{
"stig": {
"date": "2016-09-30",
"description": "This STIG contains the policy, training, and operating procedure security controls for the use of CMDs in the DoD environment. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.",
"findings": {
"V-24953": {
"checkid": "C-31111r4_chk",
"checktext": "This requirement applies to mobile operating system (OS) CMDs.\n\nWork with the traditional reviewer to review the site\u2019s physical security policy. Verify the site addresses CMDs with embedded cameras.\n\nIf there is no written physical security policy outlining whether CMDs with cameras are permitted or prohibited on or in this DoD facility, this is a finding.",
"description": "Mobile devices with cameras are easily used to photograph sensitive information and areas if not addressed. Sites must establish, document, and train on how to mitigate this threat. ",
"fixid": "F-27579r3_fix",
"fixtext": "Update the security documentation to include a statement outlining whether CMDs with digital cameras (still and video) are allowed in the facility. ",
"iacontrols": [
"ECWN-1"
],
"id": "V-24953",
"ruleID": "SV-30690r4_rule",
"severity": "low",
"title": "Site physical security policy must include a statement outlining whether CMDs with digital cameras (still and video) are permitted or prohibited on or in this DoD facility.",
"version": "WIR-SPP-001"
},
"V-24955": {
"checkid": "C-31114r10_chk",
"checktext": "Detailed Policy Requirements: \nThis requirement applies to mobile operating system (OS) CMDs.\n\nThis requirement also applies to sensitive DoD information stored on mobile OS devices that are not authorized to connect to DoD networks or store/process sensitive DoD information. Sensitive DoD data or information is defined as any data/information that has not been approved for public release by the site/Command Public Affairs Officer (PAO).\n\nIn accordance with DoD policy, all components must establish Incident Handling and Response procedures. A CMI or \u201cdata spill\u201d occurs when a classified email is inadvertently sent on an unclassified network and received on a wireless email device. Classified information may also be transmitted through some other form of file transfer to include web browser downloads and files transferred through tethered connections. CMDs are not authorized for processing classified data. \n\nA data spill also occurs if a classified document is attached to an otherwise unclassified email. For BlackBerry and Good Mobile Messaging systems, a data spill will only occur if the classified attached document is viewed or opened by the CMD user since the CMD system only downloads an attachment on the CMD if the user views or opens the attachment. The site's Incident Handling and Response procedures should reference NSA/CSS Storage Device Declassification Manual 9-12, Section 5, for smartphone destruction procedures. \n\nCheck Procedures: \nInterview the ISSO. Verify classified incident handling, response, and reporting procedures are documented in site CMD procedures or security policies.\n\nIf classified incident handling, response, and reporting procedures are not documented in site CMD procedures or security policies, this is a finding.\n\nThis requirement applies at both sites where CMDs are issued and managed and at sites where the CMD management server is located.\n\n- At the CMD management server site, verify Incident Handling and Response procedures include actions to sanitize the CMD management server and email servers (e.g., Exchange, Oracle mail). \n\n- At CMD sites, verify Incident Handling and Response procedures include actions for incident reporting and actions to safeguard classified smartphone devices. The following actions will be followed for all CMDs involved in a data spill:\n\nIf Incident Handling and Response procedures do not include required information, this is a finding.",
"description": "When a data spill occurs on a CMD, classified or sensitive data must be protected to prevent disclosure. After a data spill, the CMD must either be wiped using approved procedures, or destroyed if no procedures are available, so classified or sensitive data is not exposed. If a data spill procedure is not published, the site may not use approved procedures to remediate after a data spill occurs and classified data could be exposed.",
"fixid": "F-27582r3_fix",
"fixtext": "Publish a Classified Message Incident (CMI) procedure or policy for the site.",
