| SRG-MPOL-044 | High | The organization must not use DoD-issued software certificates for Non-enterprise activated CMDs. | If DoD issued certificates are utilized, the device may be able to connect to sites/systems that are otherwise prohibited without the certificate. Non-enterprise activated CMDs are not authorized... |
| SRG-MPOL-088 | High | The organization's physical security policy must state that CMD cameras must not be allowed in any SCIF or other areas where classified documents or information is stored, transmitted, or processed. | CMDs with embedded cameras can be used to photograph classified material and can be easily concealed. Classified information could be compromised. Photos may also be taken of the areas that would... |
| SRG-MPOL-010 | High | The organization must remove the radio on computers with an embedded wireless system before the computer is used to transfer, receive, store, or process classified information. | The majority of consumer based laptops have wireless network interface cards (NICs) integrated with the computer's motherboard. Although the system administrator may disable these embedded NICs,... |
| SRG-MPOL-012 | High | The organization must ensure all wireless systems (including associated peripheral devices, operating system, applications, network/PC connection methods, and services) are approved by the approval authority prior to installation and use for processing DoD information. | Unauthorized wireless systems expose DoD networks to attack. The DAA and appropriate commanders must be aware of all wireless systems used at the site. DAAs should ensure a risk assessment is... |
| SRG-MPOL-015 | High | The organization must maintain a SIPRNet connection approval package with the Classified Connection Approval Office when connecting a Secure WLAN to SIPRNet. | The CCAO approval process provides assurance that the SWLAN use is appropriate and does not introduce unmitigated risks into the SIPRNet. |
| SRG-MPOL-092 | High | The organization must develop procedures for ensuring mobile operating systems, mobile applications, and mobile device management agents on managed mobile devices are updated within an organization-defined period after the updates/patches are available. | Patches and fixes to an operating system (OS) or application are necessary elements in maintaining the security posture of a system. If one system has been compromised or exposed to a potential... |
| SRG-MPOL-065 | High | The organization must not use mobile operating system (OS) based smartphone and tablet devices and systems to send, receive, store, or process classified messages unless specifically approved by NSA for such purposes and NSA-approved transmission and storage methods are used. | Wireless devices will not be used for processing classified data unless approved for such use as classified data could be compromised or exposed to unauthorized personnel. |
| SRG-MPOL-067 | High | The organization must not use wireless personal area network devices and near field communications (NFC), such as Bluetooth and ZigBee, to send, receive, store, or process classified information. | Classified data could be compromised since wireless personal area network and near field communications devices, such as Bluetooth and ZigBee, do not meet DoD encryption requirements for classified data. |
| SRG-MPOL-061 | High | The organization must follow the incident handling policy if classified information is found on mobile devices. | In spite of the best security policies, restrictive controls, and random review procedures, incidents of leakage of classified data to unclassified mobile devices are bound to occur. In these... |
| SRG-MPOL-063 | High | The organization must not permit CMDs Sensitive Compartmented Information Facilities (SCIFs), unless approved by the DAA and SCIF Cognizant Security Authority (CSA) in accordance with Intelligence Community Directive 503 and Intelligence Community Standard (ICS) 705.1. | Emanations from computing devices in the secured area may be transmitted or picked up inadvertently by wireless devices. |
| SRG-MPOL-069 | High | The organization must not permit non-enterprise activated CMD to connect to DoD networks. | Some smartphones and tablets, including some models of Windows, Android, iOS, and BlackBerry smartphones and tablets, are not authorized to connect to DoD networks or to DoD computers that will be... |
| SRG-MPOL-042 | Medium | The organization must have a CMD Personal Use Policy that specifies restrictions on the use of personal email. | Malware can be introduced to a DoD enclave via personally owned applications and personal web site accounts. In addition, sensitive DoD data could be exposed, altered, or exfiltrated by the same... |
