UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Mobile Policy Security Requirements Guide


Overview

Date Finding Count (93)
2012-10-10 CAT I (High): 11 CAT II (Med): 52 CAT III (Low): 30
STIG Description
The Mobile Policy Security Requirements Guide (SRG) is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the NIST 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.

Available Profiles



Findings (MAC III - Administrative Classified)

Finding ID Severity Title
SRG-MPOL-044 High The organization must not use DoD-issued software certificates for Non-enterprise activated CMDs.
SRG-MPOL-088 High The organization's physical security policy must state that CMD cameras must not be allowed in any SCIF or other areas where classified documents or information is stored, transmitted, or processed.
SRG-MPOL-010 High The organization must remove the radio on computers with an embedded wireless system before the computer is used to transfer, receive, store, or process classified information.
SRG-MPOL-012 High The organization must ensure all wireless systems (including associated peripheral devices, operating system, applications, network/PC connection methods, and services) are approved by the approval authority prior to installation and use for processing DoD information.
SRG-MPOL-015 High The organization must maintain a SIPRNet connection approval package with the Classified Connection Approval Office when connecting a Secure WLAN to SIPRNet.
SRG-MPOL-092 High The organization must develop procedures for ensuring mobile operating systems, mobile applications, and mobile device management agents on managed mobile devices are updated within an organization-defined period after the updates/patches are available.
SRG-MPOL-065 High The organization must not use mobile operating system (OS) based smartphone and tablet devices and systems to send, receive, store, or process classified messages unless specifically approved by NSA for such purposes and NSA-approved transmission and storage methods are used.
SRG-MPOL-067 High The organization must not use wireless personal area network devices and near field communications (NFC), such as Bluetooth and ZigBee, to send, receive, store, or process classified information.
SRG-MPOL-061 High The organization must follow the incident handling policy if classified information is found on mobile devices.
SRG-MPOL-063 High The organization must not permit CMDs Sensitive Compartmented Information Facilities (SCIFs), unless approved by the DAA and SCIF Cognizant Security Authority (CSA) in accordance with Intelligence Community Directive 503 and Intelligence Community Standard (ICS) 705.1.
SRG-MPOL-069 High The organization must not permit non-enterprise activated CMD to connect to DoD networks.
SRG-MPOL-042 Medium The organization must have a CMD Personal Use Policy that specifies restrictions on the use of personal email.
SRG-MPOL-040 Medium The organization must establish usage restrictions for organization-controlled portable and mobile devices.
SRG-MPOL-041 Medium The organization must have a CMD Personal Use Policy that specifies what types of personal files are permitted on the device.
SRG-MPOL-046 Medium The organization must not process or store official DoD email on Non-enterprise activated CMDs.
SRG-MPOL-047 Medium The organization must establish implementation guidance for organization-controlled portable and mobile devices.
SRG-MPOL-045 Medium The organization must not use DoD networks to transfer information with non-enterprise activated CMDs.
SRG-MPOL-048 Medium The organization must establish standard operating procedures for provisioning mobile devices.
SRG-MPOL-059 Medium The organization must apply organization defined inspection and preventative measures to mobile devices returning from locations the organization deems to be of significant risk to DoD information systems.
SRG-MPOL-058 Medium The organization must define locations the organization deems to be of significant risk to DoD information systems, in accordance with organizational policies and procedures.
SRG-MPOL-055 Medium The organization must make a risk-based determination, prior to installation of CMD applications on non-enterprise activated CMDs.
SRG-MPOL-054 Medium The organization must perform a security risk analysis on a mobile operating system (OS) application by the DAA or DAA-authorized approval authority prior to the application being approved for use.
SRG-MPOL-057 Medium The organization must not permit NEA CMD to connect to DoD devices containing sensitive information.
SRG-MPOL-056 Medium The organization must authorize connection of mobile devices to organizational information systems.
SRG-MPOL-050 Medium The organization must develop policy that ensures CMDs' software updates originate from only approved DoD sources.
SRG-MPOL-053 Medium The organization must obtain approval from the DAA or Command IT Configuration Control Board prior to installing a software application on a mobile device.
SRG-MPOL-052 Medium The organization must develop policy to restrict smartphone Instant Messaging (IM) client applications to connect to only security-compliant, DoD-controlled IM servers.
