Smartphone Policy Security Technical Implementation Guide

  • Version/Release: V1R6
  • Published: 2011-11-28
  • Released: 2011-11-23

This STIG contains the policy, training, and operating procedure security controls for the use of smartphones in the DoD environment.
Site physical security policy must include a statement if PDAs and smartphones with digital cameras (still and video) are allowed in the facility.
Low - V-24953 - SV-30690r5_rule
RMF Control
Severity
Low
CCI
Version
WIR-SPP-001
Vuln IDs
  • V-24953
Rule IDs
  • SV-30690r5_rule
Mobile devices with cameras are easily used to photograph sensitive information and areas if not addressed. Sites must establish, document, and train on how to mitigate this threat.
Responsibility: Information Assurance Officer
IA Controls: ECWN-1
Checks: C-31111r3_chk

This requirement applies to mobile operating system (OS) smartphones and tablets.
Work with the traditional reviewer to review the site's physical security policy. Verify the site addresses PDAs and smartphones with embedded cameras.
Mark this as a finding if there is no written physical security policy outlining whether wireless phones with cameras are permitted or prohibited on or in this DoD facility.

Fix: F-27579r2_fix

Update the security documentation to include a statement if PDAs and smartphones with digital cameras (still and video) are allowed in the facility.

The site physical security policy must state digital cameras (still and video) must not be allowed in any SCIF or other areas where classified documents or information is stored, transmitted, or processed.
High - V-24954 - SV-30691r4_rule
RMF Control
Severity
High
CCI
Version
WIR-SPP-002
Vuln IDs
  • V-24954
Rule IDs
  • SV-30691r4_rule
PDAs and cell phones with embedded cameras can be used to photograph classified material and can be easily concealed. Classified information could be compromised. Photos may also be taken of the areas that would facilitate a subsequent physical security breach.
Responsibility: Information Assurance Officer
IA Controls: ECWN-1
Checks: C-31113r4_chk

Note: This requirement also applies to handheld barcode scanners equipped with imagers, unless the manufacturer certifies the raw image is only used for bar code processing and is not available to any other application.
Work with the traditional reviewer to interview the Security Manager. Obtain the following information:
1. Review the site's physical security policy.
2. Verify users are informed of this policy by reviewing user agreements, posted signs, or training material.
3. Powering off, removal of batteries, or blocking Infrared (IR) ports is not acceptable for disabling camera functionality, as these methods have not been tested for efficacy.
4. Mark as a finding if a written policy does not prohibit these devices in classified areas.
Note: For smartphone systems, the site should consider disabling smartphone cameras via a smartphone security policy.

Fix: F-27581r1_fix

Update site physical security policy. Train users on policy.

A data spill (Classified Message Incident (CMI)) procedure or policy must be published for site smartphones.
Medium - V-24955 - SV-30692r6_rule
RMF Control
Severity
Medium
CCI
Version
WIR-SPP-003-01
Vuln IDs
  • V-24955
Rule IDs
  • SV-30692r6_rule
When a data spill occurs on a smartphone, classified or sensitive data must be protected to prevent disclosure. After a data spill, the smartphone must either be wiped using approved procedures, or destroyed if no procedures are available, so classified or sensitive data is not exposed.
Responsibility: Information Assurance Officer
IA Controls: VIIR-1, VIIR-2
Checks: C-31114r5_chk

