Wireless Management Server Policy Security Technical Implementation Guide

Vuln ID:
V-24955
Rule ID:
SV-30692r5_rule
Group ID:
Publish data spill procedures for smartphones
Version:
WIR-SPP-003-01
CCI:
Severity:
Medium
Description:
When a data spill occurs on a smartphone, classified data must be protected to prevent disclosure. After a data spill, the smartphone must either be wiped using approved procedures, or destroyed if no procedures are available, so classified data is not exposed.
Responsibility: Information Assurance Officer
IA Controls: VIIR-1, VIIR-2
When a data spill occurs on a smartphone, classified or sensitive data must be protected to prevent disclosure. After a data spill, the smartphone must either be wiped using approved procedures, or destroyed if no procedures are available, so classified or sensitive data is not exposed.
Responsibility: Information Assurance Officer
IA Controls: VIIR-1, VIIR-2
Check:
Detailed Policy Requirements:
In accordance with DoD policy, all components must establish Incident Handling and Response procedures. A CMI or “data spill” occurs when a classified email is inadvertently sent on an unclassified network and received on a wireless email device. Classified information may also be transmitted through some other form of file transfer, including web browser downloads and files transferred through tethered connections. Smartphones are not authorized for processing classified data.
A data spill also occurs if a classified document is attached to an otherwise unclassified email. In this case, a data spill occurs on a smartphone only if the smartphone user views or opens the classified attachment, since the smartphone system downloads an attachment to the smartphone only when the user views or opens it.
The site's Incident Handling and Response procedures should reference NSA/CSS Storage Device Declassification Manual 9-12, Section 5, for smartphone destruction procedures.
Check Procedures:
Interview the IAO. Verify classified incident handling, response, and reporting procedures are documented in site smartphone procedures or security policies. Mark as a finding if classified incident handling, response, and reporting procedures are not documented in site smartphone procedures or security policies.
This requirement applies both at sites where smartphones are issued and managed and at sites where the smartphone management server is located.
- At the smartphone management server site, verify Incident Handling and Response procedures include actions to sanitize the smartphone management server and email servers (e.g., Exchange, Oracle mail).
- At smartphone sites, verify Incident Handling and Response procedures include actions for incident reporting and actions to safeguard classified smartphone devices.
The following actions will be followed for all smartphones involved in a data spill:
- BlackBerry smartphones: follow procedures in the DoD Data Spill Procedures Guide for BlackBerry Smartphones located at http://iase.disa.mil/stigs/net_perimeter/wireless/smartphone.html.
- Windows Mobile, Android, and iOS smartphones: the smartphone will be destroyed.
Mark as a finding if Incident Handling and Response procedures do not include required information.
Detailed Policy Requirements:
This requirement applies to mobile operating system (OS) smartphones and tablets. This requirement also applies to sensitive DoD information stored on mobile OS devices that are not authorized to connect to DoD networks or store/process sensitive DoD information. Sensitive DoD data or information is defined as any data/information that has not been approved for public release by the site/Command Public Affairs Officer (PAO).
In accordance with DoD policy, all components must establish Incident Handling and Response procedures. A CMI or “data spill” occurs when a classified email is inadvertently sent on an unclassified network and received on a wireless email device. Classified information may also be transmitted through some other form of file transfer, including web browser downloads and files transferred through tethered connections. Smartphones are not authorized for processing classified data.
A data spill also occurs if a classified document is attached to an otherwise unclassified email. In this case, a data spill occurs on a smartphone only if the smartphone user views or opens the classified attachment, since the smartphone system downloads an attachment to the smartphone only when the user views or opens it.
The site's Incident Handling and Response procedures should reference NSA/CSS Storage Device Declassification Manual 9-12, Section 5, for smartphone destruction procedures.
Check Procedures:
Interview the IAO. Verify classified incident handling, response, and reporting procedures are documented in site smartphone procedures or security policies. Mark as a finding if classified incident handling, response, and reporting procedures are not documented in site smartphone procedures or security policies.
This requirement applies both at sites where smartphones are issued and managed and at sites where the smartphone management server is located.
- At the smartphone management server site, verify Incident Handling and Response procedures include actions to sanitize the smartphone management server and email servers (e.g., Exchange, Oracle mail).
- At smartphone sites, verify Incident Handling and Response procedures include actions for incident reporting and actions to safeguard classified smartphone devices.
The following actions will be followed for all smartphones involved in a data spill:
- BlackBerry smartphones: follow procedures in the DoD Data Spill Procedures Guide for BlackBerry Smartphones located at http://iase.disa.mil/stigs/net_perimeter/wireless/smartphone.html.
