|NSA Type1 products and required procedures must be used to protect classified data at rest (DAR) on wireless devices used on a classified WLAN or WMAN.
|NSA Type 1 products provide a high level of assurance that cryptography is implemented correctly and meets the standards for storage of classified information. Use of cryptography that is not...
|Only supported versions of the Harris SecNet 11/54 should be used.
|If an unsupported version of the Harris SecNet wireless router is being used, the device is not being updated with security patches and may contain vulnerabilities that may expose classified data...
|SWLAN must be rekeyed at least every 90 days.
|The longer a key remains in use, the more likely it will be compromised. If an adversary can compromise an SWLAN key, then it can obtain classified information.
|Any wireless technology used to transmit classified information must be an NSA Type 1 product.
|NSA Type 1 certification provides the level of assurance required for transmission of classified data. Systems without this certification are more likely to be compromised by a determined and...
|A Secure WLAN (SWLAN) connected to the SIPRNet must have a SIPRNet connection approval package must be on file with the Classified Connection Approval Office (CCAO).
|The CCAO approval process provides assurance that the SWLAN use is appropriate and does not introduce unmitigated risks into the SIPRNET.
|A Secure WLAN (SWLAN) must conform to an approved network architecture.
|Approved network architectures have been assessed for IA risk. Non-approved architectures provide less assurance than approved architectures because they have not undergone the same level of evaluation.
|Wireless access points and bridges must be placed in dedicated subnets outside the enclave’s perimeter.
|If an adversary is able to compromise an access point or controller that is directly connected to an enclave network, then the adversary can easily surveil and attack other devices from that...
|Physical security controls must be implemented for SWLAN access points.
|If an adversary is able to gain physical access to a SWLAN device, it may be able to compromise the device in a variety of ways, some of which could enable the adversary to obtain classified data....
|A device’s wired network interfaces (e.g., Ethernet) must be disconnected or otherwise disabled when wireless connections are in use.
|If a client device supports simultaneous use of wireless and wired connections, then this increases the probability that an adversary who can access the device using its wireless interface can...
|Before a Secure WLAN (SWLAN) becomes operational and is connected to the SIPRNet the Certified TEMPEST Technical Authority (CTTA) must be notified.
|Wireless signals are extremely vulnerable to both detection and interception, which can provide an adversary with the location and intensity of particular DoD activities and potentially reveal...
|WLAN SSIDs must be changed from the manufacturer’s default to a pseudo random word that does not identify the unit, base, organization, etc.
|An SSID identifying the unit, site or purpose of the WLAN or is set to the manufacturer default may cause an OPSEC vulnerability.
|SWLAN access points must implement MAC filtering.
|Medium access control (MAC) filtering is a mechanism for ensuring that only authorized devices connect to the WLAN. While there are other methods to achieve similar protection with greater...
|The site must have written procedures for the protection, handling, accounting, and use of NSA Type 1 products.
|Written procedures provide assurance that personnel take the required steps to prevent loss of keys or other breaches of system security.