DAA must approve the use of personally-owned or contractor-owned PEDs used to transmit, receive, store, or process DoD information.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-15782	WIR0010-01	SV-16721r3_rule	ECSC-1 ECWN-1	Medium

Description
The use of unauthorized personally-owned wireless devices to receive, store, process, or transmit DoD data could expose sensitive DoD data to unauthorized people. The use of personally-owned PEDs must be controlled by the site. Users must agree to forfeit the PED when security incidents occur, follow all required security procedures, and install required software in order to protect the DoD network. If personally-owned wireless smartphones/tablets are allowed they must process and store FOUO data in a container that utilizes a FIPS 140-2 validated cryptographic module for both data-in-transit, as well as data-at-rest.

Description

The use of unauthorized personally-owned wireless devices to receive, store, process, or transmit DoD data could expose sensitive DoD data to unauthorized people. The use of personally-owned PEDs must be controlled by the site. Users must agree to forfeit the PED when security incidents occur, follow all required security procedures, and install required software in order to protect the DoD network. If personally-owned wireless smartphones/tablets are allowed they must process and store FOUO data in a container that utilizes a FIPS 140-2 validated cryptographic module for both data-in-transit, as well as data-at-rest.

STIG	Date
General Wireless Policy Security Technical Implementation Guide	2012-07-20

Details

Check Text ( C-15968r4_chk )
Personally-owned or contractor-owned devices will not be used to access DoD restricted resources and information without DAA approval. Users should be trained on this requirement, configuration management procedures should be followed, and the devices must meet DoD security policies and standards. Interview the IAO. 1. Ask if users are using personally-owned or contractor-owned devices, such as PDAs, BlackBerrys, laptops, smartphones, tablets, or home computers to access sensitive enclave resources. 2. If personally-owned/contractor-owned devices are allowed, verify written DAA approval exists and the SSP is annotated that personally-owned/contractor-owned devices are allowed. Mark as a finding if personally-owned devices are used but the DAA has not approved their use. Hint: This check includes any non-DoD owned or approved devices, such as computers, PEDs/PDAs, and wireless NICs. This applies to administrative and end-user access. Use for end-user is discouraged but may be approved by the DAA.

Check Text ( C-15968r4_chk )

Personally-owned or contractor-owned devices will not be used to access DoD restricted resources and information without DAA approval. Users should be trained on this requirement, configuration management procedures should be followed, and the devices must meet DoD security policies and standards.
Interview the IAO.

1. Ask if users are using personally-owned or contractor-owned devices, such as PDAs, BlackBerrys, laptops, smartphones, tablets, or home computers to access sensitive enclave resources.
2. If personally-owned/contractor-owned devices are allowed, verify written DAA approval exists and the SSP is annotated that personally-owned/contractor-owned devices are allowed.

Mark as a finding if personally-owned devices are used but the DAA has not approved their use.

Hint: This check includes any non-DoD owned or approved devices, such as computers, PEDs/PDAs, and wireless NICs. This applies to administrative and end-user access. Use for end-user is discouraged but may be approved by the DAA.

Fix Text (F-4558r1_fix)
Prohibit use of personally-owned devices or get required approvals (by DAA). Personally-owned devices will not be used to access DoD restricted resources and information without DAA approval. Users should be trained on this requirement, configuration management procedures should be followed, and the devices must meet DoD security policies and standards.