"iacontrols": null,
"id": "V-24955",
"ruleID": "SV-30692r6_rule",
"severity": "medium",
"title": "A data spill (Classified Message Incident (CMI)) procedure or policy must be published for site CMDs.",
"version": "WIR-SPP-003-01"
},
"V-24957": {
"checkid": "C-31115r8_chk",
"checktext": "Detailed Policy Requirements: \nThis requirement applies to mobile operating system (OS) CMDs.\n\nThis requirement also applies to sensitive DoD information stored on mobile OS devices that are not authorized to connect to DoD networks or store/process sensitive DoD information. Sensitive DoD data or information is defined as any data/information that has not been approved for public release by the site/Command Public Affairs Officer (PAO).\n\nIf a data spill occurs on a CMD, the following actions must be completed: \n\n- The CMD management server and email servers (e.g., Exchange, Oracle mail) are handled as classified systems until they are sanitized according to appropriate procedures. (See NSA/CSS Storage Device Declassification Manual 9-12 for sanitization procedures.)\n\n- The CMD is handled as a classified device and destroyed according to DoD guidance for destroying classified equipment or sanitized as directed in Check WIR-SPP-003-01. \n\nCheck Procedures: \nInterview the ISSO. Determine if the site has had a data spill within the previous 24 months. If yes, review written records, incident reports, and/or after action reports and determine if required procedures were followed. \n\nIf the site had a data spill within the previous 24 months and required procedures were not followed, this is a finding.",
"description": "If required procedures are not followed after a data spill, classified data could be exposed to unauthorized personnel.",
"fixid": "F-27583r4_fix",
"fixtext": "Follow required procedures after a data spill occurs.",
"iacontrols": null,
"id": "V-24957",
"ruleID": "SV-30694r5_rule",
"severity": "high",
"title": "If a data spill (Classified Message Incident (CMI)) occurs on a wireless email device or system at a site, the site must follow required data spill procedures.",
"version": "WIR-SPP-003-02"
},
"V-24958": {
"checkid": "C-31118r8_chk",
"checktext": "This requirement applies to mobile operating system (OS) CMDs.\n\nPrior to disposing of a CMD (for example, if a CMD is transferred to another DoD or government agency), follow the disposal procedures found in the mobile operating system STIG Supplemental document. \n\nInterview the ISSO. \n\nVerify proper procedures are being followed and the procedures are documented. \n\nCheck to see how retired, discarded, or transitioned CMDs were disposed of during the previous 6 \u2013 12 months and verify compliance with requirements. \n\nIf procedures are not documented, or if they are documented but were not followed, this is a finding.\n",
"description": "If appropriate procedures are not followed prior to disposal of a CMD, an adversary may be able to obtain sensitive DoD information or learn aspects of the configuration of the device that might facilitate a subsequent attack.",
"fixid": "F-27586r3_fix",
"fixtext": "Follow required procedures prior to disposing of a CMD or transitioning it to another user.",
"iacontrols": null,
"id": "V-24958",
"ruleID": "SV-30695r6_rule",
"severity": "low",
"title": "Required procedures must be followed for the disposal of CMDs.",
"version": "WIR-SPP-004"
},
"V-24960": {
"checkid": "C-31119r7_chk",
"checktext": "Interview the ISSO. \n\nVerify written policy and training material exists (or the requirement is listed on a signed user agreement) stating if and when CMDs can be used to transmit classified information. \n\nIf no written policy or training material exists stating if and when CMDs can be used to receive, transmit, or process classified information, this is a finding. \n",
"description": "DoDD 8100.2 states wireless devices will not be used for classified data unless approved for such use. Classified data could be exposed to unauthorized personnel.",
"fixid": "F-27587r5_fix",
"fixtext": "Publish written policy or training material stating if and when CMDs can be used to process, send, or receive classified information. ",
"iacontrols": null,
"id": "V-24960",
"ruleID": "SV-30697r5_rule",
"severity": "high",
"title": "Mobile operating system (OS) based CMDs and systems must not be used to send, receive, store, or process classified messages unless specifically approved by NSA for such purposes and NSA approved transmission and storage methods are used.",