SRG-MPOL-020 Medium The organization's wireless LAN must use Extension Authentication Protocol - Transport Layer Security (EAP-TLS).
SRG-MPOL-021 Medium The organization's WLAN implementation of EAP-TLS must be FIPS 140-2 validated.
SRG-MPOL-022 Medium The organization must monitor for unauthorized wireless access DoD networks.
SRG-MPOL-023 Medium The organization must conduct continuous wireless IDS scanning at each of its sites.
SRG-MPOL-024 Medium The organization must authorize wireless access to the information system prior to connection.
SRG-MPOL-025 Medium The organization's DAA must approve the use of personally-owned or contractor-owned commercial mobile devices (CMDs) used to transmit, receive, store, or process DoD information.
SRG-MPOL-039 Medium The organization must confine wireless communications to organization-controlled boundaries.
SRG-MPOL-038 Medium The organization must disable, when not intended for use, wireless networking capabilities internally embedded within information system components prior to issuance and deployment.
SRG-MPOL-033 Medium The organization must ensure the network access control solution supports wireless clients and solutions if wireless networking is implemented.
SRG-MPOL-032 Medium The organization must enforce requirements for wireless connections to the information system.
SRG-MPOL-030 Medium The organization must notify the Certified TEMPEST Technical Authority (CTTA) before a Secure WLAN (SWLAN) becomes operational and connected to the SIPRNet.
SRG-MPOL-037 Medium The organization must take appropriate action if an unauthorized wireless connection is discovered.
SRG-MPOL-036 Medium The organization must define the appropriate action(s) to be taken if an unauthorized wireless connection is discovered.
SRG-MPOL-035 Medium The organization must define a frequency of monitoring for unauthorized wireless connections to information systems, including scans for unauthorized wireless access points.
SRG-MPOL-034 Medium The organization must monitor for unauthorized wireless connections to the information system on an organization-defined frequency.
SRG-MPOL-007 Medium The organization must not modify Bluetooth radios through signal amplification, antenna configuration, or other techniques that could affect signal detection or interception.
SRG-MPOL-005 Medium The organization must establish usage restrictions for wireless access.
SRG-MPOL-003 Medium The organization must make a risk-based determination on the impacts of a mobile application prior to its distribution and installation.
SRG-MPOL-001 Medium The organization must define the maximum number of consecutive, unsuccessful login attempts to the mobile devices permitted.
SRG-MPOL-008 Medium The organization must use FIPS 140-2 validated cryptographic modules for transmitting unclassified DoD data in transit on Bluetooth (or ZigBee) devices.
SRG-MPOL-084 Medium The organization must ensure all non-enterprise activated CMD users complete Operational Security (OPSEC) training that provides use guidelines and vulnerability mitigation techniques.
SRG-MPOL-085 Medium The organization must secure all wireless network devices, such as wireless Intrusion Detection System (IDS) and wireless routers, access points, gateways, and controllers to prevent tampering or theft, or must be located in a secure room with limited access.
SRG-MPOL-080 Medium The organization must produce a written policy and training material that states smartphones/tablets that are classified as non-enterprise activated must not be used to send, receive, store, or process sensitive/FOUO data and information.
SRG-MPOL-081 Medium The organization must produce a written policy and training material that states smartphones/tablets classified as non-enterprise activated must not access DoD email systems.
SRG-MPOL-011 Medium The organization must establish implementation guidance for wireless access.
SRG-MPOL-019 Medium The organization must only procure and deploy WPA2-Enteprise certified WLAN equipment and software.
SRG-MPOL-093 Medium The organization must ensure physical security controls are implemented for SWLAN access points.
SRG-MPOL-064 Medium The organization must not permit operation of wireless devices in areas where classified information is electronically stored, processed, or transmitted unless operation is in accordance with DAA-approved CTTA restrictions at the site.
SRG-MPOL-066 Medium The organization must prohibit connection of unclassified mobile devices to classified information systems.
SRG-MPOL-060 Medium The organization must define inspection and preventative measures to be applied on mobile devices returning from locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.
SRG-MPOL-062 Medium The organization must establish a standard operating procedure (SOP) for Classified Message Incidents (CMI) on CMDs.
SRG-MPOL-068 Medium The organization must require approval from the appropriate authorizing official(s) for the connection of unclassified mobile devices to unclassified information systems.
SRG-MPOL-074 Medium The organization must store and maintain a configuration baseline of each CMD, including application software.
