| Vuln ID | Severity | Rule Title | Discussion |
| --- | --- | --- | --- |
| V-24960 | High | Mobile operating system (OS) based CMDs and systems must not be used to send, receive, store, or process classified messages unless specifically approved by NSA for such purposes and NSA approved transmission and storage methods are used. | DoDD 8100.2 states wireless devices will not be used for classified data unless approved for such use. Classified data could be exposed to unauthorized personnel. |
| V-24957 | High | If a data spill (Classified Message Incident (CMI)) occurs on a wireless email device or system at a site, the site must follow required data spill procedures. | If required procedures are not followed after a data spill, classified data could be exposed to unauthorized personnel. |
| V-32677 | High | A security risk analysis must be performed on a mobile application by the Authorizing Official (AO) or AO-authorized authority prior to the application being approved for use. | Non-approved applications can contain malware. Approved applications should be reviewed and tested by the AO to ensure they do not contain malware, spyware, or have unexpected features (e.g., send... |
| V-24955 | Medium | A data spill (Classified Message Incident (CMI)) procedure or policy must be published for site CMDs. | When a data spill occurs on a CMD, classified or sensitive data must be protected to prevent disclosure. After a data spill, the CMD must either be wiped using approved procedures, or destroyed if... |
| V-24964 | Low | Mobile device software updates must only originate from approved DoD sources. | Users must not accept Over-The-Air (OTA) wireless software updates from the wireless carrier or other non-DoD sources unless the updates have been tested and approved by the ISSO.... |
| V-24963 | Low | The mobile device system administrator must perform a wipe command on all new or reissued CMDs, and a STIG-compliant IT policy must be pushed to the device before issuing it to DoD personnel. | Malware can be installed on the device at some point between shipping from the factory and delivery to DoD. The malware could result in the compromise of sensitive DoD information or result in... |
| V-24958 | Low | Required procedures must be followed for the disposal of CMDs. | If appropriate procedures are not followed prior to disposal of a CMD, an adversary may be able to obtain sensitive DoD information or learn aspects of the configuration of the device that might... |
| V-24961 | Low | Mobile device users must complete training on required content before being provided mobile devices or allowed access to DoD networks with a mobile device. | Users are the first line of security controls for CMD systems. They must be trained in using CMD security controls or the system could be vulnerable to attack. |
| V-24953 | Low | Site physical security policy must include a statement outlining whether CMDs with digital cameras (still and video) are permitted or prohibited on or in this DoD facility. | Mobile devices with cameras are easily used to photograph sensitive information and areas if not addressed. Sites must establish, document, and train on how to mitigate this threat. |
| V-24969 | Low | Required actions must be followed at the site when a CMD has been lost or stolen. | If procedures for lost or stolen CMDs are not followed, it is more likely that an adversary could obtain the device and use it to access DoD networks or otherwise compromise DoD IA. |
| V-24962 | Low | The site Incident Response Plan or other procedure must include procedures to follow when a mobile operating system (OS) based mobile device is reported lost or stolen. | Sensitive DoD data could be stored in memory on a DoD operated mobile operating system (OS) based CMD, and the data could be compromised if required actions are not followed when a CMD is lost or... |
| V-28317 | Low | Mobile users must complete required training annually. | Users are the first line of security controls for CMD systems. They must be trained in using CMD security controls or the system could be vulnerable to attack. If training is not renewed on an... |