Mobile Device Policy Security Technical Implementation Guide (STIG)


Date: 2019-05-21
Finding Count (17): CAT I (High): 5, CAT II (Med): 3, CAT III (Low): 9

STIG Description
This STIG provides policy, training, and operating procedure security controls for the use of mobile devices and systems in the DoD environment. This STIG applies to any mobile operating system device used to store, process, transmit, or receive DoD information. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-24960 High Mobile operating system (OS) based mobile devices and systems must not be used to send, receive, store, or process classified messages unless specifically approved by NSA for such purposes and NSA approved transmission and storage methods are used.
V-8283 High All wireless/mobile systems (including associated peripheral devices, operating system, applications, network/PC connection methods, and services) must be approved by the approval authority prior to installation and use for processing DoD information.
V-24957 High If a data spill (Classified Message Incident (CMI)) occurs on a mobile device, the site must follow required data spill procedures.
V-32677 High A security risk analysis must be performed on a mobile application by the Authorizing Official (AO) or AO-authorized authority prior to the application being approved for use.
V-19813 High Computers with an embedded wireless system must have the radio removed or otherwise physically disable the radio hardware before the computer is used to transfer, receive, store, or process classified information, unless the wireless system has been certified via the DoD Commercial Solutions for Classified (CSfC) program.
V-24955 Medium Publish data spill procedures for mobile devices
V-94847 Medium Personally owned or contractor owned mobile devices must not be used to transmit, receive, store, or process DoD information or connect to DoD networks.
V-94851 Medium Unclassified wireless devices must not be operated in Secure Spaces (as defined in DoDI 8420.01) unless required conditions are followed.
V-94849 Low All users of mobile devices or wireless devices must sign a user agreement before the mobile or wireless device is issued to the user and the user agreement used at the site must include required content.
V-24964 Low Mobile device software updates must only originate from approved DoD sources.
V-24963 Low The mobile device system administrator must perform a wipe command on all new or reissued mobile devices and a STIG-compliant IT policy will be pushed to the device before issuing it to DoD personnel.
V-24961 Low Mobile device users must complete training on required content before being provided mobile devices or allowed access to DoD networks with a mobile device.
V-24958 Low Required procedures must be followed for the disposal of mobile devices.
V-24953 Low Site physical security policy must include a statement outlining whether mobile devices with digital cameras (still and video) are permitted or prohibited on or in this DoD facility.
V-24969 Low Required actions must be followed at the site when a mobile device has been lost or stolen.
V-24962 Low The site Incident Response Plan or other procedure must include procedures to follow when a mobile operating system (OS) based mobile device is reported lost or stolen.
V-28317 Low Mobile users must complete required training annually.