Detailed Policy Requirements:
This requirement applies to mobile operating system (OS) smartphones and tablets. It also applies to sensitive DoD information stored on mobile OS devices that are not authorized to connect to DoD networks or store/process sensitive DoD information. Sensitive DoD data or information is defined as any data/information that has not been approved for public release by the site/Command Public Affairs Officer (PAO).
In accordance with DoD policy, all components must establish Incident Handling and Response procedures. A CMI or "data spill" occurs when a classified email is inadvertently sent on an unclassified network and received on a wireless email device. Classified information may also be transmitted through some other form of file transfer, including web browser downloads and files transferred through tethered connections. Smartphones are not authorized for processing classified data. A data spill also occurs if a classified document is attached to an otherwise unclassified email. In this case, on a smartphone, a data spill only occurs if the classified attachment is viewed or opened by the smartphone user, since the smartphone system only downloads an attachment to the smartphone when the user views or opens it.
The site's Incident Handling and Response procedures should reference NSA/CSS Storage Device Declassification Manual 9-12, Section 5, for smartphone destruction procedures.
Check Procedures:
Interview the IAO. Verify classified incident handling, response, and reporting procedures are documented in site smartphone procedures or security policies. Mark as a finding if classified incident handling, response, and reporting procedures are not documented in site smartphone procedures or security policies.
This requirement applies both at sites where smartphones are issued and managed and at sites where the smartphone management server is located.
- At the smartphone management server site, verify Incident Handling and Response procedures include actions to sanitize the smartphone management server and email servers (e.g., Exchange, Oracle mail).
- At smartphone sites, verify Incident Handling and Response procedures include actions for incident reporting and actions to safeguard classified smartphone devices.
The following actions will be followed for all smartphones involved in a data spill:
- BlackBerry smartphones: follow the procedures in the DoD Data Spill Procedures Guide for BlackBerry Smartphones located at http://iase.disa.mil/stigs/net_perimeter/wireless/smartphone.html.
- Windows Mobile, Android, and iOS smartphones: the smartphone will be destroyed.
Mark as a finding if Incident Handling and Response procedures do not include the required information.

Fix: F-27582r1_fix

A Classified Message Incident (CMI) procedure or policy must be published for the site.

If a data spill (Classified Message Incident (CMI)) occurs on a wireless email device or system at a site, the site must follow required data spill procedures.
High - V-24957 - SV-30694r6_rule
RMF Control
Severity
High
CCI
Version
WIR-SPP-003-02
Vuln IDs
  • V-24957
Rule IDs
  • SV-30694r6_rule
If required procedures are not followed after a data spill, classified data could be exposed to unauthorized personnel.
Responsibility: System Administrator
IA Controls: VIIR-1, VIIR-2
Checks: C-31115r5_chk

Detailed Policy Requirements:
This requirement applies to mobile operating system (OS) smartphones and tablets. It also applies to sensitive DoD information stored on mobile OS devices that are not authorized to connect to DoD networks or store/process sensitive DoD information. Sensitive DoD data or information is defined as any data/information that has not been approved for public release by the site/Command Public Affairs Officer (PAO).
If a data spill occurs on a smartphone, the following actions must be completed:
- The smartphone management server and email servers (e.g., Exchange, Oracle mail) are handled as classified systems until they are sanitized according to appropriate procedures. (See NSA/CSS Storage Device Declassification Manual 9-12 for sanitization procedures.)
- The smartphone is handled as a classified device and destroyed according to DoD guidance for destroying classified equipment, or sanitized as directed in Check WIR-SPP-003-01.
Check Procedures:
Interview the IAO. Determine if the site has had a data spill within the previous 24 months. If yes, review written records, incident reports, and/or after action reports and determine if required procedures were followed.
Mark as a finding if the site had a data spill within the previous 24 months and required procedures were not followed.

Fix: F-27583r1_fix

If a data spill occurs on a wireless email device or system at a site, the site must follow required procedures.

Required procedures must be followed for the disposal of smartphones.
Low - V-24958 - SV-30695r5_rule
RMF Control
Severity
Low
CCI
Version
WIR-SPP-004
Vuln IDs
  • V-24958
Rule IDs
  • SV-30695r5_rule
If appropriate procedures are not followed prior to disposal of a smartphone, an adversary may be able to obtain sensitive DoD information or learn aspects of the configuration of the device that might facilitate a subsequent attack.
Responsibility: System Administrator
IA Controls: ECSC-1, PECS-1
Checks: C-31118r4_chk

This requirement applies to mobile operating system (OS) smartphones and tablets.
Prior to disposing of a smartphone (for example, if the smartphone is transferred to another DoD or government agency), follow the disposal procedures found in the Technology Overview document of the STIG/ISCG for the smartphone of interest. For example, look in the BlackBerry Overview document in the BlackBerry STIG for the disposal procedures for a BlackBerry smartphone, or in the Windows Mobile Overview in the Good Mobile Messaging STIG for the disposal procedures for a Windows Mobile smartphone.
Interview the IAO. Verify proper procedures are being followed and the procedures are documented. Check how retired, discarded, or transitioned smartphones were disposed of during the previous 6 to 12 months and verify compliance with requirements. Note: The site can find disposal procedures listed in the smartphone STIG/ISCG.
Mark as a finding if procedures are not documented, or if documented, they were not followed.

