| V-12072 | High | Wireless devices must not be allowed in a permanent, temporary, or mobile Sensitive Compartmented Information Facilities (SCIFs), unless approved by the SCIF Cognizant Security Authority (CSA) in accordance with Intelligence Community Directive 503 and Director Central Intelligence Directive (DCID) 6/9, the DAA, and the site Special Security Officer (SSO).
| Emanations from computing devices in the secured area may be transmitted or picked up inadvertently by wireless devices. |
| V-8283 | High | All wireless/mobile systems (including associated peripheral devices, operating system, applications, network/PC connection methods, and services) must be approved by the approval authority prior to installation and use for processing DoD information.
| Unauthorized wireless systems expose DoD networks to attack. The DAA and appropriate commanders must be aware of all wireless systems used at the site. DAAs should ensure a risk assessment for... |
| V-24957 | High | If a data spill (Classified Message Incident (CMI)) occurs on a wireless email device or system at a site, the site must follow required data spill procedures. | If required procedures are not followed after a data spill, classified data could be exposed to unauthorized personnel. |
| V-36594 | High | A Secure WLAN (SWLAN) connected to the SIPRNet must have a SIPRNet connection approval package on file with the Classified Connection Approval Office (CCAO). | The CCAO approval process provides assurance that the SWLAN use is appropriate and does not introduce unmitigated risks into the SIPRNET. |
| V-36590 | High | The site must successfully complete a security assessment of the CSfC based campus WLAN system to confirm compliance with the CSfC Campus WLAN Capability Package prior to IOC and yearly thereafter. | Classified data could be exposed if the campus WLAN system is operated out of compliance with the Commercial Solutions for Classified (CSfC) Campus IEEE 802.11 Wireless Local Area Network (WLAN)... |
| V-36593 | Medium | If Commercial Mobile Devices (CMD) (smartphones or tablets) are used as clients in the campus WLAN system, DoD CIO Memorandum, Use of Commercial Mobile Device (CMD) in the Department of Defense (DoD) must be followed. | DoD CIO Memorandum, “Use of Commercial Mobile Device (CMD) in the Department of Defense (DoD)”, 6 Apr 2011, requires specific security controls be implemented in the DoD because these technologies... |
| V-24955 | Medium | A data spill (Classified Message Incident (CMI)) procedure or policy must be published for site CMDs. | When a data spill occurs on a CMD, classified or sensitive data must be protected to prevent disclosure. After a data spill, the CMD must either be wiped using approved procedures, or destroyed if... |
| V-13982 | Low | All users of mobile devices or wireless devices must sign a user agreement before the mobile or wireless device is issued to the user and the user agreement used at the site must include required content. | Lack of user training and understanding of responsibilities to safeguard wireless technology is a significant vulnerability to the enclave. Once policies are established, users must be trained to... |
| V-36592 | Low | User training must include required topics. | Classified data could be exposed if users of client devices, that are components a campus WLAN system that is based on the CSfC Campus IEEE 802.11 Wireless Local Area Network (WLAN) Capability... |
| V-24958 | Low | Required procedures must be followed for the disposal of CMDs. | If appropriate procedures are not followed prior to disposal of a CMD, an adversary may be able to obtain sensitive DoD information or learn aspects of the configuration of the device that might... |
| V-8297 | Low | Wireless devices connecting directly or indirectly to the network must be included in the site security plan. | The DAA and site commander must be aware of all approved wireless devices used at the site or DoD data could be exposed to unauthorized people. Documentation of the enclave configuration must... |
| V-8284 | Low | The site IAO must maintain a list of all DAA-approved wireless and non-wireless PED devices that store, process, or transmit DoD information. | The site must maintain a list of all DAA-approved wireless and non-wireless CMDs. Close tracking of authorized wireless devices will facilitate the search for rogue devices. Sites must keep good... |
| V-24969 | Low | Required actions must be followed at the site when a CMD has been lost or stolen. | If procedures for lost or stolen CMDs are not followed, it is more likely that an adversary could obtain the device and use it to access DoD networks or otherwise compromise DoD IA. |
| V-24962 | Low | The site Incident Response Plan or other procedure must include procedures to follow when a mobile operating system (OS) based mobile device is reported lost or stolen. | Sensitive DoD data could be stored in memory on a DoD operated mobile operating system (OS) based CMD and the data could be compromised if required actions are not followed when a CMD is lost or... |
