or longer password to enter the container application, and a 4-digit or longer password to unlock the device. If the device does not enforce a minimum length for the device unlock password or, where applicable, the security container, this is a finding.
Configure the mobile operating system to enforce a minimum length for the device unlock password. Where a security container application is used in lieu of mobile operating system protections, configure the security container application to enforce a minimum length password for entry into the application.
Detailed Policy Requirements: All PDAs and Smartphones must display the following banner during device unlock/ logon: A. Use this banner for desktops, laptops, and other devices accommodating banners of 1300 characters. The banner shall be implemented as a click-through banner at logon (to the extent permitted by the operating system), meaning it prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating "OK." You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. B. For Blackberries and other PDAs/PEDs with severe character limitations: I've read & consent to terms in IS user agreem't. Check Procedures: Work with the SA to review the configuration of the PDA security management server or security policy configured on the PDA/smartphone. Review a sample of devices to check that the required banner is being used. Mark as a finding if the required banner is not used. Note: Depending on the system, this setting could be set on the management server on on the handheld device.
Display the required banner during device unlock/logon.