The organization must ensure all wireless systems (including associated peripheral devices, operating system, applications, network/PC connection methods, and services) are approved by the approval authority prior to installation and use for processing DoD information.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
SRG-MPOL-012	SRG-MPOL-012	SRG-MPOL-012_rule		High

Description
Unauthorized wireless systems expose DoD networks to attack. The DAA and appropriate commanders must be aware of all wireless systems used at the site. DAAs should ensure a risk assessment is conducted for each system, including associated services and peripherals, before approving. The DAA should accept risks only when required to meet mission requirements. The intent of this requirement is to ensure the DAA has approved the use of the wireless system. This approval can be documented in several ways. The most common is the SSP for the site includes the wireless system and the DAA has signed the SSP. If the command uses an enterprise wide SSP including the wireless system being reviewed, and the SSP applies to the site being reviewed, then the requirement has been met.

Description

Unauthorized wireless systems expose DoD networks to attack. The DAA and appropriate commanders must be aware of all wireless systems used at the site. DAAs should ensure a risk assessment is conducted for each system, including associated services and peripherals, before approving. The DAA should accept risks only when required to meet mission requirements. The intent of this requirement is to ensure the DAA has approved the use of the wireless system. This approval can be documented in several ways. The most common is the SSP for the site includes the wireless system and the DAA has signed the SSP. If the command uses an enterprise wide SSP including the wireless system being reviewed, and the SSP applies to the site being reviewed, then the requirement has been met.

STIG	Date
Mobile Policy Security Requirements Guide	2012-10-10

Details

Check Text ( C-SRG-MPOL-012_chk )
Review the organization's wireless system documentation to verify DAA approval either by: a.) The accreditation documentation, which must show the wireless system as part of the network diagram or list the system/equipment as being part of the network, or b.) DAA approval letter or other document, which must list the system or equipment and date its use is approved. The DAA approval letter or SSP may be a general statement of approval rather than list each device; however, it does not need to be documented separately from other DAA approval documents for the site network, as long as the approval documents list the wireless system. Verify DAA approval for the type of device used, such as wireless connection services, peripherals, and applications. If wireless systems (including associated peripheral devices, operating system, applications, network/PC connection methods and services) exist and are not approved by the approval authority prior to installation and use for processing DoD information, this is a finding.

Check Text ( C-SRG-MPOL-012_chk )

Review the organization's wireless system documentation to verify DAA approval either by:

a.) The accreditation documentation, which must show the wireless system as part of the network diagram or list the system/equipment as being part of the network, or b.) DAA approval letter or other document, which must list the system or equipment and date its use is approved.

The DAA approval letter or SSP may be a general statement of approval rather than list each device; however, it does not need to be documented separately from other DAA approval documents for the site network, as long as the approval documents list the wireless system.

Verify DAA approval for the type of device used, such as wireless connection services, peripherals, and applications.

If wireless systems (including associated peripheral devices, operating system, applications, network/PC connection methods and services) exist and are not approved by the approval authority prior to installation and use for processing DoD information, this is a finding.

Fix Text (F-SRG-MPOL-012_fix)
Obtain DAA approval, documented by memo or SSP, prior to wireless systems being installed and utilized.