The site must have a Personal Use Policy for site/Command managed or owned mobile devices (smartphones and tablets) approved by the site DAA.


Overview

Finding ID: V-30416
Version: WIR-SPP-015
Rule ID: SV-40121r1_rule
IA Controls: ECWN-1
Severity: Low

Description
Malware can be introduced on a DoD enclave via personally owned applications and personal web site accounts. In addition, sensitive DoD data could be exposed by the same malware.
STIG: General Mobile Device Policy (Non-Enterprise Activated) Security Technical Implementation Guide
Date: 2013-07-03

Details

Check Text (C-39068r1_chk)
Detailed Policy Requirements:
The local site and/or Command must publish a Personal Use Policy for site/Command managed or owned mobile devices (smartphones and tablets).

The policy will provide information on allowed personal use of site/Command mobile devices, covering both devices approved for connection to DoD networks and processing of sensitive data and devices not approved for connection to DoD networks and processing of DoD data (for example, non-enterprise activated devices). The policy will be approved by the DAA based on a risk-based assessment. The assessment will consider costs to the command that could result from additional wireless service charges from personal usage of the device.

The policy will cover the following topics:

- Installation of user owned and free commercial applications;
- Viewing and/or downloading personal email;
- Download of user owned data (music files, picture files, etc.);
- Connections to user social media accounts;
- The use of geo-location aware applications that save or transmit the location of the device. The use of geo-location aware applications should be based on an Operational Security (OPSEC) risk assessment.
- Connecting DoD managed mobile devices to personally owned computers. (For example, a personally owned computer used to download personally owned files to the mobile device.)


Check Procedures:

Interview the IAO and determine if the site has a Personal Use Policy for site/Command managed or owned mobile devices (smartphones and tablets).

Verify the policy has been signed or otherwise approved by the site DAA.

Mark as a finding if a Personal Use Policy for site/Command managed or owned mobile devices (smartphones and tablets) does not exist or is not approved by the DAA.
Fix Text (F-34179r1_fix)
Write a Personal Use Policy for site/Command managed or owned mobile devices (smartphones and tablets) and get DAA approval of the policy.