UCF STIG Viewer Logo

General Mobile Device Policy (Non-Enterprise Activated) Security Technical Implementation Guide


Date Finding Count (17)
2013-07-03 CAT I (High): 4 CAT II (Med): 4 CAT III (Low): 9
STIG Description
This STIG provides policy, training, and operating procedure security controls for the use of mobile devices (smartphone and tablets) that are not authorized to be connected to a DoD network or store or process sensitive or classified DoD data/information. Non-enterprise activated refers to any device that is operated under the use conditions found in Section 2.1 of the STIG overview document. See section 1.1 of the STIG overview document for additional information.

Available Profiles

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-24960 High Mobile operating system (OS) based CMDs and systems must not be used to send, receive, store, or process classified messages unless specifically approved by NSA for such purposes and NSA approved transmission and storage methods are used.
V-8283 High All wireless/mobile systems (including associated peripheral devices, operating system, applications, network/PC connection methods, and services) must be approved by the approval authority prior to installation and use for processing DoD information.
V-24957 High If a data spill (Classified Message Incident (CMI)) occurs on a wireless email device or system at a site, the site must follow required data spill procedures.
V-30413 High Smartphones and tablets classified as non-enterprise activated must not be connected to a DoD network.
V-24955 Medium A data spill (Classified Message Incident (CMI)) procedure or policy must be published for site CMDs.
V-15782 Medium Personnally owned or contractor owned CMDs must not be used to transmit, receive, store, or process DoD information or connect to DoD networks.
V-30414 Medium A written policy and training material must exist that states smartphones/tablets that are classified as non-enterprise activated must not be used to send, receive, store, or process sensitive/FOUO data and information.
V-30415 Medium A written policy and training material must exist that states smartphones/tablets classified as non-enterprise activated must not access DoD email systems.
V-13982 Low All users of mobile devices or wireless devices must sign a user agreement before the mobile or wireless device is issued to the user and the user agreement used at the site must include required content.
V-24961 Low Mobile device users must complete training on required content before being provided mobile devices or allowed access to DoD networks with a mobile device.
V-24958 Low Required procedures must be followed for the disposal of CMDs.
V-24953 Low Site physical security policy must include a statement outlining whether CMDs with digital cameras (still and video) are permitted or prohibited on or in this DoD facility.
V-24969 Low Required actions must be followed at the site when a CMD has been lost or stolen.
V-8284 Low The site IAO must maintain a list of all DAA-approved wireless and non-wireless PED devices that store, process, or transmit DoD information.
V-24962 Low The site Incident Response Plan or other procedure must include procedures to follow when a mobile operating system (OS) based mobile device is reported lost or stolen.
V-28317 Low Mobile users must complete required training annually.
V-30416 Low The site must have a Personal Use Policy for site/Command managed or owned mobile devices (smartphones and tablets) approved by the site DAA.