| SRG-MPOL-040 | Medium | The organization must establish usage restrictions for organization-controlled portable and mobile devices. | In order to effectively control access to its information systems, the organization must define usage restrictions for its portable and mobile devices. In the absence of such restrictions, users... |
| SRG-MPOL-041 | Medium | The organization must have a CMD Personal Use Policy that specifies what types of personal files are permitted on the device. | Malware can be introduced to a DoD enclave via personally-owned applications and personal web site accounts. In addition, sensitive DoD data could be exposed, altered, or exfiltrated by the same... |
| SRG-MPOL-046 | Medium | The organization must not process or store official DoD email on Non-enterprise activated CMDs. | As non-enterprise activated CMDs do not have the required and necessary security controls applied to the devices, in all cases, DoD data and the applications that house such data (e.g., email) are... |
| SRG-MPOL-047 | Medium | The organization must establish implementation guidance for organization-controlled portable and mobile devices. | In order to effectively manage and control its portable and mobile devices, the organization must develop and publish implementation guidance for these devices. Lacking implementation guidance,... |
| SRG-MPOL-045 | Medium | The organization must not use DoD networks to transfer information with non-enterprise activated CMDs. | As non-enterprise activated CMDs do not have the required and necessary security controls applied to the devices, in all cases, DoD data and the applications that house such data (e.g., email) are... |
| SRG-MPOL-048 | Medium | The organization must establish standard operating procedures for provisioning mobile devices. | A trusted provisioning process must be the foundation for installation of the mobile operating system and applications on the device during provisioning (whether tethered or over-the-air).... |
| SRG-MPOL-059 | Medium | The organization must apply organization defined inspection and preventative measures to mobile devices returning from locations the organization deems to be of significant risk to DoD information systems. | Despite the implementation of viable countermeasures on mobile devices, upon return from a high risk location, each device should be treated as if it has been compromised. The mobile device should... |
| SRG-MPOL-058 | Medium | The organization must define locations the organization deems to be of significant risk to DoD information systems, in accordance with organizational policies and procedures. | Given the continuous threat level in today's global environment, there are certain locations presenting significant risks to an organization's personnel, equipment, and data. To afford an... |
| SRG-MPOL-055 | Medium | The organization must make a risk-based determination, prior to installation of CMD applications on non-enterprise activated CMDs. | CMD applications can be written and published very quickly without a thorough life cycle management process or security assessment. It is critical that all applications that reside on CMDs go... |
| SRG-MPOL-054 | Medium | The organization must perform a security risk analysis on a mobile operating system (OS) application by the DAA or DAA-authorized approval authority prior to the application being approved for use. | Non-approved applications can contain malware. Approved applications should be reviewed and tested by the approving authority to ensure they do not contain malware, spyware, or have unexpected... |
| SRG-MPOL-057 | Medium | The organization must not permit NEA CMD to connect to DoD devices containing sensitive information. | As non-enterprise activated CMDs do not have the required and necessary security controls applied to the devices, in all cases, DoD data is at risk of compromise or exfiltration if those devices... |
| SRG-MPOL-056 | Medium | The organization must authorize connection of mobile devices to organizational information systems. | In order to protect their information systems, organizations must have a process in place ensuring mobile devices adhere to implementation guidance, meet published usage restrictions, and are... |
| SRG-MPOL-050 | Medium | The organization must develop policy that ensures CMDs' software updates originate from only approved DoD sources. | Users must not accept over-the-air (OTA) wireless software updates from the wireless carrier or other non-DoD sources unless the updates have been tested and DoD approved. Unauthorized/unapproved... |
| SRG-MPOL-053 | Medium | The organization must obtain approval from the DAA or Command IT Configuration Control Board prior to installing a software application on a mobile device. | Core applications are applications included in the smartphone operating system. Applications added by the wireless carrier are not considered core applications. A security risk analysis must be... |