SRG-MPOL-071 Medium The organization must require that mobile devices used in facilities containing information systems processing, storing, or transmitting classified information, and the information stored on those devices, are subject to random reviews/inspections by organization defined security officials.
SRG-MPOL-070 Medium The organization must not permit non-enterprise activated CMDs to process or store DoD sensitive information.
SRG-MPOL-078 Medium The organization must assign personnel to perform reviews/inspections of mobile devices in facilities containing information systems processing, storing, or transmitting classified information.
SRG-MPOL-043 Low The organization's CMD Personal Use Policy must be approved by its DAA.
SRG-MPOL-049 Low The organization must develop policy which ensures a CMD is wiped prior to issuance to DoD personnel.
SRG-MPOL-051 Low The organization's DAA must approve the use of software PKI certificates on smartphones prior to provisioning smartphones with DoD PKI digital certificates.
SRG-MPOL-028 Low The organization must include each wireless device connecting to a DoD network in the applicable site's System Security Plan (SSP).
SRG-MPOL-029 Low The organization must have a wireless remote access policy signed by the site DAA, Commander, Director, or other appropriate authority.
SRG-MPOL-026 Low The organization's policy must require the owner of a personally-owned or contractor-owned, commercial mobile device (CMD) to sign a forfeiture agreement to be executed in the event of a security incident, if the DAA has approved the use of the device for DoD functions.
SRG-MPOL-027 Low The organization must maintain a list of all DAA-approved wireless and non-wireless devices that store, process, or transmit DoD information.
SRG-MPOL-031 Low The organization must provide the DAA the results of a CTTA TEMPEST evaluation of each WMAN system it operates.
SRG-MPOL-006 Low The organization must only use Class 2 or 3 radios when employing Bluetooth communications.
SRG-MPOL-004 Low The organization's wireless mobile area network (WMAN) system accreditation must include a Transmission Security (TRANSEC) vulnerability analysis, if the WMAN system operates in a tactical environment.
SRG-MPOL-002 Low If the organization has approved wireless remote access, the organization's System Security Profile (SSP) must include the types of wireless remote access equipment and locations (site network Wi-Fi, home, hotel, public hotspots, etc.) approved for site personnel.
SRG-MPOL-009 Low The organization must ensure relevant U.S. Forces Command (USFORSCOM) or host nation approve the use of wireless equipment prior to operation of such equipment outside the United States and Possessions (US&P).
SRG-MPOL-089 Low The organization must follow required procedures for the disposal of smartphones.
SRG-MPOL-086 Low The organization must not permit personnel to operate CMD without first signing a user agreement IAW DoD CIO Memorandum, "Policy on Use of Department of Defense (DoD) Information Systems Standard Consent Banner and User Agreement," 9 May 2008.
SRG-MPOL-087 Low The organization must explicitly specify in each site's physical security policy whether CMDs, containing cameras, are permitted at that site.
SRG-MPOL-082 Low The organization must ensure the MDM server administrator receives required training annually.
SRG-MPOL-083 Low The organization must ensure users receive training before they are authorized to access a DoD network via a wireless device.
SRG-MPOL-013 Low The organization's wireless policy or wireless remote access policy must include information on required smartphone Wi-Fi security controls.
SRG-MPOL-014 Low The organization must have a written policy or training materials stating Bluetooth must be disabled on all applicable devices unless they employ FIPS 140-2 validated cryptographic modules for data in transit.
SRG-MPOL-017 Low The organization's WMAN system must not operate in the 3.30-3.65 GHz frequency band.
SRG-MPOL-016 Low The organization must reasonably size and constrain the WMAN signals to their intended coverage area.
SRG-MPOL-018 Low The organization must implement required procedures for reporting the results of WMAN intrusion scans.
SRG-MPOL-091 Low The organization must execute its incident response plan or applicable SOP when a CMD is reported lost or stolen.
SRG-MPOL-090 Low The organization must include procedures for lost or stolen CMDs in its Incident Response Plan or applicable SOP.
SRG-MPOL-077 Low The organization must review MDM integrity scan results at least daily.
SRG-MPOL-076 Low The organization must ensure WIDS sensor scan results are saved for at least one year.
SRG-MPOL-075 Low The organization must maintain results and mitigation actions, from CMD integrity validation tool scans on site managed mobile devices, for 6 months.
SRG-MPOL-073 Low The organization, at the mobile device management (MDM) server site, must verify that local sites, where CMDs are provisioned, issued, and managed, are conducting annual self assessments.
SRG-MPOL-072 Low The organization must periodically conduct manual audits of CMDs to verify the CMD is not running unauthorized software or has otherwise not been modified in an unauthorized manner.
SRG-MPOL-079 Low The organization must verify that each of its CMD users has completed annual CMD user training.