RFID Scanner Security Technical Implementation Guide (STIG)

  • Version/Release: V6R8
  • Published: 2014-03-18
  • Released: 2014-04-25
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This STIG contains the technical security controls for the operation of a RFID Scanner in the DoD environment.
a
If a wireless connection (e.g. WLAN, Bluetooth) is used between the RFID scanner and RFID workstation, security requirements must be followed.
Low - V-14034 - SV-14645r1_rule
RMF Control
Severity
Low
CCI
Version
WIR0500
Vuln IDs
  • V-14034
Rule IDs
  • SV-14645r1_rule
Sensitive data stored on the RFID scanner and transmitted to the workstation could be compromised.Information Assurance OfficerECWN-1
Checks: C-11509r1_chk

Detail Policy Requirements: If a wireless connection (e.g. WLAN, Bluetooth) is used between the RFID scanner and RFID workstation, the following requirements must be followed: - If WLAN is used for the wireless connection, assign “WLAN Client” asset posture in VMS to the workstation (or PDA) asset and complete WLAN checks assigned to the workstation (or PDA). - If Bluetooth or some other wireless technology is used for the wireless connection, assign “Bluetooth” asset posture in VMS to the workstation (or PDA) asset and complete Bluetooth checks assigned to the workstation(or PDA). Check Procedures: Verify that the appropriate VMS wireless posture has been assigned to the RFID workstation (or PDA) asset and the appropriate checks have been completed. Mark as a finding if the requirement has not been met.

Fix: F-13509r1_fix

Comply with the security requirements associated with the technology enabling wireless communication between the RFID scanner and RFID computing infrastructure.

a
Sensitive or Personally Identifiable Information (PII) must not be transferred between an RFID tag and RFID scanner unless the information is encrypted using a FIPS 140-2 validated encryption module.
Low - V-18620 - SV-20178r1_rule
RMF Control
Severity
Low
CCI
Version
WIR0510
Vuln IDs
  • V-18620
Rule IDs
  • SV-20178r1_rule
Sensitive or PII info could be compromised if it is not encrypted because adversaries often can intercept wireless signals transmitted between an RFID interrogator and tag. Using FIPS 140-2 validated encryption modules provides assurance that the implementation of the cryptography is correct. Information Assurance OfficerECWN-1
Checks: C-22302r1_chk

Interview the IAO to verifiy if sensitive or PII data is stored on the RFID tag. If it is not, encryption of data transmitted between the RFID Tag and Scanner is not required. If it is, perform the following: - Verify that the data on the tag is either stored in an encrypted form on the tag (an encryption module used to encrypt the data before it is stored and the module is 140-2 validated), or - Verify the data being transmitted between the tag and scanned is encrypted before it is transmitted to the scanner with a FIPS 140-2 validated encryption module. Mark as a finding if either of these requirements is not met.

Fix: F-34077r1_fix

Procure RFID tags that integrate 140-2 validated encryption modules or congure the RFID system such that data is encrypted with a FIPS 140-2 validated encryption module prior to being written to the tag.

b
PDA and Smartphones that are connected to DoD Windows computers via a USB connection must be compliant with requirements.
Medium - V-18625 - SV-31702r1_rule
RMF Control
Severity
Medium
CCI
Version
WIR-MOS-PDA-032
Vuln IDs
  • V-18625
Rule IDs
  • SV-31702r1_rule
PDAs with flash memory can introduce malware to a PC when they are connected for provisioning of the PDA or to transfer data between the PC and PDA, particularly if the PDA is seen by the PC as a mass storage device and autorun in enabled. Information Assurance OfficerECWN-1
Checks: C-22309r1_chk

NOTE: This check applies to any handheld mobile device (PDA, non-email Windows Mobile or Palm OS PDA, iPod, bar code scanner, RFID scanner, cell phone, etc.) that is connected to a DoD Windows PC for the purpose of provisioning or transferring data between the PC and mobile device. This check does not apply to BlackBerrys, Windows Mobile smartphones used for email, and SME PEDs. Requirements for these devices are found in the appropriate STIG for the device. These requirements do not apply to: -PDAs that are never connected to Windows PCs. -PDAs connected to stand-alone DoD Windows computers that are not connected to a DoD network. -PCMCIA cards with flash memory used to store user data. For example, many new broadband wireless modems have this capability. (NOTE: encryption of data stored on the flash memory may be required by Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer Memorandum, “Encryption of Sensitive Unclassified Data at Rest on Mobile Computing Devices and Removable Storage,” July 3, 2007.) -PCMCIA cards with non-user addressable ROM flash memory. Detailed Policy Requirements: PDAs and smartphones will not be connected to DoD Windows computers via a USB connection unless the following conditions are met: - The DoD Windows computer utilizes the DoD Host Based Security System (HBSS) with the Device Control Module (DCM). Configuration requirements are found in CTO 10-004A. -Autorun is disabled on the Windows PC. Check Procedures: Interview the IAO and smartphone administrator. Check the following on sample (use 3-4 devices as a random sample) PCs and smartphones: - Verify the site has implemented HBSS with DCM on computers used to connect BlackBerrys. Have the Windows reviewer assist in determining that HBSS with DCM is installed (ususally verified during a Windows Workstation review).. - Verify Autorun is disabled (ususally verified during a Windows Workstation review).

Fix: F-28611r1_fix

Windows PCs used to connect to smartphones will be configured so they are compliant with requirements.

b
Removable memory cards (e.g., MicroSD) must use a FIPS 140-2 validated encryption module to bind the card to a particular device such that the data on the card is not readable on any other device.
Medium - V-18856 - SV-31703r1_rule
RMF Control
Severity
Medium
CCI
Version
WIR-MOS-PDA-033
Vuln IDs
  • V-18856
Rule IDs
  • SV-31703r1_rule
Memory card used to transfer files between PCs and PDAs is a migration path for the spread of malware on DoD computers and handheld devices. These risks are mitigated by the requirements listed in this check.System AdministratorInformation Assurance OfficerECWN-1
Checks: C-22664r1_chk

Note: Removable flash media is defined as media that is readily accessible by the user and does not require additional tools to disassemble the device or remove screws to gain access. Note: This check applies to any handheld mobile device (PDA, non-email Windows Mobile or Palm OS PDA, bar code scanner, RFID scanner, cell phone, etc.) that is connected to a DoD Windows PC for the purpose of provisioning or transferring data between the PC and mobile device. This check does not apply to BlackBerrys, Windows Mobile smartphones used for email, and SME PEDs. Requirements for these devices are found in the appropriate Checklist for the device. Check Procedures: Interview the IAO to determine if the site uses removable memory cards in site managed handheld PDAs. If Yes, -Determine if FIPS 140-2 data encryption has been implemented on the memory cards. Ask the IAO for FIPS certificate or search for it on the NIST web site. -Determine if the removable data storage media card is bound to the PED such that it may not be read by any other PED or computer. Procedures will vary, depending on system vendor. Ask the IAO for system technical documentation showing this capability and how to configure. -Determine if the security policy on the PDA is configured to deny the use of removable data storage media on site managed PEDs (if this capability is available). Procedures will vary, depending on system vendor. Ask the IAO for system technical documentation showing this capability and how to configure it. -Determine if the site uses a removable data storage memory card to load files on site PDAs for the purpose of provisioning the PDA. If yes, verify the memory card used for provisioning has either been provided by the PDA vendor or loaded with provisioning files from a non-NIPRNet computer. Mark as a finding if the requirements for compliance are not met.

Fix: F-19400r1_fix

Comply with requirement