| SRG-MPOL-052 | Medium | The organization must develop policy to restrict smartphone Instant Messaging (IM) client applications to connect to only security-compliant, DoD-controlled IM servers. | Non-DoD IM servers can be located anywhere in the world and may be under an adversary's control. If a DoD smartphone IM client connects to a non-DoD IM server, malware could be installed on the... |
| SRG-MPOL-020 | Medium | The organization's wireless LAN must use Extension Authentication Protocol - Transport Layer Security (EAP-TLS). | Strong authentication is required prior to connecting to the wireless system. A hacker could gain access to the wireless network and then the wired network if required authentication is not... |
| SRG-MPOL-021 | Medium | The organization's WLAN implementation of EAP-TLS must be FIPS 140-2 validated. | Strong authentication is required prior to connecting to the wireless system. A hacker could gain access to the wireless network and then the wired network if required authentication is not... |
| SRG-MPOL-022 | Medium | The organization must monitor for unauthorized wireless access DoD networks. | DoD networks are at risk for intrusion and DoD data may be compromised if wireless scanning is not conducted to identify unauthorized WLAN clients and access points connected to, or attempting to,... |
| SRG-MPOL-023 | Medium | The organization must conduct continuous wireless IDS scanning at each of its sites. | DoD networks are at risk for intrusion and DoD data may be compromised if wireless scanning is not conducted to identify unauthorized WLAN clients and access points connected to, or attempting to,... |
| SRG-MPOL-024 | Medium | The organization must authorize wireless access to the information system prior to connection. | Wireless technologies include, but are not limited to, microwave, satellite, packet radio (UHF/VHF), 802.11x, and Bluetooth. Wireless networks present similar security risks to those of a wired... |
| SRG-MPOL-025 | Medium | The organization's DAA must approve the use of personally-owned or contractor-owned commercial mobile devices (CMDs) used to transmit, receive, store, or process DoD information. | The use of unapproved personally-owned or contractor-owned wireless devices to receive, store, process, or transmit DoD data could expose sensitive DoD data to unauthorized individuals. The use of... |
| SRG-MPOL-039 | Medium | The organization must confine wireless communications to organization-controlled boundaries. | Wireless technologies include, but are not limited to, microwave, satellite, packet radio (UHF/VHF), 802.11x, and Bluetooth. Wireless networks present similar security risks to those of a wired... |
| SRG-MPOL-038 | Medium | The organization must disable, when not intended for use, wireless networking capabilities internally embedded within information system components prior to issuance and deployment. | The majority of consumer based laptops have wireless network interface cards (NICs) integrated with the computer's motherboard. Although the system administrator may disable these embedded NICs,... |
| SRG-MPOL-033 | Medium | The organization must ensure the network access control solution supports wireless clients and solutions if wireless networking is implemented. | Without a secure network access solution implemented, rogue and/or non-policy compliant devices can gain access to the network and its resources. |
| SRG-MPOL-032 | Medium | The organization must enforce requirements for wireless connections to the information system. | Wireless technologies include, but are not limited to, microwave, satellite, packet radio (UHF/VHF), 802.11x, and Bluetooth. Wireless networks present similar security risks to those of a wired... |
| SRG-MPOL-030 | Medium | The organization must notify the Certified TEMPEST Technical Authority (CTTA) before a Secure WLAN (SWLAN) becomes operational and connected to the SIPRNet. | A TEMPEST review must be completed or classified information may be at risk of exposure. |
| SRG-MPOL-037 | Medium | The organization must take appropriate action if an unauthorized wireless connection is discovered. | Wireless technologies include, but are not limited to, microwave, satellite, packet radio (UHF/VHF), 802.11x, and Bluetooth. Wireless networks present similar security risks to those of a wired... |
| SRG-MPOL-036 | Medium | The organization must define the appropriate action(s) to be taken if an unauthorized wireless connection is discovered. | Wireless technologies include, but are not limited to, microwave, satellite, packet radio (UHF/VHF), 802.11x, and Bluetooth. Wireless networks present similar security risks to those of a wired... |
