Cyber Trackr - Free Compliance Library
Cyber Trackr
The Free Compliance Library

PDA Security Technical Implementation Guide (STIG)

  • Version/Release: V6R8
  • Published: 2014-03-18
  • Released: 2014-04-25
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This STIG contains technical security controls for the operation of a PDA in the DoD environment. In this case, PDA refers to any handheld computing device with or without wireless, except for Commercial Mobile Devices (CMDs) (smartphones or tablet computers).
b
FIPS 140-2 validated encryption modules must be used to encrypt unclassified sensitive data at rest on the wireless device (e.g., laptop, PDA, smartphone).
Medium - V-14202 - SV-14813r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR0190
Vuln IDs
  • V-14202
Rule IDs
  • SV-14813r2_rule
If a wireless device is lost or stolen without DAR encryption, sensitive DoD data could be compromised. Most known security breaches of cryptography result from improper implementation, not flaws in the cryptographic algorithms themselves. FIPS 140-2 validation provides assurance that cryptography is implemented correctly, and is required for Federal Government uses of cryptography in non-classified applications.System AdministratorInformation Assurance OfficerECWN-1
Checks: C-11537r2_chk

Detailed Policy Requirements: FIPS 140-2 validated encryption modules must be used to encrypt unclassified sensitive data at rest on the wireless device (e.g., laptop, PDA, smartphone). This requirement applies to any wireless device or non-wireless PDA storing sensitive information, as defined by Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer Memorandum, “Encryption of Sensitive Unclassified Data at Rest on Mobile Computing Devices and Removable Storage,” July 3, 2007. This requirement also applies to removable memory cards (e.g., MicroSD) used in the PDA except when the PDA is connected to a Windows PC for the purpose of provisioning or transferring data. Check Procedures: Interview IAO and review documentation. 1. Determine if the wireless device is used to store sensitive data. Data approved for public release is not sensitive. Other unclassified data may also qualify as sensitive. Any device that stores any sensitive data must meet the requirements in this check. 2. Check a sample of wireless laptops, PDAs, smartphones, and other wireless devices used at the site (2-3 of each type). 3. Obtain the product’s FIPS certificate to confirm FIPS 140-2 validation for each model examined. The certificate may be obtained from the product documentation or the NIST web site. 4. Work with the IAO to determine if encryption is enabled on the wireless client device uses AES or 3DES. 5. Verify temp files with sensitive information are also protected with encryption. 6. Mark as a finding if encryption is not used or is not FIPS 140-2 validated.

Fix: F-34090r1_fix

Employ FIPS 140-2 validated encryption modules for sensitive DoD data at rest.

b
DoD-licensed anti-malware software will be installed on all wireless clients (e.g., PDAs and smartphones) and non-wireless PDAs.
Medium - V-14275 - SV-31699r1_rule
RMF Control
Severity
Medium
CCI
Version
WIR-MOS-PDA-039
Vuln IDs
  • V-14275
Rule IDs
  • SV-31699r1_rule
Security risks inherent to wireless technology usage can be minimized with security measures such current anti-virus updates.System AdministratorECWN-1
Checks: C-11769r1_chk

Detailed Policy Requirements: DoD-licensed anti-malware software must be installed on all wireless clients (e.g., PDAs and smartphones) and non-wireless PDAs and is kept up-to-date with the most recent virus signatures every 14 days or less. Note: This requirement does not apply to any handheld PDA that is not used to connect to the internet or a DoD computer or network. It does not apply to handheld bar-code or RFID scanners that are connected to DoD computers to download scanned data (handheld is used only as a bar-code / RFID scanner). In addition, this requirement does not apply to phones that only have the capability for voice calls only, including wireless VoIP and Unlicensed Mobile Access (UMA) (no data, Internet connections other than for voice calls over wireless VoIP and UMA). Check Procedures: Verify laptop computers, PDAs, and smartphones are protected by anti-virus software. For PDAs and cell phones, inspect a sample of the devices (3 – 4 devices). Verify the software is: o Configured to scan upon startup (once daily) (or at least scan once every week) or the user trained to scan at least once per week. o Configured to automatically update at least every 14 days or the user trained to manually update once every two weeks. o Enabled for Web browser download protection. o If DoD approved antivirus products (e.g. downloaded from the JTF GNO antivirus portal) are not available for the wireless device, sites must select commercial products which are from major vendors with preference given to products tested or already used by other DoD organizations. o The DAA must give written approval of this product. Mark as a finding if any of the following are true: o No antivirus software is installed; update procedures are not configured or used; or the software is not configured IAW the Wireless STIG policy.

