WMAN Subscriber Security Technical Implementation Guide (STIG)

  • Version/Release: V6R8
  • Published: 2014-03-18

This STIG contains the technical security controls for the operation of a WMAN Subscriber in the DoD environment.
NSA Type 1 products and required procedures must be used to protect classified data at rest (DAR) on wireless devices used on a classified WLAN or WMAN.
High - V-3512 - SV-3512r1_rule
Severity: High
Version: WIR0235
Vuln ID: V-3512
Rule ID: SV-3512r1_rule
NSA Type 1 products provide a high level of assurance that cryptography is implemented correctly and meets the standards for storage of classified information. Use of cryptography that is not Type 1 certified violates policy and increases the risk that classified data will be compromised.
Responsibility: Information Assurance Officer
IA Controls: ECWN-1
Checks: C-4027r1_chk

Detailed Policy Requirements: Type 1 products and required procedures must be used to protect classified data at rest on wireless computers that are used on a classified WLAN or WMAN. If NSA Type 1 certified DAR encryption is not available, the following requirements apply:
- The storage media shall be physically removed from the computer and stored within a COMSEC-approved security container when the computer is not being used.
- If the computer has embedded storage media that cannot be removed, the entire computer shall be placed within a COMSEC-approved security container.

Check Procedures: Interview the IAO to determine if devices with wireless functionality (e.g., laptops or PDAs with embedded radios) are used to store classified data. If yes, verify the device is an NSA Type 1 certified product. Mark as a finding if a Type 1 product is not used, or if the storage media or device is not stored in a COMSEC-approved security container when not in use.

Fix: F-34121r1_fix

Immediately discontinue use of the non-compliant device.

A device’s wired network interfaces (e.g., Ethernet) must be disconnected or otherwise disabled when wireless connections are in use.
Medium - V-14002 - SV-14613r2_rule
Severity: Medium
Version: WIR0170
Vuln ID: V-14002
Rule ID: SV-14613r2_rule
If a client device supports simultaneous use of wireless and wired connections, an adversary who gains access to the device over its wireless interface can route traffic through the device's wired interface to attack devices on the wired network or obtain sensitive DoD information.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECWN-1
Checks: C-11465r3_chk

Review client devices and verify that there is a technical mechanism that disables the wireless network interface when the wired network interface is active (e.g., connected to a network via an Ethernet cable). Either direction of enforcement meets the intent of the requirement: the wireless and wired interfaces must never be active at the same time.

Examples of compliant implementations:
- Client-side connection management software products have configuration settings that disable wireless connections when a wired connection is active.
- Microsoft Windows hardware profiles can be created that disable assigned wireless network interfaces when the Ethernet connection is active.

To check compliance, select a sample of devices (3-4) and establish a network connection using the wireless interface. Confirm that the wireless interface is active using a command line utility such as ifconfig (UNIX/Linux) or ipconfig (Windows), or a management tool such as Network Connections in the Windows Control Panel. Then plug the device into an active Ethernet port (or other wired network). Repeat the same check to verify that the wireless interface is now disabled.

Mark as a finding if one or more of the tested devices do not disable the wireless interface upon connection to a wired network. Also mark as a finding if the device does not have the capability to disable the wireless interface when the wired interface is active.
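The check above is manual (ifconfig/ipconfig before and after plugging in the cable). The following is an added example, not part of the STIG or of any vendor product, of automating both the audit and the enforcement on a Linux client. It reads interface state from sysfs; the sysfs paths and the `ip link set ... down` command are assumptions about the target platform, and `SAMPLE_LINKS` is a constructed snapshot, not data from the page.

```python
"""Added example (not part of the STIG or any vendor tool): audit and enforce
"no wireless while wired is active" on a Linux client from sysfs.

Assumptions (hypothetical; the STIG names only ifconfig/ipconfig):
  /sys/class/net/<iface>/type      == "1" for Ethernet-type NICs (ARPHRD_ETHER)
  /sys/class/net/<iface>/wireless  exists only for 802.11 interfaces
  /sys/class/net/<iface>/operstate == "up" when the interface has link
"""
import os
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    name: str
    wireless: bool
    operstate: str        # "up", "down", "unknown", "dormant", ...


# Constructed sample of what collect_links() returns on a laptop that has just
# been plugged into Ethernet while its Wi-Fi association is still active.
SAMPLE_LINKS = [
    Link("eth0", wireless=False, operstate="up"),
    Link("wlan0", wireless=True, operstate="up"),
    Link("wlan1", wireless=True, operstate="down"),
]


def collect_links(sysroot="/sys/class/net"):
    """Enumerate Ethernet-type interfaces from sysfs (loopback, tun, etc. are skipped)."""
    links = []
    for name in sorted(os.listdir(sysroot)):
        base = os.path.join(sysroot, name)
        try:
            with open(os.path.join(base, "type")) as fh:
                if fh.read().strip() != "1":
                    continue
            with open(os.path.join(base, "operstate")) as fh:
                state = fh.read().strip()
        except OSError:
            continue
        links.append(Link(name, os.path.isdir(os.path.join(base, "wireless")), state))
    return links


def wired_link_up(links):
    return any(not l.wireless and l.operstate == "up" for l in links)


def plan(links):
    """Wireless interfaces that must go down. Empty unless a wired link is up."""
    if not wired_link_up(links):
        return []
    return [l.name for l in links if l.wireless and l.operstate == "up"]


def is_compliant(links):
    """The STIG check: no wireless interface is up while a wired link is up."""
    return not plan(links)


def enforce(links, dry_run=True):
    """Return (and, unless dry_run, execute) the commands that disable offenders."""
    cmds = [["ip", "link", "set", "dev", name, "down"] for name in plan(links)]
    if not dry_run:
        for cmd in cmds:
            subprocess.run(cmd, check=True)   # needs CAP_NET_ADMIN (root)
    return cmds


if __name__ == "__main__":
    live = collect_links()
    print("compliant" if is_compliant(live) else "FINDING: wireless up while wired up")
    for cmd in enforce(live, dry_run=True):
        print("would run:", " ".join(cmd))
```

Run `enforce(collect_links(), dry_run=False)` from a NetworkManager dispatcher script or a udev rule on the wired interface so the Wi-Fi link is dropped the moment the cable carries link. On current Windows versions the equivalent control is the Windows Connection Manager Group Policy "Minimize the number of simultaneous connections to the Internet or a Windows Domain", which has replaced the hardware profiles the check mentions.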

Fix: F-13489r1_fix

Ensure the wired network interfaces on a WLAN client are disconnected or otherwise disabled when wireless network connections are in use.

FIPS 140-2 validated encryption modules must be used to encrypt unclassified sensitive data at rest on the wireless device (e.g., laptop, PDA, smartphone).
Medium - V-14202 - SV-14813r2_rule
Severity: Medium
Version: WIR0190
Vuln ID: V-14202
Rule ID: SV-14813r2_rule
If a wireless device is lost or stolen without DAR encryption, sensitive DoD data could be compromised. Most known security breaches of cryptography result from improper implementation, not flaws in the cryptographic algorithms themselves. FIPS 140-2 validation provides assurance that cryptography is implemented correctly, and is required for Federal Government uses of cryptography in non-classified applications.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECWN-1
Checks: C-11537r2_chk

Detailed Policy Requirements: FIPS 140-2 validated encryption modules must be used to encrypt unclassified sensitive data at rest on the wireless device (e.g., laptop, PDA, smartphone). This requirement applies to any wireless device or non-wireless PDA storing sensitive information, as defined by Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer Memorandum, "Encryption of Sensitive Unclassified Data at Rest on Mobile Computing Devices and Removable Storage," July 3, 2007. This requirement also applies to removable memory cards (e.g., MicroSD) used in the PDA, except when the PDA is connected to a Windows PC for the purpose of provisioning or transferring data.

Check Procedures: Interview the IAO and review documentation.
1. Determine if the wireless device is used to store sensitive data. Data approved for public release is not sensitive. Other unclassified data may also qualify as sensitive. Any device that stores any sensitive data must meet the requirements in this check.
2. Check a sample of wireless laptops, PDAs, smartphones, and other wireless devices used at the site (2-3 of each type).
3. Obtain the product's FIPS certificate to confirm FIPS 140-2 validation for each model examined. The certificate may be obtained from the product documentation or the NIST web site.
4. Work with the IAO to determine whether encryption is enabled on the wireless client device and whether it uses AES or 3DES.
5. Verify temp files with sensitive information are also protected with encryption.
6. Mark as a finding if encryption is not used or is not FIPS 140-2 validated.
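Step 4 of the check is the one an auditor can script on the endpoint. The following is an added example, not part of the STIG, that parses the output of `cryptsetup status <mapping>` (Linux/LUKS) and `manage-bde -status <drive>` (Windows/BitLocker) and flags volumes that are not fully protected or that use a cipher other than the AES or 3DES the check names. The two command outputs embedded below are constructed samples. It deliberately does not claim to verify FIPS 140-2 validation: that is a property of the module and is established from its NIST CMVP certificate (step 3), not from anything printed on the device.

```python
"""Added example (not from the STIG): parse what `cryptsetup status <mapping>`
(Linux/LUKS) and `manage-bde -status <drive>` (Windows/BitLocker) print, and
flag volumes that are not fully protected or use a cipher the check does not
accept (AES or 3DES). The two command outputs below are constructed samples.

Caveat: this confirms the algorithm and the encryption state on the endpoint.
It cannot confirm FIPS 140-2 *validation*, which belongs to the module and is
established from its NIST CMVP certificate (step 3 of the check procedure).
"""
import re

# Cipher families named in the check. 3DES is kept only because the STIG lists
# it; NIST SP 800-131A Rev. 2 disallows 3DES for encryption after 2023.
APPROVED_FAMILY = re.compile(r"\b(aes|3des)\b")
MIN_KEY_BITS = 128

CRYPTSETUP_SAMPLE = """\
/dev/mapper/cryptroot is active and is in use.
  type:    LUKS2
  cipher:  aes-xts-plain64
  keysize: 512 bits
  key location: keyring
  device:  /dev/nvme0n1p3
  sector size:  512
  offset:  32768 sectors
  size:    999292928 sectors
  mode:    read/write
"""

MANAGE_BDE_SAMPLE = """\
Volume C: [OS]
[OS Volume]

    Size:                 475.78 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 256
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        TPM
        Numerical Password
"""


def _field(text, label):
    """Value of a 'label: value' line, or '' when absent."""
    m = re.search(r"^\s*" + re.escape(label) + r":\s*(.+?)\s*$", text, re.M)
    return m.group(1) if m else ""


def parse_cryptsetup(text):
    """Normalise cryptsetup status output to {'protected', 'cipher', 'keybits'}."""
    first = text.strip().splitlines()[0] if text.strip() else ""
    cipher = _field(text, "cipher").lower()
    bits = re.match(r"(\d+)", _field(text, "keysize"))
    # LUKS reports total key material; XTS carries two keys, so halve it.
    divisor = 2 if "xts" in cipher else 1
    return {
        "protected": " is active" in first,
        "cipher": cipher,
        "keybits": int(bits.group(1)) // divisor if bits else None,
    }


def parse_manage_bde(text):
    """Normalise manage-bde -status output to the same shape."""
    method = _field(text, "Encryption Method").lower()
    bits = re.search(r"(\d+)", method)
    return {
        "protected": _field(text, "Conversion Status") == "Fully Encrypted"
        and _field(text, "Protection Status") == "Protection On",
        "cipher": method,
        "keybits": int(bits.group(1)) if bits else None,
    }


def assess(info):
    """Return a finding string, or None if the volume passes the cipher/state check."""
    if not info["protected"]:
        return "finding: volume is not fully encrypted with protection on"
    if not APPROVED_FAMILY.search(info["cipher"]):
        return f"finding: cipher {info['cipher']!r} is not AES or 3DES"
    if info["keybits"] is not None and info["keybits"] < MIN_KEY_BITS:
        return f"finding: key size {info['keybits']} bits is below {MIN_KEY_BITS}"
    return None


if __name__ == "__main__":
    for name, parser, sample in (("LUKS", parse_cryptsetup, CRYPTSETUP_SAMPLE),
                                 ("BitLocker", parse_manage_bde, MANAGE_BDE_SAMPLE)):
        print(name, assess(parser(sample)) or "pass")
```

Feed the functions the real command output (`subprocess.run(["cryptsetup", "status", "cryptroot"], capture_output=True, text=True).stdout`, or the `manage-bde` output collected by the Windows administrator) and record the result alongside the CMVP certificate number for the module in the audit notes; a "pass" here without a certificate is still a finding under step 6.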

Fix: F-34090r1_fix

Employ FIPS 140-2 validated encryption modules for sensitive DoD data at rest.

WMAN systems must require strong authentication from the user or WMAN subscriber device to WMAN network.
Medium - V-14207 - SV-14818r1_rule
Severity: Medium
Version: WIR0315-01
Vuln ID: V-14207
Rule ID: SV-14818r1_rule
Broadband systems not compliant with authentication requirements could allow a hacker to gain access to the DoD network.
Responsibility: Information Assurance Officer
IA Controls: ECSC-1, ECWN-1
Checks: C-22269r1_chk

Detailed Policy Requirements: The site WMAN systems will implement strong authentication from the user or WMAN subscriber device to the WMAN network. For tactical WMAN systems or commercial WMAN systems operated in a tactical environment, two-factor authentication is required, at a minimum. Note: Examples of two-factor authentication are password with biometrics or CAC with PIN. In cases where there is no available WMAN technology solution that meets this requirement, the local DAA may grant an exception to this requirement until such time as a WMAN product is available that meets it. The exception must be documented during the system DIACAP and in the site SSAA/SSP. At a minimum, the system must meet the authentication requirements of non-tactical WMAN systems.
- For tactical or commercial WMAN systems operated in a non-tactical environment, this check does not apply; checks WIR0315-02 and WIR0315-03 apply.

Check Procedures:
- Determine if the WMAN system is used in a tactical or non-tactical environment.
- Review the WMAN system product documentation (specification sheet, network administration manual, installation manual, etc.) to determine what authentication mechanism is supported between the user/subscriber device and the WMAN network.
- Review the authentication configuration on the WMAN access point. (Have the system administrator and user show you the setting.)
- Verify "User or WMAN subscriber device to WMAN network" authentication meets requirements. For WMAN systems operated in a tactical environment, two-factor authentication is required, at a minimum, unless the DAA has approved an exception based on the unavailability of a WMAN product that meets this requirement. Determine if two-factor authentication is used (e.g., CAC) or if the DAA has granted an exception. If the DAA has granted an exception, verify the exception has been noted in the site's SSAA/SSP and that the system meets the requirements for non-tactical authentication.
- Mark as a finding if the authentication requirements are not met.

Fix: F-34138r1_fix

Implement strong authentication for the user or device to the WMAN network.

When a WMAN system is implemented, the network enclave must enforce strong authentication from user to DoD enclave (wired network). For “User to Enclave” authentication, the enclave must enforce network authentication requirements found in USCYBERCOM CTO 07-15Rev1 (or subsequent updates) (e.g. CAC authentication). Note: User authentication to the enclave must be a separate process from authentication to the WMAN system. If the WMAN vendor implements CAC authentication for the User or WMAN subscriber device to WMAN network, the user may only need to enter their PIN once to authenticate to both the WMAN system and the enclave.
Medium - V-18602 - SV-20153r1_rule
Severity: Medium
Version: WIR0320
Vuln ID: V-18602
Rule ID: SV-20153r1_rule
Without strong user authentication to the network, a hacker may be able to gain access.
IA Controls: ECWN-1
Checks: C-22268r1_chk

Interview the IAO and network system administrator to determine if the site’s network is configured to require CAC authentication before a WMAN user is connected to the network. If possible, have a user set up a WMAN connection and verify the user is required to CAC authenticate before they gain access to the local network. Mark as a finding if a WMAN user is not required to CAC authenticate to the network prior to gaining network access.

Fix: F-14436r1_fix

Comply with policy.

Site WMAN systems that transmit unclassified data must implement required data encryption controls.
Medium - V-18603 - SV-20154r1_rule
Severity: Medium
Version: WIR0325
Vuln ID: V-18603
Rule ID: SV-20154r1_rule
Sensitive DoD data could be exposed to a hacker.
Responsibility: Information Assurance Officer
IA Controls: ECWN-1
Checks: C-22270r1_chk

Detailed Policy Requirements: Site WMAN systems that transmit unclassified data must implement the following data encryption controls:
- For tactical WMAN systems or commercial WMAN systems operated in a tactical environment:
  -- The WMAN system must implement FIPS 140-2 validated encryption to protect the ISO OSI Layer 2 radio data frames. The WMAN system must be configured for AES-CCM encryption, if supported by the WMAN system.
  -- The WMAN system must implement FIPS 140-2 validated encryption to protect the ISO OSI Layer 3 data being transmitted.
- For tactical WMAN systems or commercial WMAN systems operated in a non-tactical environment, and for WMAN bridges:
  -- The WMAN system must implement FIPS 140-2 validated encryption at ISO OSI Layer 2 or 3.

Check Procedures: Verify with the IAO that site WMAN systems transmitting unclassified data implement the following data encryption controls:
- For tactical WMAN systems or commercial WMAN systems operated in a tactical environment:
  -- The WMAN system implements FIPS 140-2 validated encryption to protect the ISO OSI Layer 2 radio data frames, and is configured for AES-CCM encryption if the WMAN system supports it.
  -- The WMAN system implements FIPS 140-2 validated encryption to protect the ISO OSI Layer 3 data being transmitted.
- For tactical WMAN systems or commercial WMAN systems operated in a non-tactical environment:
  -- The WMAN system implements FIPS 140-2 validated encryption at ISO OSI Layer 2 or 3.
Mark as a finding if these requirements are not met.

Fix: F-14436r1_fix

Comply with policy.

A WMAN system transmitting classified data must implement required data encryption controls.
High - V-18604 - SV-20156r1_rule
Severity: High
Version: WIR0330
Vuln ID: V-18604
Rule ID: SV-20156r1_rule
If not compliant, classified data could be compromised.
Responsibility: Information Assurance Officer
IA Controls: ECWN-1
Checks: C-22272r1_chk

Detailed Policy Requirements: Site WMAN systems that transmit classified data must implement the following data encryption controls:
- The WMAN system must implement FIPS 140-2 validated encryption to protect the ISO OSI Layer 2 radio data frames. The WMAN system must be configured for AES-CCM encryption, if supported by the WMAN system. (Not required for classified WMAN bridges.)
- The WMAN system must implement NSA Type 1 certified High Assurance Internet Protocol Encryptor (HAIPE) encryption, other NSA Type 1 certified encryption, or NSA approved Suite B overlay encryption at ISO OSI Layer 3 to protect data being transmitted.

Check Procedures: Review the WMAN product specification sheets.
- Verify FIPS 140-2 validated encryption is being used at OSI Layer 2 to protect the radio data frames.
- Determine if the system supports AES-CCM encryption. If yes, verify the system has been configured for AES-CCM encryption.
- Verify NSA Type 1 certified High Assurance Internet Protocol Encryptor (HAIPE) encryption, other NSA Type 1 certified encryption, or NSA approved Suite B overlay encryption is being used at OSI Layer 3 to protect data being transmitted.
Mark as a finding if any of these requirements have not been met.

Fix: F-14436r1_fix

Comply with policy.

Site WMAN systems must implement strong authentication from the user or WMAN subscriber device to WMAN network.
Medium - V-19903 - SV-22073r1_rule
Severity: Medium
Version: WIR0315-02
Vuln ID: V-19903
Rule ID: SV-22073r1_rule
Broadband systems not compliant with authentication requirements could allow a hacker to gain access to the DoD network.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1, ECWN-1
Checks: C-25553r1_chk

Detailed Policy Requirements: The site WMAN systems must implement strong authentication from the user or WMAN subscriber device to the WMAN network.
- For tactical or commercial WMAN systems operated in a non-tactical environment: User ID and password or shared secret authentication shall be implemented between the user or WMAN subscriber device and the WMAN network. When user ID and password are used, the length requirements of the password must be compliant with JTF-GNO CTO 07-15Rev1:
  -- 15 character password length (or the maximum length supported by the system if a 15 character password is not supported).

Check Procedures: For non-tactical WMAN systems, verify the system uses either user ID and password or shared secret authentication between the user or WMAN subscriber device (respectively) and the WMAN network. If user ID and password are used, verify the password meets the length requirements of CTO 07-15Rev1. Mark as a finding if the password length requirements are not met.

Fix: F-20573r6_fix

Comply with requirement.

Site WMAN systems must implement strong authentication from the user or WMAN subscriber device to WMAN network.
Medium - V-19904 - SV-22074r1_rule
Severity: Medium
Version: WIR0315-03
Vuln ID: V-19904
Rule ID: SV-22074r1_rule
Broadband systems not compliant with authentication requirements could allow a hacker to gain access to the DoD network.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1, ECWN-1
Checks: C-25554r1_chk

Detailed Policy Requirements: Site WMAN systems must implement strong authentication from the user or WMAN subscriber device to the WMAN network.
- For tactical or commercial WMAN systems operated in a non-tactical environment: User ID and password or shared secret authentication shall be implemented between the user or WMAN subscriber device and the WMAN network. When user ID and password are used, the complexity requirements of the password must be compliant with JTF-GNO CTO 07-15Rev1:
  -- Password complexity is a case-sensitive mixture of upper case letters, lower case letters, special characters, and numbers, including at least one of each.

Check Procedures: For non-tactical WMAN systems, verify the system uses either user ID and password or shared secret authentication between the user or WMAN subscriber device (respectively) and the WMAN network. If user ID and password are used, verify the password meets the complexity requirements of CTO 07-15Rev1. Have the system administrator show the password complexity settings in the management console of the WMAN access point. Mark as a finding if the requirements are not met.
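WIR0315-02 (length) and WIR0315-03 (complexity) are two halves of one password rule from CTO 07-15Rev1, so one added example serves both. It is not part of the STIG: `check_password` tests a candidate password, and `check_policy` tests the settings an administrator reads off the access point's console, using constructed key names (`min_length`, `require_upper`, ...) since no vendor console format appears on the page. The "maximum length supported by the system" clause is handled by the `max_supported` argument. "Special character" is taken to mean ASCII punctuation; the STIG does not define the set.

```python
"""Added example (not from the STIG): validate a WMAN user password, or an
access point's configured password policy, against the CTO 07-15Rev1 rules
the two checks cite: 15-character minimum length (WIR0315-02) and at least
one upper-case letter, lower-case letter, number and special character
(WIR0315-03). "Special character" is assumed to be ASCII punctuation.
"""
import string

MIN_LENGTH = 15
CLASSES = {
    "upper case letter": str.isupper,
    "lower case letter": str.islower,
    "number": str.isdigit,
    "special character": lambda c: c in string.punctuation,
}


def required_length(max_supported=None):
    """15, or the system maximum when the system cannot hold 15 characters."""
    if max_supported is not None and max_supported < MIN_LENGTH:
        return max_supported
    return MIN_LENGTH


def check_password(password, max_supported=None):
    """Return the list of violated rules; an empty list means compliant."""
    problems = []
    need = required_length(max_supported)
    if len(password) < need:
        problems.append(f"length {len(password)} is below the required {need}")
    for name, test in CLASSES.items():
        if not any(test(c) for c in password):
            problems.append(f"no {name}")
    return problems


def check_policy(policy, max_supported=None):
    """Apply the same rules to an access point's configured policy.

    policy is a dict with constructed (hypothetical) key names:
      min_length, require_upper, require_lower, require_digit, require_special
    """
    problems = []
    need = required_length(max_supported)
    configured = policy.get("min_length", 0)
    if configured < need:
        problems.append(f"configured minimum length {configured} is below {need}")
    for key in ("require_upper", "require_lower", "require_digit", "require_special"):
        if not policy.get(key, False):
            problems.append(f"{key} is not enforced")
    return problems


if __name__ == "__main__":
    for pw in ("Correct-Horse9Battery", "correct-horse9battery", "Ab1!"):
        print(repr(pw), check_password(pw) or "compliant")
```

`check_policy` is the function that matches the check procedure as written (the auditor inspects the console settings, not individual passwords); `check_password` is useful when the console cannot enforce a class requirement and the administrator must vet a shared secret by hand.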

Fix: F-20573r6_fix

Comply with requirement.