Fix: F-27586r3_fix

Prior to disposing of a smartphone or transitioning it to another user, either in DoD or another agency, follow required procedures.

Smartphone devices and systems must not be used to send, receive, store, or process classified messages.
High - V-24960 - SV-30697r4_rule
RMF Control
Severity
High
CCI
Version
WIR-SPP-005
Vuln IDs
  • V-24960
Rule IDs
  • SV-30697r4_rule
DoDD 8100.2 states wireless devices will not be used for classified data unless approved for such use. Classified data could be exposed to unauthorized personnel.
Responsibility: Information Assurance Officer
IA Controls: ECWN-1
Checks: C-31119r3_chk

This requirement applies to mobile operating system (OS) smartphones and tablets. It does not apply to the SME PED, which is the only smartphone approved for classified data use.
Interview the IAO. Verify written policy and training material exists (or the requirement is listed on a signed user agreement) stating smartphones must not be used to transmit classified information.
Mark as a finding if no written policy or training material exists stating that smartphones must not be used to transmit classified information.

Fix: F-27587r1_fix

Do not process, send, receive, or use classified data on smartphones.

Smartphone users must complete required training.
Low - V-24961 - SV-30698r7_rule
RMF Control
Severity
Low
CCI
Version
WIR-SPP-006-01
Vuln IDs
  • V-24961
Rule IDs
  • SV-30698r7_rule
Users are the first line of security controls for smartphone systems. They must be trained in using smartphone security controls or the system could be vulnerable to attack.
Responsibility: System Administrator
IA Controls: PETN-1
Checks: C-31120r5_chk