Fix: F-3427r1_fix

The IAO will ensure DoD licensed anti-virus software is installed on all wireless clients (e.g., laptops, PDAs, and cellular telephones) and the software is configured in accordance with the Desktop Application STIG and is kept up-to-date with the most recent virus signatures every 14 days or less.

b
PDA and Smartphones that are connected to DoD Windows computers via a USB connection must be compliant with requirements.
Medium - V-18625 - SV-31702r1_rule
RMF Control
Severity
Medium
CCI
Version
WIR-MOS-PDA-032
Vuln IDs
  • V-18625
Rule IDs
  • SV-31702r1_rule
PDAs with flash memory can introduce malware to a PC when they are connected for provisioning of the PDA or to transfer data between the PC and PDA, particularly if the PDA is seen by the PC as a mass storage device and autorun in enabled. Information Assurance OfficerECWN-1
Checks: C-22309r1_chk

NOTE: This check applies to any handheld mobile device (PDA, non-email Windows Mobile or Palm OS PDA, iPod, bar code scanner, RFID scanner, cell phone, etc.) that is connected to a DoD Windows PC for the purpose of provisioning or transferring data between the PC and mobile device. This check does not apply to BlackBerrys, Windows Mobile smartphones used for email, and SME PEDs. Requirements for these devices are found in the appropriate STIG for the device. These requirements do not apply to: -PDAs that are never connected to Windows PCs. -PDAs connected to stand-alone DoD Windows computers that are not connected to a DoD network. -PCMCIA cards with flash memory used to store user data. For example, many new broadband wireless modems have this capability. (NOTE: encryption of data stored on the flash memory may be required by Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer Memorandum, “Encryption of Sensitive Unclassified Data at Rest on Mobile Computing Devices and Removable Storage,” July 3, 2007.) -PCMCIA cards with non-user addressable ROM flash memory. Detailed Policy Requirements: PDAs and smartphones will not be connected to DoD Windows computers via a USB connection unless the following conditions are met: - The DoD Windows computer utilizes the DoD Host Based Security System (HBSS) with the Device Control Module (DCM). Configuration requirements are found in CTO 10-004A. -Autorun is disabled on the Windows PC. Check Procedures: Interview the IAO and smartphone administrator. Check the following on sample (use 3-4 devices as a random sample) PCs and smartphones: - Verify the site has implemented HBSS with DCM on computers used to connect BlackBerrys. Have the Windows reviewer assist in determining that HBSS with DCM is installed (ususally verified during a Windows Workstation review).. - Verify Autorun is disabled (ususally verified during a Windows Workstation review).

Fix: F-28611r1_fix

Windows PCs used to connect to smartphones will be configured so they are compliant with requirements.

b
The VPN client on wireless clients (PDAs, smartphones) used for remote access to DoD networks must be FIPS 140-2 validated.
Medium - V-18627 - SV-40039r1_rule
RMF Control
Severity
Medium
CCI
Version
WIR-MOS-PDA-034-01
Vuln IDs
  • V-18627
Rule IDs
  • SV-40039r1_rule
DoD data could be compromised if transmitted data is not secured with a compliant VPN. FIPS validation provides a level of assurance that the encryption of the device has been securely implemented.ECWN-1
Checks: C-39052r1_chk

Interview the IAO and/or site wireless device administrator and inspect a sample (3-4) of site devices. Review VPN client specification sheets and FIPS 140-2 certificate. Verify the devices have a VPN client installed and that it is FIPS 140-2 validated. Mark as a finding if the VPN is not FIPS 140-2 validated.

Fix: F-20573r6_fix

Comply with requirement.

b
Removable memory cards (e.g., MicroSD) must use a FIPS 140-2 validated encryption module to bind the card to a particular device such that the data on the card is not readable on any other device.
Medium - V-18856 - SV-31703r1_rule
RMF Control
Severity
Medium
CCI
Version
WIR-MOS-PDA-033
Vuln IDs
  • V-18856
Rule IDs
  • SV-31703r1_rule
Memory card used to transfer files between PCs and PDAs is a migration path for the spread of malware on DoD computers and handheld devices. These risks are mitigated by the requirements listed in this check.System AdministratorInformation Assurance OfficerECWN-1
Checks: C-22664r1_chk

