| V-24960 ||High ||Mobile operating system (OS) based smartphone and tablet devices and systems must not be used to send, receive, store, or process classified messages unless specifically approved by NSA for such purposes and NSA approved transmission and storage methods are used. ||DoDD 8100.2 states wireless devices will not be used for classified data unless approved for such use. Classified data could be exposed to unauthorized personnel. |
| V-8283 ||High ||All wireless systems (including associated peripheral devices, operating system, applications, network/PC connection methods, and services) must be approved by the approval authority prior to installation and use for processing DoD information. ||Unauthorized wireless systems expose DoD networks to attack. The DAA and appropriate commanders must be aware of all wireless systems used at the site. DAAs should ensure a risk assessment for... |
| V-24957 ||High ||If a data spill (Classified Message Incident (CMI)) occurs on a wireless email device or system at a site, the site must follow required data spill procedures. ||If required procedures are not followed after a data spill, classified data could be exposed to unauthorized personnel. |
| V-30413 ||High ||Smartphones and tablets classified as non-enterprise activated must not be connected to a DoD network. ||Some smartphones and tablets, including some models of Windows 7, Android, iOS, and BlackBerry smartphones and tablets, are not authorized to connect to DoD networks or to DoD PCs that will be... |
| V-24955 ||Medium ||A data spill (Classified Message Incident (CMI)) procedure or policy must be published for site smartphones and tablets. ||When a data spill occurs on a smartphone/tablet, classified or sensitive data must be protected to prevent disclosure. After a data spill, the smartphone/tablet must either be wiped using approved... |
| V-15782 ||Medium ||DAA must approve the use of personally-owned or contractor-owned PEDs used to transmit, receive, store, or process DoD information. ||The use of unauthorized personally-owned wireless devices to receive, store, process, or transmit DoD data could expose sensitive DoD data to unauthorized people. The use of personally-owned PEDs... |
| V-30414 ||Medium ||A written policy and training material must exist that states smartphones/tablets that are classified as non-enterprise activated must not be used to send, receive, store, or process sensitive/FOUO data and information. ||Some mobile devices, including some models of Windows 7, Android, iOS, and BlackBerry smartphones and tablets, are not authorized to store or process sensitive DoD data and information because... |
| V-30415 ||Medium ||A written policy and training material must exist that states smartphones/tablets classified as non-enterprise activated must not access DoD email systems. ||Some mobile devices, including some models of Windows 7, Android, iOS, and BlackBerry smartphones and tablets, are not authorized to connect to DoD email systems, because they do not have required... |
| V-13982 ||Low ||All users of mobile devices or wireless devices must sign a user agreement before the mobile or wireless device is issued to the user and the user agreement used at the site must include required content. ||Lack of user training and understanding of responsibilities to safeguard wireless technology is a significant vulnerability to the enclave. Once policies are established, users must be trained to... |
| V-28314 ||Low ||If DAA has approved the use of personally-owned or contractor-owned PEDs, the owner must sign a forfeiture agreement in case of a security incident. ||The use of unauthorized personally-owned or contractor-owned wireless devices to receive, store, process, or transmit DoD data could expose sensitive DoD data to unauthorized people. The use of... |
| V-24961 ||Low ||Smartphone users must complete required training. ||Users are the first line of security controls for smartphone systems. They must be trained in using smartphone security controls or the system could be vulnerable to attack. |
| V-24958 ||Low ||Required procedures must be followed for the disposal of smartphones. ||If appropriate procedures are not followed prior to disposal of a smartphone, an adversary may be able to obtain sensitive DoD information or learn aspects of the configuration of the device that... |
| V-24953 ||Low ||Site physical security policy must include a statement if PDAs and smartphones with digital cameras (still and video) are permitted or prohibited on or in this DoD facility. ||Mobile devices with cameras are easily used to photograph sensitive information and areas if not addressed. Sites must establish, document, and train on how to mitigate this threat. |
| V-24969 ||Low ||Required actions must be followed at the site when a smartphone has been lost or stolen. ||If procedures for lost or stolen smartphones/tablets are not followed, it is more likely that an adversary could obtain the device and use it to access DoD networks or otherwise compromise DoD IA. |
| V-8284 ||Low ||The site IAO must maintain a list of all DAA-approved wireless and non-wireless PED devices that store, process, or transmit DoD information. ||The site must maintain a list of all DAA-approved wireless and non-wireless PEDs. Close tracking of authorized wireless devices will facilitate the search for rogue devices. Sites must keep good... |
| V-24962 ||Low ||The site Incident Response Plan or other procedure must include procedures to follow when a mobile operating system (OS) based smartphone or tablet device is reported lost or stolen. ||Sensitive DoD data could be stored in memory on a DoD operated mobile operating system (OS) based smartphone and tablet device and the data could be compromised if required actions are not... |
| V-28317 ||Low ||Smartphone/tablet users must complete required training annually. ||Users are the first line of security controls for smartphone/tablet systems. They must be trained in using smartphone security controls or the system could be vulnerable to attack. If training is... |
| V-30416 ||Low ||The site must have a Personal Use Policy for site/Command managed or owned mobile devices (smartphones and tablets) approved by the site DAA. ||Malware can be introduced on a DoD enclave via personally owned applications and personal web site accounts. In addition, sensitive DoD data could be exposed by the same malware. |