V-24960 | High | Mobile operating system (OS) based mobile devices and systems must not be used to send, receive, store, or process classified messages unless specifically approved by NSA for such purposes and NSA approved transmission and storage methods are used. | DoDD 8100.2 states wireless devices will not be used for classified data unless approved for such use. Classified data could be exposed to unauthorized personnel. |
V-8283 | High | All wireless/mobile systems (including associated peripheral devices, operating system, applications, network/PC connection methods, and services) must be approved by the approval authority prior to installation and use for processing DoD information. | Unauthorized wireless systems expose DoD networks to attack. The Authorizing Official (AO) and appropriate commanders must be aware of all wireless systems used at the site. AOs should ensure a... |
V-24957 | High | If a data spill (Classified Message Incident (CMI)) occurs on a mobile device, the site must follow required data spill procedures. | If required procedures are not followed after a data spill, classified data could be exposed to unauthorized personnel. |
V-32677 | High | A security risk analysis must be performed on a mobile application by the Authorizing Official (AO) or AO-authorized authority prior to the application being approved for use. | Non-approved applications can contain malware. Approved applications should be reviewed and tested by the AO to ensure they do not contain malware, spyware, or have unexpected features (e.g., send... |
V-19813 | High | Computers with an embedded wireless system must have the radio removed or otherwise physically disable the radio hardware before the computer is used to transfer, receive, store, or process classified information, unless the wireless system has been certified via the DoD Commercial Solutions for Classified (CSfC) program. | With the increasing popularity of wireless networking, most laptops have wireless NICs (network interface cards) installed on the laptop motherboard. Although the system administrator may disable... |
V-24955 | Medium | Publish data spill procedures for mobile devices | When a data spill occurs on a mobile device, classified or sensitive data must be protected to prevent disclosure. After a data spill, the mobile device must either be wiped using approved... |
V-94847 | Medium | Personally owned or contractor owned mobile devices must not be used to transmit, receive, store, or process DoD information or connect to DoD networks. | The use of unauthorized personally-owned CMDs to receive, store, process, or transmit DoD data could expose sensitive DoD data to unauthorized people. The DoD CIO currently prohibits the use of... |
V-94851 | Medium | Unclassified wireless devices must not be operated in Secure Spaces (as defined in DoDI 8420.01) unless required conditions are followed. | The operation of electronic equipment and emanations must be controlled in and around areas where sensitive information is kept or processed. Sites should post signs and train users to this... |
V-94849 | Low | All users of mobile devices or wireless devices must sign a user agreement before the mobile or wireless device is issued to the user and the user agreement used at the site must include required content. | Lack of user training and understanding of responsibilities to safeguard wireless technology is a significant vulnerability to the enclave. Once policies are established, users must be trained to... |
V-24964 | Low | Mobile device software updates must only originate from approved DoD sources. | Users must not accept Over-The-Air (OTA) wireless software updates from the wireless carrier or other non-DoD sources unless the updates have been tested and approved by the ISSO.... |
V-24963 | Low | The mobile device system administrator must perform a wipe command on all new or reissued mobile devices and a STIG-compliant IT policy will be pushed to the device before issuing it to DoD personnel. | Malware can be installed on the device at some point between shipping from the factory and delivery to DoD. The malware could result in the compromise of sensitive DoD information or result in... |
V-24961 | Low | Mobile device users must complete training on required content before being provided mobile devices or allowed access to DoD networks with a mobile device. | Users are the first line of security controls for CMD systems. They must be trained in using CMD security controls or the system could be vulnerable to attack. |
V-24958 | Low | Required procedures must be followed for the disposal of mobile devices. | If appropriate procedures are not followed prior to disposal of a mobile device, an adversary may be able to obtain sensitive DoD information or learn aspects of the configuration of the device... |
V-24953 | Low | Site physical security policy must include a statement outlining whether mobile devices with digital cameras (still and video) are permitted or prohibited on or in this DoD facility. | Mobile devices with cameras are easily used to photograph sensitive information and areas if not addressed. Sites must establish, document, and train on how to mitigate this threat. |
V-24969 | Low | Required actions must be followed at the site when a mobile device has been lost or stolen. | If procedures for lost or stolen mobile devices are not followed, it is more likely that an adversary could obtain the device and use it to access DoD networks or otherwise compromise DoD IA. |
V-24962 | Low | The site Incident Response Plan or other procedure must include procedures to follow when a mobile operating system (OS) based mobile device is reported lost or stolen. | Sensitive DoD data could be stored in memory on a DoD operated mobile operating system (OS) based mobile device and the data could be compromised if required actions are not followed when a ... |
V-28317 | Low | Mobile users must complete required training annually. | Users are the first line of security controls for mobile device systems. They must be trained in using mobile device security controls or the system could be vulnerable to attack. If training is... |