"version": "WIR-SPP-005"
},
"V-24961": {
"checkid": "C-31120r20_chk",
"checktext": "Detailed Policy Requirements: \nThis requirement applies to mobile operating system (OS) CMDs.\n\nAll mobile device users must receive required training on the following topics before they are provided a mobile device or allowed access to DoD networks with a mobile device. Training is divided into two groups: Group A (general topics) and Group B (device specific topics). DISA\u2019s Smartphones and Tablets security course satisfies the requirement for Group A training topics. The course is located at: http://iase.disa.mil/eta/smartphone_tablet_v1/launchpage.htm.\n\na. Requirement that personally-owned PEDs are not used to transmit, receive, store, or process DoD information unless approved by the AO and the owner signs a forfeiture agreement in case of a security incident.\n\nb. Procedures for wireless device usage in and around classified processing areas.\n\nc. Requirement that PEDs with digital cameras (still and video) are not allowed in any SCIF or other areas where classified documents or information is stored, transmitted, or processed.\n\nd. Procedures for a data spill. \n\ne. Requirement that Over-The-Air (OTA) wireless software updates should only come from DoD-approved sources. \n\nf. When CMD Wi-Fi Service is used, the following training will be completed: \n- Procedures for setting up a secure Wi-Fi connection and verifying the active connection is to a known access point. \n\n- Approved connection options (e.g., enterprise, home). \n\n- Requirements for home Wi-Fi connections. \n\n- The Wi-Fi radio will be disabled by the user whenever a Wi-Fi connection is not being used.\n\n- The Wi-Fi radio must never be enabled while the CMD is connected via a cable to a PC.\n\ng. Do not discuss FOUO or classified information on non-secure (devices whose cryptographic modules protecting data in transit are not FIPS 140-2 certified or NSA Type-1 certified for voice) cellular phones, cordless phones, and two-way radios used for voice communications. \n\nh. Do not connect PDAs, smartphones, and tablets to any workstation that stores, processes, or transmits classified data. \n\ni. The installation of user owned applications, including geo-location aware applications, on the mobile device will be based on the Command\u2019s Mobile Device Personal Use Policy.\n\nj. The use of the mobile OS device to view and/or download personal email will be based on the Command\u2019s Mobile Device Personal Use Policy.\n\nk. The download of user owned data (music files, picture files, etc.) on the mobile device will be based on the Command\u2019s Mobile Device Personal Use Policy.\n\nl. All radios on the mobile device (Wi-Fi, Bluetooth, near-field communications (NFC)) must be turned off when not needed. This does not apply to radios supporting voice and data communication over a wireless carrier\u2019s cellular network, in which case continuous connectivity is permissible.\n\nm. Procedure on how to disable Location Services on the device. Location Services must be disabled for all applications or enabled only for applications approved by the AO for location based services.\n\nn. Connecting PDAs, smartphones, and tablets to any DoD workstation via a USB connection is prohibited. \n\nNote: Listing training requirements in the User Agreement is an acceptable procedure for informing/training users on many of the required training topics. \n\nCheck Procedures: \n- Review site CMD training material to see if it contains the required content. \nNote: Some training content may be listed in the User Agreement signed by the user. \n\n- Verify site training records show that CMD users received required training and training occurred before the user was issued a CMD. Check training records for approximately five users, picked at random.\n\nIf training material does not contain required content, or training records do not show that users received the required training before being issued a CMD, this is a finding.\n",
"description": "Users are the first line of security controls for CMD systems. They must be trained in using CMD security controls or the system could be vulnerable to attack.",
"fixid": "F-27591r4_fix",
"fixtext": "Have all mobile device users complete training on required content. ",
"iacontrols": null,
"id": "V-24961",
