| V-4634 | High | Bluetooth (and Zigbee) devices must not be used to send, receive, store, or process classified information. | Classified data could be compromised since Bluetooth (and Zigbee) devices do not meet DoD encryption requirements for classified data. |
| V-18619 | Medium | Bluetooth peripherals must conform to the DoD Bluetooth Peripheral Device Security Requirements Specification.
| Sensitive unclassified voice and data communications could be intercepted and exposed if required security controls are not used. |
| V-3499 | Medium | If Bluetooth (or Zigbee) devices transmit unclassified DoD data communications, then they must use FIPS 140-2 validated cryptographic modules for data in transit, including digital voice communications. | FIPS validation provides assurance that the cryptographic modules are implemented correctly and resistant to compromise. Failure to use FIPS 140-2 validated cryptographic modules makes it more... |
| V-30360 | Low | The site must have a written policy or training materials stating Bluetooth must be disabled on all applicable devices unless they employ FIPS 140-2 validated cryptographic modules for data-in-transit. | Policy and training provide assurance that security requirements will be implemented in practice. Failure to use FIPS 140-2 validated cryptography makes data more vulnerable to security breaches. |
