
The organization's policy must require the owner of a personally-owned or contractor-owned, commercial mobile device (CMD) to sign a forfeiture agreement to be executed in the event of a security incident, if the DAA has approved the use of the device for DoD functions.


Overview

Finding ID: SRG-MPOL-026
Version: SRG-MPOL-026
Rule ID: SRG-MPOL-026_rule
IA Controls:
Severity: Low
Description
The use of unauthorized personally-owned or contractor-owned wireless devices to receive, store, process, or transmit DoD data has the potential to expose sensitive DoD data to unauthorized individuals. The use of personally-owned/contractor-owned CMDs must be controlled by the site. Users must agree to forfeit the CMD in the event of a security incident, follow all required security procedures, and install required software, in order to protect the DoD network and data.
STIG Date
Mobile Policy Security Requirements Guide 2012-10-10

Details

Check Text (C-SRG-MPOL-026_chk)
When personally-owned CMDs are used to transmit, receive, store, or process DoD information, the owner must sign a forfeiture agreement to be executed in the event of a security incident.

Obtain a copy of the signed forfeiture agreement for a sample of users (2-3) who have been approved to use personally-owned devices.

If signed forfeiture agreements are not available, this is a finding.
Fix Text (F-SRG-MPOL-026_fix)
If the DAA has approved the use of personally/contractor-owned CMDs, require the owner to sign a forfeiture agreement to be executed in the event of a security incident.