"ruleID": "SV-30698r6_rule",
"severity": "low",
"title": "Mobile device users must complete training on required content before being provided mobile devices or allowed access to DoD networks with a mobile device.",
"version": "WIR-SPP-006-01"
},
"V-24962": {
"checkid": "C-31122r9_chk",
"checktext": "Detailed Policy Requirements: \n\nThe site (location where CMDs are issued and managed and the site where the mobile operating system (OS) based CMD management server is located) must publish procedures to follow if a CMD has been lost or stolen. The procedures should include (as appropriate):\n\n- Mobile device user notifies ISSO, SM, and other site personnel, as required by the site\u2019s Incident Response Plan, within the timeframe required by the site\u2019s Incident Response Plan. \n\n- The ISSO notifies the mobile device management server system administrator and other site personnel, as required by the site\u2019s Incident Response Plan, within the timeframe required by the site\u2019s Incident Response Plan. \n\n- The site mobile device management server administrator sends a wipe command to the CMD and then disables the user account on the management server or removes the CMD from the user account.\n\n- The site will contact the carrier to have the device deactivated on the carrier\u2019s network.\n\nCheck Procedures: \nInterview the ISSO. \n\nReview the site\u2019s Incident Response Plan or other policies to determine if the site has a written plan of action.\n\nIf the site does not have a written plan of action following a lost or stolen CMD, this is a finding.",
"description": "Sensitive DoD data could be stored in memory on a DoD operated mobile operating system (OS) based CMD and the data could be compromised if required actions are not followed when a CMD is lost or stolen. Without procedures for lost or stolen mobile operating system (OS) based CMD devices, it is more likely that an adversary could obtain the device and use it to access DoD networks or otherwise compromise DoD IA.",
"fixid": "F-27603r2_fix",
"fixtext": "Publish procedures to follow if a mobile operating system (OS) based CMD is lost or stolen. ",
"iacontrols": null,
"id": "V-24962",
"ruleID": "SV-30699r6_rule",
"severity": "low",
"title": "The site Incident Response Plan or other procedure must include procedures to follow when a mobile operating system (OS) based mobile device is reported lost or stolen.",
"version": "WIR-SPP-007-01"
},
"V-24963": {
"checkid": "C-31126r7_chk",
"checktext": "Detailed Policy Requirements: \nThe CMD system administrator must perform a wipe command on all new or reissued CMDs, reload system software, and load a STIG-compliant security policy on the CMD before issuing it to DoD personnel and placing the device on a DoD network. The intent is to return the device to the factory state before the DoD software baseline is installed.\n\nWhen wireless activation is performed, the activation password is passed to the user in a secure manner (e.g., activation password is encrypted and emailed to an individual). \n\nCheck Procedures: \nInterview the ISSO. Verify required procedures are followed. If required procedures were not followed, this is a finding.",
"description": "Malware can be installed on the device at some point between shipping from the factory and delivery to DoD. The malware could result in the compromise of sensitive DoD information or result in the introduction of malware within the DoD network.",
"fixid": "F-27597r3_fix",
"fixtext": "Perform a wipe command on all new or reissued mobile devices.",
"iacontrols": null,
"id": "V-24963",
"ruleID": "SV-30700r5_rule",
"severity": "low",
"title": "The mobile device system administrator must perform a wipe command on all new or reissued CMDs and a STIG-compliant IT policy will be pushed to the device before issuing it to DoD personnel.",
"version": "WIR-SPP-008-01"
},
"V-24964": {
"checkid": "C-31127r8_chk",
"checktext": "Detailed Policy Requirements: \nSoftware updates must come from either DoD sources or DoD-approved sources. CMD system administrators should push OTA software updates from the CMD management server, when this feature is available. Otherwise, the site administrator should verify the non-DoD source of the update has been approved by IT management. \n\nCheck Procedures: \nInterview the ISSO and CMD management server system administrator. \n\n- Verify the site mobile device handheld and mobile device management server administrators are aware of the requirements. \n\n- Determine what procedures are used at the site for installing software updates on site-managed CMDs.\n\nIf the site does not have procedures in place so that users download software updates from a DoD source or DoD-approved source, this is a finding.",