Detailed Policy Requirements:
This requirement applies to mobile operating system (OS) smartphones and tablets. All smartphone users must receive required training on the following topics before they are issued a smartphone.
a. Requirement that personally-owned PEDs are not used to transmit, receive, store, or process DoD information unless approved by the DAA and the owner signs a forfeiture agreement in case of a security incident.
b. Procedures for wireless device usage in and around classified processing areas.
c. Requirement that PEDs with digital cameras (still and video) are not allowed in any SCIF or other areas where classified documents or information is stored, transmitted, or processed.
d. Procedures for a data spill.
e. Requirement that wireless email devices and systems are not used to send, receive, store, or process classified messages.
f. Requirement that smartphone devices and systems will not be connected to classified DoD networks or information systems.
g. Requirement that a user immediately notify appropriate site contacts (i.e., IAO, smartphone management server administrator, supervisor, etc.) when his/her smartphone has been lost or stolen.
h. Secure Bluetooth Smart Card Reader (SCR) usage:
-- Secure pairing procedures.
-- Perform secure pairing immediately after the SCR is reset.
-- Accept only Bluetooth connection requests from devices they control.
-- Monitor Bluetooth connection requests and activity in order to detect possible attacks and unauthorized activity.
i. Procedures on how to sign and encrypt email.
j. If Short Message Service (SMS) and/or Multimedia Messaging Service (MMS) are used, IA awareness training material should include SMS/MMS security issues.
k. Requirement that Over-The-Air (OTA) wireless software updates should only come from DoD sources. Software updates from the wireless carrier or other non-DoD sources will not be used until the download has been tested and approved by the IAO.
l. When smartphone Wi-Fi service is used, the following training will be completed:
-- Procedures for setting up a secure Wi-Fi connection and verifying that the active connection is to a known access point.
-- Approved connection options (i.e., enterprise, home, etc.).
-- Requirements for home Wi-Fi connections.
-- The Wi-Fi radio will be disabled by the user whenever a Wi-Fi connection is not being used.
-- The Wi-Fi radio must never be enabled while the smartphone is connected to a PC.
m. Do not discuss sensitive or classified information on non-secure (devices not FIPS 140-2 certified or NSA Type-1 certified for voice) cellular phones, cordless phones, and two-way radios used for voice communications.
n. Do not connect PDAs and smartphones to any workstation that stores, processes, or transmits classified data. (Exception: SME PED)
o. Manually download updates to antivirus and personal firewall applications at least every 14 days if automatic updating is not available. (Applies only if the specific PDA/smartphone device has an antivirus/personal firewall application.)
p. The installation of user-owned applications, including geo-location aware applications, on the mobile device will be based on the Command's Mobile Device Personal Use Policy.
q. The use of the mobile OS device to view and/or download personal email will be based on the Command's Mobile Device Personal Use Policy.
r. The download of user-owned data (music files, picture files, etc.) on the mobile device will be based on the Command's Mobile Device Personal Use Policy.
s. The use of the mobile device to connect to user social media web accounts will be based on the Command's Mobile Device Personal Use Policy.
t. When the Bluetooth radio is authorized for use with an approved smart card reader or hands-free headset, the user will disable the Bluetooth radio whenever a Bluetooth connection is not being used.
Additional BlackBerry requirements:
a. Procedures for conducting an AutoBerry scan, requirements for reporting the results of the scan to the site IAO or BlackBerry Administrator, and completion of the mitigation actions recommended by the tool after the scan.
b. If the use of the BlackBerry Keeper is approved by the DAA, users are trained on password configuration and change requirements.
-- Passwords must be changed at least every 90 days.
c. When the SCR is used with a PC, users with PC administrative rights will not disable the RIM Bluetooth Lockdown tool on the PC.
d. Procedures on how to verify and/or set the Bluetooth SCR device property, Trusted field, to "Prompt". This is the default value. This property is set on the BlackBerry device in the Bluetooth Device Properties immediately after the Bluetooth pairing connection alert.
e. When using an approved Bluetooth headset or hands-free device, the following procedures will be followed:
-- The user will pair only an approved device to the BlackBerry handheld.
-- If the user receives a request for Bluetooth pairing on their BlackBerry handheld from a Bluetooth device other than their smart card reader (CAC reader) or headset, the request will not be accepted by the user.
-- Pairing of a Bluetooth headset with the BlackBerry handheld will be completed in a non-public area whenever possible.
Additional iPhone/iPad/iPod Touch requirements:
a. Procedure on how to disable the device Bluetooth radio. The Bluetooth radio must be disabled at all times. (Some iPhone security systems will alert the system administrator and IAO if the user has turned on the Bluetooth radio.)
b. Procedure on how to disable the device Wi-Fi radio. The Wi-Fi radio will only be used when authorized. (Some iPhone security systems will alert the system administrator and IAO if the user has turned on the Wi-Fi radio.)
c. If a user connects their device to a PC with iTunes, the user may receive a prompt asking if they want to install an available update of Apple iOS. The user should always refuse the update. Apple iOS updates will always be completed by the site system administrator.
d. Procedure on how to disable Location Services on the device. Location Services must be disabled for all applications or enabled only for applications approved by the DAA for location-based services.
e. Procedure to disable the "Ask to Join Networks" Wi-Fi feature. This feature must be disabled at all times.
f. Procedure to disable "AutoFill" in the Safari web browser. This feature must be disabled at all times.
g. The iOS device should sync to a minimum number of approved machines, should not sync to laptops that travel with the device, and should always use encrypted backups. The act of connecting an iOS device to a PC can put it at risk of attack if the PC is compromised.
h. Procedure on how to enable/disable the device Personal Hotspot service and connect only via USB connections. Personal Hotspot or Tethered Modem services will only be used with IAO approval. Wi-Fi or Bluetooth connections to the Personal Hotspot are not authorized.
Additional Android requirements:
a. Procedure on how to disable the device Bluetooth radio. The Bluetooth radio will only be enabled when a connection to the Bluetooth CAC reader is required. When not using the CAC reader, the radio will be disabled.
b. Procedure on how to disable the device Wi-Fi radio. The Wi-Fi radio will only be used when authorized.
c. Procedure on how to disable Location Services on the device. Location Services must be disabled for all applications or enabled only for applications approved by the DAA for location-based services.
d. Procedure on how to enable/disable the device Personal Hotspot service. Wi-Fi or Bluetooth connection to a Personal Hotspot is not authorized.
Additional training requirements for mobile devices not authorized to connect to a DoD network or store/process sensitive DoD information (Non-Enterprise Activated):
a. A Mobile Device (Non-Enterprise Activated) must not be connected to a DoD wired or wireless network. Allowed exception: the device can be connected to a DoD managed Internet-Gateway-only connected Wi-Fi access point (AP).
b. A Mobile Device (Non-Enterprise Activated) must not have sensitive or classified data stored or processed on the device.
c. A Mobile Device (Non-Enterprise Activated) must not be used to connect to a DoD email system.
d. The user will read and be familiar with the Personal Use Policy for site/Command managed or owned mobile devices (smartphones and tablets), which the local site and/or Command must publish.
Note: Listing training requirements in the User Agreement is an acceptable procedure for informing/training users on many of the required training topics.
Check Procedures:
- Review site smartphone training material to see if it contains the required content. Note: Some training content may be listed in the User Agreement signed by the user.
- Verify site training records show that smartphone users received required training and that training occurred before the user was issued a smartphone or tablet. Check training records for approximately five users, picked at random.
Mark as a finding if training material does not contain the required content.