| SRG-MPOL-035 | Medium | The organization must define a frequency of monitoring for unauthorized wireless connections to information systems, including scans for unauthorized wireless access points. | Wireless technologies include, but are not limited to, microwave, satellite, packet radio (UHF/VHF), 802.11x, and Bluetooth. Wireless networks present similar security risks to those of a wired... |
| SRG-MPOL-034 | Medium | The organization must monitor for unauthorized wireless connections to the information system on an organization-defined frequency. | DoD networks are at risk, and DoD data could be compromised if wireless scanning is not conducted to identify unauthorized WLAN clients and access points connected to, or attempting to, connect to... |
| SRG-MPOL-007 | Medium | The organization must not modify Bluetooth radios through signal amplification, antenna configuration, or other techniques that could affect signal detection or interception. | If Bluetooth radio modifications have been made, security personnel cannot predict potential vulnerabilities of the system due to lack of security analysis of the modified state. |
| SRG-MPOL-005 | Medium | The organization must establish usage restrictions for wireless access. | Wireless security is inherently weak, and without a methodology for the deployment and usage of wireless devices and access, security of the infrastructure and data cannot be assured. Wireless... |
| SRG-MPOL-003 | Medium | The organization must make a risk-based determination on the impacts of a mobile application prior to its distribution and installation. | CMD applications can be written and published very quickly without a thorough life cycle management process or security assessment. It is critical that all applications that reside on CMDs go... |
| SRG-MPOL-001 | Medium | The organization must define the maximum number of consecutive, unsuccessful login attempts to the mobile devices permitted. | Without proper lockout policies that define the maximum number of consecutive unsuccessful login attempts, unauthorized users could continually attempt to gain access to the mobile device. ... |
| SRG-MPOL-008 | Medium | The organization must use FIPS 140-2 validated cryptographic modules for transmitting unclassified DoD data in transit on Bluetooth (or ZigBee) devices. | FIPS validation provides assurance that the cryptographic modules are implemented correctly and resistant to compromise. Failure to use FIPS 140-2 validated cryptographic modules makes it more... |
| SRG-MPOL-084 | Medium | The organization must ensure all non-enterprise activated CMD users complete Operational Security (OPSEC) training that provides use guidelines and vulnerability mitigation techniques. | Improper use of CMD devices can compromise both the CMD and the network, as well as, expose DoD data to unauthorized individuals. Without adequate OPSEC training, users are more likely to engage... |
| SRG-MPOL-085 | Medium | The organization must secure all wireless network devices, such as wireless Intrusion Detection System (IDS) and wireless routers, access points, gateways, and controllers to prevent tampering or theft, or must be located in a secure room with limited access.
| DoD data and the network could be exposed to attack if wireless network devices are not physically protected. The Network Security Officer (NSO) will ensure all wireless network devices (e.g.,... |
| SRG-MPOL-080 | Medium | The organization must produce a written policy and training material that states smartphones/tablets that are classified as non-enterprise activated must not be used to send, receive, store, or process sensitive/FOUO data and information. | Some mobile devices, including some models of Windows, Android, iOS, and BlackBerry smartphones and tablets, are not authorized to store or process sensitive DoD data and information because they... |
| SRG-MPOL-081 | Medium | The organization must produce a written policy and training material that states smartphones/tablets classified as non-enterprise activated must not access DoD email systems. | Some mobile devices, including some models of Windows, Android, iOS, and BlackBerry smartphones and tablets, are not authorized to connect to DoD email systems because they do not have required... |
| SRG-MPOL-011 | Medium | The organization must establish implementation guidance for wireless access. | Wireless technologies include, but are not limited to, microwave, satellite, packet radio (UHF/VHF), 802.11x, and Bluetooth. Wireless networks present similar security risks to those of a wired... |
| SRG-MPOL-019 | Medium | The organization must only procure and deploy WPA2-Enteprise certified WLAN equipment and software. | The Wi-Fi Alliance WPA2-Enterprise certification means the WLAN equipment can support DoD security protocol and encryption requirements, most notably EAP-TLS and AES-CCMP. If the equipment has... |
| SRG-MPOL-093 | Medium | The organization must ensure physical security controls are implemented for SWLAN access points.
