V-3512 | High | NSA Type 1 products and required procedures must be used to protect classified data at rest (DAR) on wireless devices used on a classified WLAN or WMAN. | NSA Type 1 products provide a high level of assurance that cryptography is implemented correctly and meets the standards for storage of classified information. Use of cryptography that is not... |
V-30369 | High | SWLAN must be rekeyed at least every 90 days. | The longer a key remains in use, the more likely it will be compromised. If an adversary can compromise an SWLAN key, then it can obtain classified information. |
V-15300 | High | Any wireless technology used to transmit classified information must be an NSA Type 1 product. | NSA Type 1 certification provides the level of assurance required for transmission of classified data. Systems without this certification are more likely to be compromised by a determined and... |
V-18582 | High | A Secure WLAN (SWLAN) connected to the SIPRNet must have a SIPRNet connection approval package on file with the Classified Connection Approval Office (CCAO). | The CCAO approval process provides assurance that the SWLAN use is appropriate and does not introduce unmitigated risks into the SIPRNet. |
V-4636 | High | A Secure WLAN (SWLAN) must conform to an approved network architecture. | Approved network architectures have been assessed for IA risk. Non-approved architectures provide less assurance than approved architectures because they have not undergone the same level of evaluation. |
V-14886 | Medium | Wireless access points and bridges must be placed in dedicated subnets outside the enclave’s perimeter. | If an adversary is able to compromise an access point or controller that is directly connected to an enclave network, then the adversary can easily surveil and attack other devices from that... |
V-18584 | Medium | Physical security controls must be implemented for SWLAN access points. | If an adversary is able to gain physical access to a SWLAN device, it may be able to compromise the device in a variety of ways, some of which could enable the adversary to obtain classified data.... |
V-14002 | Medium | A device’s wired network interfaces (e.g., Ethernet) must be disconnected or otherwise disabled when wireless connections are in use. | If a client device supports simultaneous use of wireless and wired connections, then this increases the probability that an adversary who can access the device using its wireless interface can... |
V-18583 | Medium | Before a Secure WLAN (SWLAN) becomes operational and is connected to the SIPRNet, the Certified TEMPEST Technical Authority (CTTA) must be notified. | Wireless signals are extremely vulnerable to both detection and interception, which can provide an adversary with the location and intensity of particular DoD activities and potentially reveal... |
V-14846 | Low | WLAN SSIDs must be changed from the manufacturer’s default to a pseudo-random word that does not identify the unit, base, organization, etc. | An SSID that identifies the unit, site, or purpose of the WLAN, or that is set to the manufacturer default, may cause an OPSEC vulnerability. |
V-30359 | Low | SWLAN access points must implement MAC filtering. | Medium access control (MAC) filtering is a mechanism for ensuring that only authorized devices connect to the WLAN. While there are other methods to achieve similar protection with greater... |
V-7075 | Low | The site must have written procedures for the protection, handling, accounting, and use of NSA Type 1 products. | Written procedures provide assurance that personnel take the required steps to prevent loss of keys or other breaches of system security. |