Note: Removable flash media is defined as media that is readily accessible by the user and does not require additional tools to disassemble the device or remove screws to gain access. Note: This check applies to any handheld mobile device (PDA, non-email Windows Mobile or Palm OS PDA, bar code scanner, RFID scanner, cell phone, etc.) that is connected to a DoD Windows PC for the purpose of provisioning or transferring data between the PC and mobile device. This check does not apply to BlackBerrys, Windows Mobile smartphones used for email, and SME PEDs. Requirements for these devices are found in the appropriate Checklist for the device. Check Procedures: Interview the IAO to determine if the site uses removable memory cards in site managed handheld PDAs. If Yes, -Determine if FIPS 140-2 data encryption has been implemented on the memory cards. Ask the IAO for FIPS certificate or search for it on the NIST web site. -Determine if the removable data storage media card is bound to the PED such that it may not be read by any other PED or computer. Procedures will vary, depending on system vendor. Ask the IAO for system technical documentation showing this capability and how to configure. -Determine if the security policy on the PDA is configured to deny the use of removable data storage media on site managed PEDs (if this capability is available). Procedures will vary, depending on system vendor. Ask the IAO for system technical documentation showing this capability and how to configure it. -Determine if the site uses a removable data storage memory card to load files on site PDAs for the purpose of provisioning the PDA. If yes, verify the memory card used for provisioning has either been provided by the PDA vendor or loaded with provisioning files from a non-NIPRNet computer. Mark as a finding if the requirements for compliance are not met.

Fix: F-19400r1_fix

Comply with requirement

b
All wireless PDA clients used for remote access to DoD networks must have a VPN capability that supports AES encryption.
Medium - V-19897 - SV-31705r1_rule
RMF Control
Severity
Medium
CCI
Version
WIR-MOS-PDA-034-02
Vuln IDs
  • V-19897
Rule IDs
  • SV-31705r1_rule
DoD data could be compromised if transmitted data is not secured with a compliant VPN.System AdministratorInformation Assurance OfficerECWN-1
Checks: C-25507r1_chk

This check is not applicable if the installed VPN client is not used for remote access to DoD networks. Interview the IAO and/or site wireless device administrator and inspect a sample (3-4) of site devices. Review VPN client specification sheets. Verify the VPN client support AES encryption. Mark as a finding if AES is not supported. Also mark as a finding if no VPN capability is present.

Fix: F-20573r6_fix

Comply with requirement.

b
All wireless PDA clients used for remote access to a DoD network must have a VPN capability that supports CAC authentication.
Medium - V-19898 - SV-31706r1_rule
RMF Control
Severity
Medium
CCI
Version
WIR-MOS-PDA-034-03
Vuln IDs
  • V-19898
Rule IDs
  • SV-31706r1_rule
If an adversary can bypass a VPN’s authentication controls, then the adversary can compromise DoD data transmitted over the VPN and conduct further attacks on DoD networks. CAC authentication greatly mitigates this risk by providing strong two-factor authentication.System AdministratorInformation Assurance OfficerECWN-1
Checks: C-25512r1_chk

Interview the IAO and/or site wireless device administrator and inspect a sample (3-4) of site devices. Verify the VPN client supports CAC authentication to the DoD network (recommend asking the site wireless device administrator to demo this capability). Mark as a finding if CAC authentication is not supported.

Fix: F-20573r6_fix

Comply with requirement.

b
Wireless PDA VPNs must operate with split tunneling disabled.
Medium - V-19899 - SV-31708r1_rule
RMF Control
Severity
Medium
CCI
Version
WIR-MOS-PDA-034-04
Vuln IDs
  • V-19899
Rule IDs
  • SV-31708r1_rule
DoD data could be compromised if transmitted data is not secured with a compliant VPN.System AdministratorInformation Assurance OfficerECWN-1
Checks: C-25520r1_chk

This check is not applicable if the installed VPN client is not used for remote access to DoD networks. Interview the IAO and/or site wireless device administrator and inspect a sample (3-4) of site devices. Check to see if the VPN has a setting to disable split tunneling. The following test can also be done: 1. Connect to the Internet using the PDA browser. 2. Launch the VPN client and connect to the DoD network. 3. Check to see if the browser is still connected to the Internet. If yes, split tunneling is not disabled. Mark as a finding if split tunneling is not disabled on all PDA VPN clients as the default configuration setting.