Fix: F-27591r1_fix

All smartphone users will complete required training.

The site Incident Response Plan or other procedure must include procedures to follow when a smartphone is reported lost or stolen.
Low - V-24962 - SV-30699r5_rule
RMF Control
Severity
Low
CCI
Version
WIR-SPP-007-01
Vuln IDs
  • V-24962
Rule IDs
  • SV-30699r5_rule
Sensitive DoD data could be stored in memory on a DoD operated smartphone and the data could be compromised if required actions are not followed when a smartphone is lost or stolen. Without procedures for lost or stolen smartphones, it is more likely that an adversary could obtain the device and use it to access DoD networks or otherwise compromise DoD IA.
Responsibility: Information Assurance Officer
IA Controls: ECSC-1, VIIR-1, VIIR-2
Checks: C-31122r4_chk

Detailed Policy Requirements:
This requirement applies to mobile operating system (OS) smartphones and tablets. The site (both the location where smartphones are issued and managed and the site where the smartphone management server is located) must publish procedures to follow if a smartphone has been lost or stolen. The procedures should include (as appropriate):
- The smartphone user notifies the IAO, SM, and other site personnel, as required by the site's Incident Response Plan, within the timeframe required by the site's Incident Response Plan.
- The IAO notifies the smartphone management server system administrator and other site personnel, as required by the site's Incident Response Plan, within the timeframe required by the site's Incident Response Plan.
- The site smartphone management server administrator sends a wipe command to the smartphone and then disables the user account on the management server or removes the smartphone from the user account.
Check Procedures:
Interview the IAO. Review the site's Incident Response Plan or other policies and determine if the site has a written plan of action.
Mark as a finding if the site does not have a written plan of action to follow after a smartphone is lost or stolen.

Fix: F-27603r1_fix

Publish procedures to follow if a smartphone is lost or stolen.

Smartphone SA must perform a Wipe command on all new or reissued smartphones and a STIG or ISCG-compliant IT policy will be pushed to the device before issuing it to DoD personnel.
Low - V-24963 - SV-30700r3_rule
RMF Control
Severity
Low
CCI
Version
WIR-SPP-008-01
Vuln IDs
  • V-24963
Rule IDs
  • SV-30700r3_rule
Malware can be installed on the device at some point between shipping from the factory and delivery to DoD. The malware could result in the compromise of sensitive DoD information or result in the introduction of malware within the DoD network.
Responsibility: System Administrator
IA Controls: ECWN-1
Checks: C-31126r3_chk

Detailed Policy Requirements:
The smartphone system administrator must perform a Wipe command on all new or reissued smartphones, reload the system software, and load a STIG or ISCG-compliant security policy on the smartphone before issuing it to DoD personnel and placing the device on a DoD network. When wireless activation is performed, the activation password is passed to the user in a secure manner (e.g., the activation password is encrypted and emailed to the individual).
Check Procedures:
Interview the IAO. Verify required procedures are followed.
Mark as a finding if required procedures were not followed.

Fix: F-27597r2_fix

Smartphone system administrator must perform a Wipe command on all new or reissued smartphones.

Smartphone software updates must only originate from DoD sources.
Low - V-24964 - SV-30701r4_rule
RMF Control
Severity
Low
CCI
Version
WIR-SPP-008-02
Vuln IDs
  • V-24964
Rule IDs
  • SV-30701r4_rule
Users must not accept Over-The-Air (OTA) wireless software updates from the wireless carrier or other non-DoD sources unless the updates have been tested and approved by the IAO. Unauthorized/unapproved software updates could include malware or cause a degradation of the security posture of the smartphone and DoD network infrastructure. All software updates should be reviewed and/or tested by the smartphone system administrator and originate from a DoD source or DoD-approved source. Wireless software updates should be pushed from the smartphone management server when this feature is available.
Responsibility: System Administrator
IA Controls: ECWN-1
Checks: C-31127r4_chk

Detailed Policy Requirements:
Software updates must come from either DoD sources or DoD-approved sources. Smartphone system administrators should push OTA software updates from the smartphone management server when this feature is available. Otherwise the site administrator should verify the non-DoD source of the update has been approved by IT management.
Check Procedures:
Interview the IAO and the smartphone management server system administrator.
- Verify the site smartphone handheld administrator and the smartphone management server administrator are aware of the requirement.
- Determine what procedures are used at the site for installing software updates on site-managed smartphones.
Mark as a finding if the site does not have procedures in place ensuring users download software updates from a DoD source or DoD-approved source.