"description": "Users must not accept Over-The-Air (OTA) wireless software updates from the wireless carrier or other non-DoD sources unless the updates have been tested and approved by the ISSO. Unauthorized/unapproved software updates could include malware or cause a degradation of the security posture of the CMD and DoD network infrastructure. All software updates should be reviewed and/or tested by the smartphone system administrator and originate from a DoD source or DoD-approved source. Wireless software updates should be pushed from the CMD management server, when this feature is available.",
"fixid": "F-27598r3_fix",
"fixtext": "Ensure CMD software updates originate from DoD sources or approved non-DoD sources only. Users do not accept Over-The-Air (OTA) wireless software updates from non-approved sources. ",
"iacontrols": [
"ECWN-1"
],
"id": "V-24964",
"ruleID": "SV-30701r4_rule",
"severity": "low",
"title": "Mobile device software updates must only originate from approved DoD sources.",
"version": "WIR-SPP-008-02"
},
"V-24969": {
"checkid": "C-31133r4_chk",
"checktext": "Interview the ISSO. Determine if any site mobile devices were reported lost or stolen within the previous 24 months. If yes, review written records, incident reports, and/or after action reports and determine if required procedures were followed. \n\nIf the site had a lost or stolen mobile device within the previous 24 months and required procedures were not followed, this is a finding. ",
"description": "If procedures for lost or stolen CMDs are not followed, it is more likely that an adversary could obtain the device and use it to access DoD networks or otherwise compromise DoD IA.",
"fixid": "F-27592r3_fix",
"fixtext": "Follow required actions when a CMD is reported lost or stolen.",
"iacontrols": [
"ECSC-1"
],
"id": "V-24969",
"ruleID": "SV-30706r5_rule",
"severity": "low",
"title": "Required actions must be followed at the site when a CMD has been lost or stolen.",
"version": "WIR-SPP-007-02"
},
"V-28317": {
"checkid": "C-35165r7_chk",
"checktext": "This requirement applies to mobile operating system (OS) CMDs.\n\nAll CMD users must receive required training annually. If training records do not show users receiving required training at least annually, this is a finding.",
"description": "Users are the first line of security controls for CMD systems. They must be trained in using CMD security controls or the system could be vulnerable to attack. If training is not renewed on an annual basis, users may not be informed of new security procedures or may forget previously trained procedures, which could lead to an exposure of sensitive DoD information.",
"fixid": "F-30413r2_fix",
"fixtext": "Complete required training annually for all CMD users. ",
"iacontrols": [
"PETN-1"
],
"id": "V-28317",
"ruleID": "SV-36045r5_rule",
"severity": "low",
"title": "Mobile users must complete required training annually.",
"version": "WIR-SPP-006-02"
},
"V-32677": {
"checkid": "C-41050r9_chk",
"checktext": "Detailed Requirements:\nCore applications are applications included in the mobile device operating system. Applications added by the wireless carrier are not considered core applications. A security risk analysis must be performed by the AO or AO-approved approval authority prior to a mobile OS application being approved for use.\n\n- The application review and approval process must include an evaluation of what OS level permissions are required by the application and how the application shares data and memory space with other applications. The review process must also ensure:\n- Approved applications do not contain malware or share data stored on the mobile OS device with non-DoD servers.\n\nCheck Procedures:\nAsk the site for documentation showing what security risk analysis procedures are used by the AO prior to approving non-core applications for use.\n\nDetermine if the procedures include an evaluation of the following:\n- What OS level permissions are required by the application? \n- The application does not contain malware.\n- The application does not share data stored on the CMDs with non-DoD servers.\n- If the application stores sensitive data, the application data storage container uses a FIPS 140-2 validated cryptographic module.\n\nIf a security review was not conducted on approved applications or the application security risk review procedures do not contain the required risk assessment evaluation tasks, this is a finding.\n",
