If Bluetooth (or Zigbee) devices transmit unclassified DoD data communications, then they must use FIPS 140-2 validated cryptographic modules for data in transit, including digital voice communications.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-3499	WIR0400	SV-3499r2_rule	ECCT-1	Medium

Description
FIPS validation provides assurance that the cryptographic modules are implemented correctly and resistant to compromise. Failure to use FIPS 140-2 validated cryptographic modules makes it more likely that sensitive DoD data will be exposed to unauthorized people.

STIG	Date
Bluetooth/Zigbee Security Technical Implementation Guide (STIG)	2013-03-14

Details

Check Text ( C-39029r4_chk )
NOTE: This check also applies to Bluetooth voice and wireless USB (WUSB) devices. This check does not apply to Zigbee telemetry sensor data or other Zigbee data where the IAO has determined the data is not sensitive. - If the site uses Bluetooth (or Zigbee) for data or voice communications, check a sample (3-4) of Bluetooth (or Zigbee) enabled devices and note their make and model. Examine the associated product documentation to determine if the device employs FIPS 140-2 validated cryptographic modules for data-in-transit, to include digital voice communications. This should be accomplished by reviewing the relevant FIPS certificate in the product documentation or the NIST web site. Mark as a finding if any Bluetooth (or Zigbee) device does have a FIPS 140-2 validated cryptographic module supporting encryption of data in transit. Note: This requirement only applies to mobile devices that are expected to leave a DoD facility. It does not apply to voice headsets for fixed location assets such as IP-based desk telephones. No encryption or identification requirements are required for this use.

Check Text ( C-39029r4_chk )

NOTE: This check also applies to Bluetooth voice and wireless USB (WUSB) devices. This check does not apply to Zigbee telemetry sensor data or other Zigbee data where the IAO has determined the data is not sensitive.

- If the site uses Bluetooth (or Zigbee) for data or voice communications, check a sample (3-4) of Bluetooth (or Zigbee) enabled devices and note their make and model. Examine the associated product documentation to determine if the device employs FIPS 140-2 validated cryptographic modules for data-in-transit, to include digital voice communications. This should be accomplished by reviewing the relevant FIPS certificate in the product documentation or the NIST web site.

Mark as a finding if any Bluetooth (or Zigbee) device does have a FIPS 140-2 validated cryptographic module supporting encryption of data in transit.

Note: This requirement only applies to mobile devices that are expected to leave a DoD facility. It does not apply to voice headsets for fixed location assets such as IP-based desk telephones. No encryption or identification requirements are required for this use.

Fix Text (F-3430r1_fix)
Disable Bluetooth or procure Bluetooth devices that employ FIPS 140-2 validated cryptographic modules for data-in-transit.