Fix: F-27598r3_fix

Ensure smartphone software updates originate from DoD sources or approved non-DoD sources only. Users do not accept Over-The-Air (OTA) wireless software updates from non-approved sources.

Smartphone Instant Messaging (IM) client application must connect only to a DoD controlled IM server compliant with the Instant Messaging STIG.
Medium - V-24965 - SV-30702r3_rule
RMF Control
Severity
Medium
CCI
Version
WIR-SPP-009
Vuln IDs
  • V-24965
Rule IDs
  • SV-30702r3_rule
Non-DoD IM servers can be located anywhere in the world and may be under an adversary's control. If a DoD smartphone IM client connects to a non-DoD IM server, malware could be installed on the smartphone from the server or sensitive DoD data on the smartphone could be transferred to the server. In addition, if malware is installed on the smartphone, this could lead to hacker attacks on the DoD enclave the smartphone connects to.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-31129r3_chk

Interview the IAO or smartphone system administrator and determine if smartphone IM is used on site-managed smartphones. If yes, determine what server the smartphone IM system connects to.
- The server should be managed by a DoD site.
- The IM system must be compliant with the Instant Messaging STIG.
Mark as a finding if the IM server the smartphone IM app connects to is not managed by a DoD site.

Fix: F-27600r2_fix

Apply the Instant Messaging (IM) STIG requirements for the IM application on smartphones.

The site wireless policy or wireless remote access policy must include information on required smartphone Wi-Fi security controls.
Low - V-24966 - SV-30703r4_rule
RMF Control
Severity
Low
CCI
Version
WIR-SPP-010
Vuln IDs
  • V-24966
Rule IDs
  • SV-30703r4_rule
If the policy does not include information on Wi-Fi security controls, then it is more likely that the security controls will not be implemented properly. Wi-Fi is vulnerable to a number of security breaches without appropriate controls. These breaches could involve the interception of sensitive DoD information and the use of the device to connect to DoD networks.
Responsibility: System Administrator
IA Controls: ECWN-1
Checks: C-31130r4_chk

Detailed Policy Requirements:
The site wireless security policy or wireless remote access policy shall include information on locations where smartphone Wi-Fi access is approved or disapproved. The following locations will be specifically listed in the policy:
- Site-managed Wi-Fi access point connected to the NIPRNet (Enclave-NIPRNet Connected)
- Site-managed Wi-Fi access point connected to the Internet only (Internet Gateway Only Connection)
- Public Wi-Fi hotspot
- Hotel Wi-Fi hotspot
- Home Wi-Fi network (user managed)
Note: DoD smartphones will not be used to connect to public or hotel hotspots.
Note: Apple iOS devices (iPhone, iPad, and iPod touch) will not be used to connect to site-managed Wi-Fi access points connected to the NIPRNet (Enclave-NIPRNet Connected).
Check Procedures:
Interview the IAO. Review the site policy. Verify it contains the required information.
Mark as a finding if the site policy does not contain the required information.

Fix: F-27601r2_fix

Ensure the site smartphone Wi-Fi security policy includes the required content.