"description": "Non-approved applications can contain malware. Approved applications should be reviewed and tested by the AO to ensure they do not contain malware, spyware, or have unexpected features (e.g., send private information to a web site, track user actions, connect to a non-DoD management server).\n",
"fixid": "F-36582r3_fix",
"fixtext": "Have AO or Command IT CCB use the required procedures to review mobile applications prior to approving them.\n",
"iacontrols": null,
"id": "V-32677",
"ruleID": "SV-43023r4_rule",
"severity": "high",
"title": "A security risk analysis must be performed on a mobile application by the Authorizing Official (AO) or AO-authorized authority prior to the application being approved for use. \n",
"version": "WIR-SPP-021"
}
},
"profiles": {
"MAC-1_Classified": {
"description": "",
"findings": {
"V-24953": "true",
"V-24955": "true",
"V-24957": "true",
"V-24958": "true",
"V-24960": "true",
"V-24961": "true",
"V-24962": "true",
"V-24963": "true",
"V-24964": "true",
"V-24969": "true",
"V-28317": "true",
"V-32677": "true"
},
"id": "MAC-1_Classified",
"title": "I - Mission Critical Classified"
},
"MAC-1_Public": {
"description": "",
"findings": {
"V-24953": "true",
"V-24955": "true",
"V-24957": "true",
"V-24958": "true",
"V-24960": "true",
"V-24961": "true",
"V-24962": "true",
"V-24963": "true",
"V-24964": "true",
"V-24969": "true",
"V-28317": "true",
"V-32677": "true"
},
"id": "MAC-1_Public",
"title": "I - Mission Critical Public"
},
"MAC-1_Sensitive": {
"description": "",
"findings": {
"V-24953": "true",
"V-24955": "true",
"V-24957": "true",
"V-24958": "true",
"V-24960": "true",
"V-24961": "true",
"V-24962": "true",
"V-24963": "true",
"V-24964": "true",
"V-24969": "true",
"V-28317": "true",
"V-32677": "true"
},
"id": "MAC-1_Sensitive",
"title": "I - Mission Critical Sensitive"
},
"MAC-2_Classified": {
"description": "",
"findings": {
"V-24953": "true",
"V-24955": "true",
"V-24957": "true",
"V-24958": "true",
"V-24960": "true",
"V-24961": "true",
"V-24962": "true",
"V-24963": "true",
"V-24964": "true",
"V-24969": "true",
"V-28317": "true",
"V-32677": "true"
},
"id": "MAC-2_Classified",
"title": "II - Mission Support Classified"
},
"MAC-2_Public": {
"description": "",
"findings": {
"V-24953": "true",
"V-24955": "true",
"V-24957": "true",
"V-24958": "true",
"V-24960": "true",
"V-24961": "true",
"V-24962": "true",
"V-24963": "true",
"V-24964": "true",
"V-24969": "true",
"V-28317": "true",
"V-32677": "true"
},
"id": "MAC-2_Public",
"title": "II - Mission Support Public"
},
"MAC-2_Sensitive": {
"description": "",
"findings": {
"V-24953": "true",
"V-24955": "true",
"V-24957": "true",
"V-24958": "true",
"V-24960": "true",
"V-24961": "true",
"V-24962": "true",
"V-24963": "true",
"V-24964": "true",
"V-24969": "true",
"V-28317": "true",
"V-32677": "true"
},
"id": "MAC-2_Sensitive",
"title": "II - Mission Support Sensitive"
},
"MAC-3_Classified": {
"description": "",
"findings": {
"V-24953": "true",
"V-24955": "true",
"V-24957": "true",
"V-24958": "true",
"V-24960": "true",
"V-24961": "true",
"V-24962": "true",
"V-24963": "true",
"V-24964": "true",
"V-24969": "true",
"V-28317": "true",
"V-32677": "true"
},
"id": "MAC-3_Classified",
"title": "III - Administrative Classified"
},
"MAC-3_Public": {
"description": "",
"findings": {
"V-24953": "true",
"V-24955": "true",
"V-24957": "true",
"V-24958": "true",
"V-24960": "true",
"V-24961": "true",
"V-24962": "true",
"V-24963": "true",
"V-24964": "true",
"V-24969": "true",
"V-28317": "true",
"V-32677": "true"
},
"id": "MAC-3_Public",
"title": "III - Administrative Public"
},
"MAC-3_Sensitive": {
"description": "",
"findings": {
"V-24953": "true",
"V-24955": "true",
"V-24957": "true",
"V-24958": "true",
"V-24960": "true",
"V-24961": "true",
"V-24962": "true",
"V-24963": "true",
"V-24964": "true",
"V-24969": "true",
"V-28317": "true",
"V-32677": "true"
},
"id": "MAC-3_Sensitive",
"title": "III - Administrative Sensitive"
}
},
"slug": "commercial_mobile_device_cmd_policy",
"title": "Commercial Mobile Device (CMD) Policy Security Technical Implementation Guide (STIG)",
"version": "2"
}
}