Fix: F-20573r6_fix

Comply with requirement.

c
The PDA/smartphone must be configured to require a passcode for device unlock.
High - V-25007 - SV-31260r1_rule
RMF Control
Severity
High
CCI
Version
WIR-MOS-PDA-010
Vuln IDs
  • V-25007
Rule IDs
  • SV-31260r1_rule
Sensitive DoD data could be compromised if a device unlock passcode is not set up on a DoD PDA/smartphone. These devices are particularly vulnerable because they are exposed to many potential adversaries when they taken outside of the physical security perimeter of DoD facilities, and because they are easily concealed if stolen.System AdministratorECWN-1, IAIA-1
Checks: C-31668r1_chk

Detailed Policy Requirements: PDAs and smartphones must be protected by authenticated login procedures to unlock the device. Either CAC or password authentication is required. Check Procedures: Interview the IAO and system administrator. - Verify that CAC authentication or password authentication is used on site managed PDAs. Verify authentication is required to unlock the PDA on a sample of devices at the site. Inspect 3-4 devices.

Fix: F-27657r3_fix

Configure the MDM server to require a passcode for device unlock.

b
Password/passcode maximum failed attempts must be set to the required value.
Medium - V-25011 - SV-31264r1_rule
RMF Control
Severity
Medium
CCI
Version
WIR-MOS-PDA-017
Vuln IDs
  • V-25011
Rule IDs
  • SV-31264r1_rule
A hacker with unlimited attempts can determine the passcode of a smartphone within a few minutes using password hacking tools, which could lead to unauthorized access to the PDA/smartphone and disclosure of sensitive DoD data.System AdministratorIAIA-1
Checks: C-31672r1_chk

Check a sample (3-4 devices) of site PDAs and verify the PDA has been configured to wipe after 10 (or less) incorrect passwords have been entered.

Fix: F-27662r2_fix

Set password/passcode maximum failed attempts to 10 or less.

b
The device minimum password/passcode length must be set as required.
Medium - V-25016 - SV-32705r2_rule
RMF Control
Severity
Medium
CCI
Version
WIR-MOS-PDA-011
Vuln IDs
  • V-25016
Rule IDs
  • SV-32705r2_rule
Password complexity, or strength, is a measure of the effectiveness of a password in resisting guessing and brute force attacks. The ability to crack a password is a function of how many attempts an adversary is permitted, how quickly an adversary can do each attempt, and the size of the password space. The longer the minimum length of the password is, the larger the password space.System AdministratorECWN-1, IAIA-1
Checks: C-32926r5_chk

Review the mobile operating system configuration to determine if the device enforces a minimum length for the device unlock password. For device unlock on mobile operating systems with no access to sensitive or classified information, the requirement is a minimum of 4 numbers. For access mobile devices with sensitive information, the minimum length is 6. If the mobile device places sensitive information or security functions in “security container” applications only, then a compliant configuration is to require a 6-character or longer password to enter the container application, and a 4-digit or longer password to unlock the device. If the device does not enforce a minimum length for the device unlock password or, where applicable, the security container, this is a finding.

Fix: F-27687r5_fix

Configure the mobile operating system to enforce a minimum length for the device unlock password. Where a security container application is used in lieu of mobile operating system protections, configure the security container application to enforce a minimum length password for entry into the application.

b
PDAs/smartphones must display the required banner during device unlock/ logon.
Medium - V-25022 - SV-31259r1_rule
RMF Control
Severity
Medium
CCI
Version
WIR-MOS-PDA-007
Vuln IDs
  • V-25022
Rule IDs
  • SV-31259r1_rule
DoD CIO memo requires all PDAs, BlackBerrys, and smartphones to have a consent banner displayed during logon/device unlock to ensure users understand their responsibilities to safeguard DoD data. When users understand their responsibilities, they are less likely to engage in behaviors that could compromise of DoD information systems.System AdministratorECWM-1
Checks: C-14398r1_chk

Detailed Policy Requirements: All PDAs and Smartphones must display the following banner during device unlock/ logon: A. Use this banner for desktops, laptops, and other devices accommodating banners of 1300 characters. The banner shall be implemented as a click-through banner at logon (to the extent permitted by the operating system), meaning it prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating "OK." You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. B. For Blackberries and other PDAs/PEDs with severe character limitations: I've read & consent to terms in IS user agreem't. Check Procedures: Work with the SA to review the configuration of the PDA security management server or security policy configured on the PDA/smartphone. Review a sample of devices to check that the required banner is being used. Mark as a finding if the required banner is not used. Note: Depending on the system, this setting could be set on the management server on on the handheld device.

Fix: F-27693r1_fix

Display the required banner during device unlock/logon.