| If an adversary is able to gain physical access to a SWLAN device, he/she may be able to compromise the device in a variety of ways, some of which could enable the adversary to obtain classified... |
| SRG-MPOL-064 | Medium | The organization must not permit operation of wireless devices in areas where classified information is electronically stored, processed, or transmitted unless operation is in accordance with DAA-approved CTTA restrictions at the site. | The operation of electronic equipment and emanations must be controlled in and around areas where sensitive information is kept or processed. Ensure wireless devices are not operated in areas... |
| SRG-MPOL-066 | Medium | The organization must prohibit connection of unclassified mobile devices to classified information systems. | Mobile/portable computing and communications devices with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, and digital cameras,... |
| SRG-MPOL-060 | Medium | The organization must define inspection and preventative measures to be applied on mobile devices returning from locations that the organization deems to be of significant risk in accordance with organizational policies and procedures. | Despite the implementation of viable countermeasures on mobile devices, upon return from a high risk location, each device should be treated as if it has been compromised. The mobile device should... |
| SRG-MPOL-062 | Medium | The organization must establish a standard operating procedure (SOP) for Classified Message Incidents (CMI) on CMDs. | When a data spill occurs on a CMD, classified or sensitive data must be protected to prevent disclosure. After a data spill, the CMD must either be wiped using approved procedures, or destroyed if... |
| SRG-MPOL-068 | Medium | The organization must require approval from the appropriate authorizing official(s) for the connection of unclassified mobile devices to unclassified information systems. | Mobile/portable computing and communications devices (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, etc.) require specific approval for use,... |
| SRG-MPOL-074 | Medium | The organization must store and maintain a configuration baseline of each CMD, including application software. | An integrity baseline scan must be maintained so the baseline can be compared to any subsequent scan to identify any anomalies or determine if there are any security vulnerability trends or... |
| SRG-MPOL-071 | Medium | The organization must require that mobile devices used in facilities containing information systems processing, storing, or transmitting classified information, and the information stored on those devices, are subject to random reviews/inspections by organization defined security officials. | The organization's access control procedures and security policies establish the requirement to control the use of various mobile devices and connected or imbedded capabilities. These policies and... |
| SRG-MPOL-070 | Medium | The organization must not permit non-enterprise activated CMDs to process or store DoD sensitive information. | Non-enterprise activated CMDs are not authorized to process any information other than non-sensitive because they do not have required security controls to avoid tampering and malicious intent.... |
| SRG-MPOL-078 | Medium | The organization must assign personnel to perform reviews/inspections of mobile devices in facilities containing information systems processing, storing, or transmitting classified information. | The organization's access control procedures and security policies establish the requirement to (i) control the use of various mobile devices and connected or imbedded capabilities, and (ii)... |
| SRG-MPOL-043 | Low | The organization's CMD Personal Use Policy must be approved by its DAA. | Malware can be introduced on a DoD enclave via personally-owned applications and personal web site accounts. In addition, sensitive DoD data could be exposed by the same malware.
The local site... |
| SRG-MPOL-049 | Low | The organization must develop policy which ensures a CMD is wiped prior to issuance to DoD personnel. | Malware may be installed on a device at some point between shipping from the factory and delivery to DoD. The malware could result in the compromise of sensitive DoD information or result in the... |
| SRG-MPOL-051 | Low | The organization's DAA must approve the use of software PKI certificates on smartphones prior to provisioning smartphones with DoD PKI digital certificates. | S/MIME provides the user with the ability to digitally sign and encrypt email messages, to verify the digital signatures on received messages, and to decrypt messages received from others if those... |
| SRG-MPOL-028 | Low | The organization must include each wireless device connecting to a DoD network in the applicable site's System Security Plan (SSP). | The DAA and site commander must be aware of all approved wireless devices used at the site or DoD data may be exposed to unauthorized individuals. Documentation of the enclave configuration must... |
| SRG-MPOL-029 | Low | The organization must have a wireless remote access policy signed by the site DAA, Commander, Director, or other appropriate authority. | Wireless clients, DoD data, and the DoD network could be compromised if operational policies for the use of wireless remote access are not documented by the site.
