
The organization's DAA must approve the use of personally-owned or contractor-owned commercial mobile devices (CMDs) used to transmit, receive, store, or process DoD information.


Overview

Finding ID: SRG-MPOL-025
Version: SRG-MPOL-025
Rule ID: SRG-MPOL-025_rule
IA Controls:
Severity: Medium
Description
The use of unapproved personally-owned or contractor-owned wireless devices to receive, store, process, or transmit DoD data could expose sensitive DoD data to unauthorized individuals. The use of CMDs must be controlled by the site. Users must agree to forfeit the CMD when security incidents occur, follow all required security procedures, and install required software in order to protect the DoD network.
STIG: Mobile Policy Security Requirements Guide
Date: 2012-10-10

Details

Check Text (C-SRG-MPOL-025_chk)
Personally-owned or contractor-owned devices will not be used to access DoD restricted resources and information without DAA approval. Users should be trained on this requirement, configuration management procedures should be followed, and the devices must meet DoD security policies and standards.

Review the site policy on the use of CMDs to determine if users are granted the right to use personally-owned or contractor-owned devices such as CMDs, laptops, tablets, or home computers to access sensitive enclave resources.

If personally-owned/contractor-owned devices are allowed, verify written DAA approval exists and the accreditation documentation is annotated that personally-owned/contractor-owned devices are allowed.

If personally-owned devices are used but the DAA has not approved their usage, this is a finding.

This check includes any non-DoD-owned or approved devices, such as computers, CMDs, and wireless NICs. This applies to remote access administrative and end-user access. Use for end-user access is discouraged but may be approved by the DAA.
Fix Text (F-SRG-MPOL-025_fix)
Personally-owned or contractor-owned devices will not be used to access DoD restricted resources and information without DAA approval. Train users on this requirement, follow configuration management procedures, and ensure the devices meet DoD security policies and standards.