Smartphones must be provisioned with DoD PKI digital certificates so users can digitally sign and encrypt e-mail notifications or other email messages required by DoD policy. DAA approval will be obtained prior to the use of software PKI certificates on smartphones.
Low - V-24968 - SV-30705r4_rule
RMF Control
Severity
Low
CCI
Version
WIR-SPP-011
Vuln IDs
  • V-24968
Rule IDs
  • SV-30705r4_rule
S/MIME provides the user with the ability to digitally sign and encrypt e-mail messages, to verify the digital signatures on received messages, and to decrypt messages received from others if those messages are encrypted. Digital signatures provide strong cryptographic assurance of the authenticity and integrity of the signed message, including attachments. This capability protects against the insertion of malicious mobile code and social engineering attacks in which an adversary masquerades as a known user, as well as other exploits. Encryption provides confidentiality for sensitive information, which is particularly valuable when messages are sent to or received from users external to the DoD messaging infrastructure, as such messages would otherwise travel in the clear over the public Internet. The use of software certificates adds additional risk of compromise to the user's digital certificates and to the DoD PKI infrastructure.
Responsibility: Information Assurance Officer
IA Controls: ECSC-1
Checks: C-31132r3_chk

The DAA may approve the use of software certificates until approved CAC readers are available and can be purchased and fielded by the site.
If user software certificates are used on site-managed smartphones instead of the CAC, verify the DAA has approved their use (in a letter, memo, SSP, etc.) and that a DoD-approved CAC reader is not available for the smartphone.
Mark as a finding if the site uses software certificates on site-managed smartphones and the DAA has not approved their use.

Fix: F-27602r2_fix

Obtain DAA approval for the use of software certificates or purchase approved CAC readers.

Required actions must be followed at the site when a smartphone has been lost or stolen.
Low - V-24969 - SV-30706r5_rule
RMF Control
Severity
Low
CCI
Version
WIR-SPP-007-02
Vuln IDs
  • V-24969
Rule IDs
  • SV-30706r5_rule
If procedures for lost or stolen smartphones are not followed, it is more likely that an adversary could obtain the device and use it to access DoD networks or otherwise compromise DoD IA.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-31133r3_chk

This requirement applies to mobile operating system (OS) smartphones and tablets.
Interview the IAO. Determine if any site smartphones were reported lost or stolen within the previous 24 months. If yes, review written records, incident reports, and/or after action reports and determine if required procedures were followed.
Mark as a finding if the site had a lost or stolen smartphone within the previous 24 months and required procedures were not followed.

Fix: F-27592r1_fix

Required actions must be followed at the site when a smartphone is reported lost or stolen.

Users must receive training on required topics before they are authorized to access a DoD network via a wireless remote access device.
Low - V-25034 - SV-30836r4_rule
RMF Control:
Severity: Low
CCI:
Version: WIR-WRA-001
Vuln IDs: V-25034
Rule IDs: SV-30836r4_rule
Improper use of wireless remote access to a DoD network can compromise both the wireless client and the network, as well as expose DoD data to unauthorized people. Without adequate training, remote access users are more likely to engage in behaviors that make DoD networks and information more vulnerable to security exploits.
Responsibility: System Administrator
IA Controls: PRTN-1
Checks: C-31258r3_chk

Detailed Policy Requirements: The IAO and the site wireless device administrator must ensure all wireless remote access users receive training on the following topics before they are authorized to access a DoD network via a wireless remote access device:
- Maintaining physical control of the device
- Reducing exposure of sensitive data
- Backing up data frequently
- User authentication, anti-virus, personal firewall, and content encryption requirements
- Enabling wireless interfaces only when needed
- Enabling the VPN connection to the DoD network immediately after establishing a wireless connection
- Performing all Internet browsing via the VPN connection to the DoD network
- No split tunneling of the VPN
- Locations where wireless remote access is authorized or not authorized (e.g., home, airport, hotel)
- Wireless client configuration requirements
- Use of WPA2 Personal (AES) on the home WLAN
- Home WLAN password and SSID requirements
- Discontinuing the use of devices suspected of being tampered with and notifying the site IAO
For iOS devices, add:
- The user should select "Forget this Network" while still in physical range of the network. (This prevents the iPhone from automatically joining networks later that may share the same SSID. The user will not be able to "forget" individual networks when out of range and will have to reset all network settings.)

Check Procedures: Review site wireless device and/or IA awareness training material to verify it contains the required content. Note: Some training content may be listed in the User Agreement signed by the user. Verify site training records show authorized wireless remote access users received required training and that the training occurred before the users were issued a device. Check training records for approximately five users, picked at random. Mark as a finding if training material does not contain the required content or if wireless remote access users have not received required training.