- Windows Mobile, Android, and iOS smartphones: the smartphone will be destroyed.
Mark as a finding if Incident Handling and Response procedures do not include required information.
Fix:
A Classified Message Incident (CMI) procedure or policy must be published for the site.
Vuln ID:
V-24957
Rule ID:
SV-30694r5_rule
Group ID:
Site must follow required data spill procedures
Version:
WIR-SPP-003-02
CCI:
Severity:
High
Description:
If required procedures are not followed after a data spill, classified data could be exposed to unauthorized personnel.
Responsibility: System Administrator
IA Controls: VIIR-1, VIIR-2
Check:
Detailed Policy Requirements:
If a data spill occurs on a smartphone, the following actions must be completed:
- The smartphone management server and email servers (i.e., Exchange, Oracle mail, etc.) are handled as classified systems until they are sanitized according to appropriate procedures. (See NSA/CSS Storage Device Declassification Manual 9-12 for sanitization procedures.)
- The smartphone is handled as a classified device and destroyed according to DoD guidance for destroying classified equipment, or sanitized as directed in Check WIR-SPP-003-01.
Check Procedures:
Interview the IAO. Determine if the site has had a data spill within the previous 24 months. If yes, review written records, incident reports, and/or after action reports and determine if required procedures were followed. Mark as a finding if the site had a data spill within the previous 24 months and required procedures were not followed.
Detailed Policy Requirements:
This requirement applies to mobile operating system (OS) smartphones and tablets. This requirement also applies to sensitive DoD information stored on mobile OS devices that are not authorized to connect to DoD networks or store/process sensitive DoD information. Sensitive DoD data or information is defined as any data/information that has not been approved for public release by the site/Command Public Affairs Officer (PAO).
If a data spill occurs on a smartphone, the following actions must be completed:
- The smartphone management server and email servers (i.e., Exchange, Oracle mail, etc.) are handled as classified systems until they are sanitized according to appropriate procedures. (See NSA/CSS Storage Device Declassification Manual 9-12 for sanitization procedures.)
- The smartphone is handled as a classified device and destroyed according to DoD guidance for destroying classified equipment, or sanitized as directed in Check WIR-SPP-003-01.
Check Procedures:
Interview the IAO. Determine if the site has had a data spill within the previous 24 months. If yes, review written records, incident reports, and/or after action reports and determine if required procedures were followed. Mark as a finding if the site had a data spill within the previous 24 months and required procedures were not followed.
Fix:
If a data spill occurs on a wireless email device or system at a site, the site must follow required procedures.
Vuln ID:
V-24962
Rule ID:
SV-30699r4_rule
Group ID:
Publish lost/stolen smartphone procedures
Version:
WIR-SPP-007-01
CCI:
Severity:
Low
Description:
Sensitive DoD data could be stored in memory on a DoD operated smartphone and the data could be compromised if required actions are not followed when a smartphone is lost or stolen. Without procedures for lost or stolen smartphones, it is more likely that an adversary could obtain the device and use it to access DoD networks or otherwise compromise DoD IA.
Responsibility: Information Assurance Officer
IA Controls: ECSC-1, VIIR-1, VIIR-2
Check:
Detailed Policy Requirements:
The site (the location where smartphones are issued and managed, and the site where the smartphone management server is located) must publish procedures to follow if a smartphone has been lost or stolen. The procedures should include (as appropriate):
- The smartphone user notifies the IAO, SM, and other site personnel, as required by the site’s Incident Response Plan, within the timeframe required by the site’s Incident Response Plan.
- The IAO notifies the smartphone management server system administrator and other site personnel, as required by the site’s Incident Response Plan, within the timeframe required by the site’s Incident Response Plan.
- The site smartphone management server administrator sends a wipe command to the smartphone and then disables the user account on the management server or removes the smartphone from the user account.
Check Procedures:
Interview the IAO. Review the site’s Incident Response Plan or other policies and determine if the site has a written plan of action. Mark as a finding if the site does not have a written plan of action to follow after a lost or stolen smartphone.
Detailed Policy Requirements:
This requirement applies to mobile operating system (OS) smartphones and tablets. The site (the location where smartphones are issued and managed, and the site where the smartphone management server is located) must publish procedures to follow if a smartphone has been lost or stolen. The procedures should include (as appropriate):
- The smartphone user notifies the IAO, SM, and other site personnel, as required by the site’s Incident Response Plan, within the timeframe required by the site’s Incident Response Plan.
