Commercial Mobile Device (CMD) Policy Security Technical Implementation Guide (STIG)


Overview

Date: 2013-03-12
Finding Count: 19 (CAT I (High): 3, CAT II (Med): 3, CAT III (Low): 13)
STIG Description
This STIG contains the policy, training, and operating procedure security controls for the use of CMDs in the DoD environment. The previous version of this STIG (V1R8) was called the Smartphone Policy STIG. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.

Findings (MAC II - Mission Support Classified)

Finding ID Severity Title
V-24960 High Mobile operating system (OS) based CMDs and systems must not be used to send, receive, store, or process classified messages unless specifically approved by NSA for such purposes and NSA approved transmission and storage methods are used.
V-24957 High If a data spill (Classified Message Incident (CMI)) occurs on a wireless email device or system at a site, the site must follow required data spill procedures.
V-32677 High A security risk analysis must be performed on a mobile application by the DAA or DAA authorized authority prior to the application being approved for use.
V-24965 Medium CMD Instant Messaging (IM) client application must connect only to a DoD controlled IM server compliant with the Instant Messaging STIG.
V-24955 Medium A data spill (Classified Message Incident (CMI)) procedure or policy must be published for site CMDs.
V-32674 Medium All non-core applications on the CMD must be approved by the DAA or the Command IT Configuration Control Board.
V-24966 Low The site wireless policy or wireless remote access policy must include information on required CMD Wi-Fi security controls.
V-24964 Low Mobile device software updates must only originate from approved DoD sources.
V-24963 Low The mobile device SA must perform a wipe command on all new or reissued CMDs and a STIG-compliant IT policy will be pushed to the device before issuing it to DoD personnel.
V-24958 Low Required procedures must be followed for the disposal of CMDs.
V-24961 Low Mobile device users must complete training on required content before being provided mobile devices or allowed access to DoD networks with a mobile device.
V-24953 Low Site physical security policy must include a statement outlining whether CMDs with digital cameras (still and video) are permitted or prohibited on or in this DoD facility.
V-24969 Low Required actions must be followed at the site when a CMD has been lost or stolen.
V-24968 Low Mobile devices must be provisioned with DoD PKI digital certificates, so users can digitally sign and encrypt email notifications or other email messages required by DoD policy. DAA approval will be obtained prior to the use of software PKI certificates on mobile devices.
V-25036 Low The site physical security policy must include a statement if CMDs with digital cameras (still and video) are permitted or prohibited on or in the DoD facility.
V-25034 Low Users must receive training on required topics before they are authorized to access a DoD network via a wireless remote access device.
V-25035 Low The site must have a Wireless Remote Access Policy signed by the site DAA, Commander, Director, or other appropriate authority.
V-24962 Low The site Incident Response Plan or other procedure must include procedures to follow when a mobile operating system (OS) based mobile device is reported lost or stolen.
V-28317 Low Mobile users must complete required training annually.