A site's Remote Access Policy... |
| SRG-MPOL-026 | Low | The organization's policy must require the owner of a personally-owned or contractor-owned, commercial mobile device (CMD) to sign a forfeiture agreement to be executed in the event of a security incident, if the DAA has approved the use of the device for DoD functions. | The use of unauthorized personally-owned or contractor-owned wireless devices to receive, store, process, or transmit DoD data has the potential to expose sensitive DoD data to unauthorized... |
| SRG-MPOL-027 | Low | The organization must maintain a list of all DAA-approved wireless and non-wireless devices that store, process, or transmit DoD information. | Close tracking of authorized wireless devices will facilitate the search for rogue devices. Sites must maintain precise inventory control over wireless and handheld devices used to store, process,... |
| SRG-MPOL-031 | Low | The organization must provide the DAA the results of a CTTA TEMPEST evaluation of each WMAN system it operates. | Sensitive and/or classified information could be compromised via a TEMPEST vulnerability. |
| SRG-MPOL-006 | Low | The organization must only use Class 2 or 3 radios when employing Bluetooth communications.
| A key security control for DoD Bluetooth devices is to limit the broadcast area of the Bluetooth signal to the personal area of the user (approximately 30 feet or less). Class 1 radios broadcast... |
| SRG-MPOL-004 | Low | The organization's wireless mobile area network (WMAN) system accreditation must include a Transmission Security (TRANSEC) vulnerability analysis, if the WMAN system operates in a tactical environment. | If a TRANSEC vulnerability analysis has not been completed, the system may not be designed or configured correctly to mitigate exposure of DoD data, or may be vulnerable to a wireless attack. The... |
| SRG-MPOL-002 | Low | If the organization has approved wireless remote access, the organization's System Security Profile (SSP) must include the types of wireless remote access equipment and locations (site network Wi-Fi, home, hotel, public hotspots, etc.) approved for site personnel. | Wireless clients, networks, and data may be compromised if unapproved wireless remote access is utilized. In most cases, unapproved devices are not managed and configured as required by the... |
| SRG-MPOL-009 | Low | The organization must ensure relevant U.S. Forces Command (USFORSCOM) or host nation approve the use of wireless equipment prior to operation of such equipment outside the United States and Possessions (US&P). | When using a wireless system outside of the US&P, host nation wireless spectrum regulations must be followed. Otherwise, the system could interfere with, or be disrupted by, host nation... |
| SRG-MPOL-089 | Low | The organization must follow required procedures for the disposal of smartphones. | If appropriate procedures are not followed prior to disposal of a smartphone, an adversary may be able to obtain sensitive DoD information or learn aspects of the configuration of the device that... |
| SRG-MPOL-086 | Low | The organization must not permit personnel to operate CMD without first signing a user agreement IAW DoD CIO Memorandum, "Policy on Use of Department of Defense (DoD) Information Systems Standard Consent Banner and User Agreement," 9 May 2008. | Lack of user training and understanding of responsibilities to safeguard wireless technology is a significant vulnerability to the enclave. Once policies are established, users must be trained to... |
| SRG-MPOL-087 | Low | The organization must explicitly specify in each site's physical security policy whether CMDs, containing cameras, are permitted at that site. | CMDs with cameras are easily used to photograph sensitive information and areas if not addressed. Sites must establish, document, and train on how to mitigate this threat. |
| SRG-MPOL-082 | Low | The organization must ensure the MDM server administrator receives required training annually. | The security posture of the smartphone management server could be compromised if the administrator is not trained to follow required procedures.