- The IAO notifies the smartphone management server system administrator and other site personnel, as required by the site’s Incident Response Plan, within the timeframe required by the site’s Incident Response Plan.
- The site smartphone management server administrator sends a wipe command to the smartphone and then disables the user account on the management server or removes the smartphone from the user account.
Check Procedures:
Interview the IAO. Review the site’s Incident Response Plan or other policies and determine if the site has a written plan of action. Mark as a finding if the site does not have a written plan of action to follow after a lost or stolen smartphone.
Fix:
Publish procedures to follow if a smartphone is lost or stolen.
Vuln ID:
V-24969
Rule ID:
SV-30706r4_rule
Group ID:
Follow lost/stolen smartphone procedures
Version:
WIR-SPP-007-02
CCI:
Severity:
Low
Description:
If procedures for lost or stolen smartphones are not followed, it is more likely that an adversary could obtain the device and use it to access DoD networks or otherwise compromise DoD IA.
Responsibility: System Administrator
IA Controls: ECSC-1
Check:
Interview the IAO. Determine if any site smartphones were reported lost or stolen within the previous 24 months. If yes, review written records, incident reports, and/or after action reports and determine if required procedures were followed. Mark as a finding if the site had a lost or stolen smartphone within the previous 24 months and required procedures were not followed.
This requirement applies to mobile operating system (OS) smartphones and tablets. Interview the IAO. Determine if any site smartphones were reported lost or stolen within the previous 24 months. If yes, review written records, incident reports, and/or after action reports and determine if required procedures were followed. Mark as a finding if the site had a lost or stolen smartphone within the previous 24 months and required procedures were not followed.
Fix:
Required actions must be followed at the site when a smartphone is reported lost or stolen.
Vuln ID:
V-24970
Rule ID:
SV-30707r3_rule
Group ID:
Smartphone admin training
Version:
WIR-WMSP-001-01
CCI:
Severity:
Low
Description:
The security posture of the smartphone management server could be compromised if the administrator is not trained to follow required procedures.
Responsibility: System Administrator
IA Controls: PRTN-1
Check:
Detailed Policy Requirements:
The smartphone management server administrator must be trained on the following requirements:
- Administrative service accounts will not be used to log into the smartphone management server or any server service.
- Activation passwords or PINs will consist of a pseudo-random pattern of at least eight characters, consisting of at least two letters and two numbers. A new activation password must be selected each time one is assigned (e.g., the same password cannot be used for all users or for a group of users).
- User and group accounts on the smartphone management server will always be assigned a STIG-compliant security/IT policy.
Check Procedures:
Verify the smartphone management server administrator(s) has received the required training. The site should document when the training was completed. Mark as a finding if the smartphone management server administrator did not receive the required training.
Fix:
Have smartphone management server administrator complete and document his/her training.
Vuln ID:
V-24971
Rule ID:
SV-30708r3_rule
Group ID:
Annual self assessments
Version:
WIR-WMSP-002
CCI:
Severity:
Low
Description:
The security integrity of the smartphone system depends on local sites where smartphone handhelds are provisioned and issued complying with STIG requirements. The risk of malware introduced on a handheld device and avenues of attack into the enclave via a smartphone device could result if STIG procedures are not followed.
Responsibility: Information Assurance Officer
IA Controls: ECWN-1
Check:
Annual self-assessments will be conducted according to the appropriate smartphone STIG, with the assessment results being entered into the VMS/Component Provided Tracking Database.
Verify the IAO of the site where the smartphone management server is located is tracking that local/remote sites (where smartphone devices are provisioned, issued, and managed) are conducting annual self-assessments according to the appropriate smartphone STIG. Verify the results of the assessments are being entered into the VMS/Component Provided Tracking Database.
Note: Command-level action should be considered for local sites not complying with STIG requirements for the provisioning, issuance, and management of smartphones.
Mark as a finding if required annual self-assessments have not been completed by the site.
Fix:
The IAO at the smartphone management server site has verified local sites are conducting annual self assessments.
Vuln ID:
V-28313
Rule ID:
SV-36041r2_rule
Group ID:
Smartphone admin training renewed annually
Version:
WIR-WMSP-001-02
CCI:
Severity:
Low
Description:
The smartphone management server administrator must renew required training annually.
Responsibility: Information Assurance Officer
IA Controls: PRTN-1
Check:
Detailed Policy Requirements:
The smartphone management server administrator's required training must be renewed annually.
Check Procedures:
The site should document when training was completed. Verify training is renewed annually. Mark as a finding if smartphone management server administrator training is not renewed annually.
Fix:
Renew required training annually.