Fix: F-27724r1_fix

Complete required training

The site must have a Wireless Remote Access Policy signed by the site DAA, Commander, Director, or other appropriate authority.
Low - V-25035 - SV-30837r3_rule
RMF Control:
Severity: Low
CCI:
Version: WIR-WRA-002
Vuln IDs: V-25035
Rule IDs: SV-30837r3_rule
Wireless clients, DoD data, and the DoD network could be compromised if operational policies for the use of wireless remote access are not documented by the site.
Responsibility: System Administrator
IA Controls: ECWN-1
Checks: C-31259r3_chk

Detailed Policy Requirements: A site's Remote Access Policy will be written and signed by the site DAA, Commander, Director, or other appropriate manager. It is recommended that the policy include the required security controls for the DoD-owned/operated wireless client (laptop or PDA):
- Device unlock password requirements
- Anti-virus application
- Personal firewall
- Client software patches kept up to date
- Internet browsing through the enterprise Internet gateway
- Device security policy managed by a centrally-managed policy manager
- Anti-spyware application (recommended)
- Procedures to follow after a client is lost or stolen or another security incident occurs
- Host-based Wireless Intrusion Detection and Prevention System (WIDPS)/monitor WIDPS
- Configuration requirements of the wireless client
- Home WLAN authentication requirements
- Home WLAN SSID requirements
- Separate WLAN access point required for the home WLAN
- Authentication password of 8 or more characters required for the home WLAN
- Use of third-party Internet portals (kiosks) (approved or not approved)
- Use of personally-owned or contractor-owned client devices (approved or not approved)
- Implementation of a health check of the client device before connection is allowed
- Places where remote access is approved (home, hotels, airport, etc.)
- Roles and responsibilities:
--Which users or groups of users are and are not authorized to use the organization's WLANs
--Which parties are authorized and responsible for installing and configuring APs and other WLAN equipment
- WLAN infrastructure security:
--Physical security requirements for WLANs and WLAN devices, including limitations on the service areas of WLANs
--Types of information that may and may not be sent over WLANs, including acceptable use guidelines
- WLAN client device security:
--The conditions under which WLAN client devices are and are not allowed to be used and operated
--Standard hardware and software configurations that must be implemented on WLAN client devices to ensure the appropriate level of security
--Limitations on how and when WLAN client devices may be used, such as specific locations
- Guidelines on reporting losses of WLAN client devices and reporting WLAN security incidents
- Guidelines for the protection of WLAN client devices to reduce theft

Check Procedures: Interview the IAO and/or the site wireless device administrator and determine if the site has a wireless remote access policy (or a wireless section in a general remote access policy). Verify the policy has been signed by the site DAA, Commander, Director, or other appropriate manager. Mark as a finding if a wireless remote access policy does not exist or is not signed.

Fix: F-27725r1_fix

Publish required policy.

If wireless remote access is approved for use, the site's SSP must include wireless remote access equipment and locations (site network Wi-Fi, home, hotel, public hotspots, etc.) approved for site personnel.
Low - V-25036 - SV-30838r3_rule
RMF Control:
Severity: Low
CCI:
Version: WIR-WRA-003
Vuln IDs: V-25036
Rule IDs: SV-30838r3_rule
Wireless clients, networks, and data could be compromised if unapproved wireless remote access is used. In most cases, unapproved devices are not managed and configured as required by the appropriate STIG, and the site's overall network security controls are not configured to provide adequate security for unapproved devices. When the equipment and locations are listed in the SSP, the site has shown that its security controls have been designed to account for the wireless devices.
Responsibility: Information Assurance Officer
IA Controls: ECWN-1
Checks: C-31260r2_chk

Review the site's SSP and verify it includes a listing of approved wireless remote access equipment and locations (home, hotel, etc.). Mark as a finding if the site SSP does not reference approved wireless remote access equipment and locations.

Fix: F-27726r1_fix

Update SSP with wireless remote access information.

Smartphone users must complete required training annually.
Low - V-28317 - SV-36045r3_rule
RMF Control:
Severity: Low
CCI:
Version: WIR-SPP-006-02
Vuln IDs: V-28317
Rule IDs: SV-36045r3_rule
Users are the first line of security controls for smartphone systems. They must be trained in using smartphone security controls or the system could be vulnerable to attack.
Responsibility: Information Assurance Officer
IA Controls: PETN-1
Checks: C-35165r2_chk

This requirement applies to mobile operating system (OS) smartphones and tablets. All smartphone users must receive required smartphone training annually. Mark as a finding if training records do not show users receiving required training at least annually.

Fix: F-30413r1_fix

Complete required training annually for all smartphone users.