|
| SRG-MPOL-083 | Low | The organization must ensure users receive training before they are authorized to access a DoD network via a wireless device. | Improper use of wireless remote access to a DoD network can compromise both the wireless client and the network, as well as, expose DoD data to unauthorized individuals. Without adequate training,... |
| SRG-MPOL-013 | Low | The organization's wireless policy or wireless remote access policy must include information on required smartphone Wi-Fi security controls. | If the policy does not include information on Wi-Fi security controls, it is more likely that the security controls will not be implemented properly. Without appropriate controls, Wi-Fi is... |
| SRG-MPOL-014 | Low | The organization must have a written policy or training materials stating Bluetooth must be disabled on all applicable devices unless they employ FIPS 140-2 validated cryptographic modules for data in transit. | Policy and training provide assurance that security requirements will be implemented in practice. Failure to use FIPS 140-2 validated cryptography makes data more vulnerable to security breaches... |
| SRG-MPOL-017 | Low | The organization's WMAN system must not operate in the 3.30-3.65 GHz frequency band. | 3.30-3.65 GHz frequency band WMAN interferes with DoD radar systems. |
| SRG-MPOL-016 | Low | The organization must reasonably size and constrain the WMAN signals to their intended coverage area. | Wireless signals can be intercepted more easily by a hacker than a wired signal due to the nature of the technology. DoD data may be at risk of exposure if the signals are not constrained to an... |
| SRG-MPOL-018 | Low | The organization must implement required procedures for reporting the results of WMAN intrusion scans.
| If scan results are not properly reported and acted on, the site could be vulnerable to wireless attack.
|
| SRG-MPOL-091 | Low | The organization must execute its incident response plan or applicable SOP when a CMD is reported lost or stolen. | If procedures for lost or stolen CMDs are not followed, it is more likely that an adversary could obtain the device and use it to access DoD networks or otherwise compromise DoD information... |
| SRG-MPOL-090 | Low | The organization must include procedures for lost or stolen CMDs in its Incident Response Plan or applicable SOP. | Sensitive DoD data could be stored in memory on a DoD operated smartphone and the data could be compromised if required actions are not followed when a CMD is lost or stolen. Without procedures... |
| SRG-MPOL-077 | Low | The organization must review MDM integrity scan results at least daily. | If the organization does not review the integrity tool scans, an attacker may not be noticed by the administrator, and gain control of DoD data or compromise the system. |
| SRG-MPOL-076 | Low | The organization must ensure WIDS sensor scan results are saved for at least one year. | If organizations do not maintain scan logs, it cannot be determined if intrusion detection findings are isolated and harmless events, or a more sustained, methodical attack on the system. |
| SRG-MPOL-075 | Low | The organization must maintain results and mitigation actions, from CMD integrity validation tool scans on site managed mobile devices, for 6 months. | Scan results must be maintained so auditors can verify mitigation actions have been completed, so a scan can be compared to a previous scan, and to determine if there are any security vulnerability trends. |
| SRG-MPOL-073 | Low | The organization, at the mobile device management (MDM) server site, must verify that local sites, where CMDs are provisioned, issued, and managed, are conducting annual self assessments. | The security integrity of the CMD system depends on whether local sites, where CMDs are provisioned and issued, are complying with IA requirements. The risk of both malware being introduced on a... |
| SRG-MPOL-072 | Low | The organization must periodically conduct manual audits of CMDs to verify the CMD is not running unauthorized software or has otherwise not been modified in an unauthorized manner. | The organization's access control procedures and security policies establish the requirement to control the use of various mobile devices and connected or imbedded capabilities. These policies and... |
| SRG-MPOL-079 | Low | The organization must verify that each of its CMD users has completed annual CMD user training. | Users are the first line of security controls for smartphone/tablet systems. They must be trained in using smartphone security controls or the system could be vulnerable to attack. All smartphone... |
