UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

If DAA has approved the use of personally-owned or contractor-owned PEDs, the owner must sign a forfeiture agreement in case of a security incident.


Overview

Finding ID Version Rule ID IA Controls Severity
V-28314 WIR0010-02 SV-36042r3_rule ECSC-1 ECWN-1 Low
Description
The use of unauthorized personally-owned or contractor-owned wireless devices to receive, store, process, or transmit DoD data could expose sensitive DoD data to unauthorized people. The use of personally-owned/contractor-owned PEDs must be controlled by the site. Users must agree to forfeit the PED when security incidents occur, follow all required security procedures, and install required software in order to protect the DoD network.
STIG Date
General Wireless Policy Security Technical Implementation Guide 2012-09-21

Details

Check Text ( C-35839r5_chk )
When personally-owned PEDs are used to transmit, receive, store, or process DoD information, the owner must sign a forfeiture agreement in case of a security incident.

The reviewer should obtain a copy of the signed forfeiture agreement for a sample of users (2-3) that have been approved to use personally-owned devices. The forfeiture agreement must state the user agrees to forfeit the device to the DoD for sanitization or destruction if a security incident has occurred on the device.

Mark as a finding if signed forfeiture agreements are not available.
Fix Text (F-30411r1_fix)
If the DAA has approved the use of personally-owned PEDs, have the owner sign a forfeiture agreement in case of a security incident.