UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The organization must have a wireless remote access policy signed by the site DAA, Commander, Director, or other appropriate authority.


Overview

Finding ID Version Rule ID IA Controls Severity
SRG-MPOL-029 SRG-MPOL-029 SRG-MPOL-029_rule Low
Description
Wireless clients, DoD data, and the DoD network could be compromised if operational policies for the use of wireless remote access are not documented by the site. A site's Remote Access Policy will be written and signed by the site DAA, Commander, Director, or other appropriate manager(s). The policy should include required security controls for the DoD-owned/operated wireless client (laptop or CMD): - Device unlock password requirements. - Anti-virus application. - Personal firewall. - Client software patches kept up to date - Internet browsing through enterprise Internet gateway. - Device security policy managed by centrally-managed policy manager. - Anti-spyware app (recommended). - Procedures after client is lost, stolen, or other security incident occurs. - Host-based Wireless Intrusion Detection and Prevention System (WIDPS)/monitor WIDPS. - Configuration requirements of wireless client - Home WLAN authentication requirements. - Home WLAN SSID requirements. - Separate WLAN access point required for home WLAN. - 8+-character authentication password required for home WLAN. - Use of third-party Internet portals (kiosks) (approved or not approved). - Use of personally-owned or contractor-owned client devices (approved or not approved). - Implementation of health check of client device before connection is allowed. - Places where remote access is approved (home, hotels, airport, etc.). - Roles and responsibilities: --Which users or groups of users are and are not authorized to use organization's WLANs. --Which parties are authorized and responsible for installing and configuring APs and other WLAN equipment. - WLAN infrastructure security: --Physical security requirements for WLANs and WLAN devices, including limitations on the service areas of WLANs. --Types of information that may and may not be sent over WLANs, including acceptable use guidelines. - WLAN client device security: --The conditions under which WLAN client devices are and are not allowed to be used and operated. --Standard hardware and software configurations that must be implemented on WLAN client devices to ensure the appropriate level of security. --Limitations on how and when WLAN client's device may be used, such as specific locations. - Guidelines on reporting losses of WLAN client devices and reporting WLAN security incidents. - Guidelines for the protection of WLAN client devices to reduce theft.
STIG Date
Mobile Policy Security Requirements Guide 2012-10-10

Details

Check Text ( C-SRG-MPOL-029_chk )
Interview the site wireless device administrator and determine if the site has a wireless remote access policy (or a wireless section in a general remote access policy). Verify the policy has been signed by the site DAA, Commander, Director, or other appropriate manager(s). If a wireless remote access policy does not exist or is not signed, this is a finding.
Fix Text (F-SRG-MPOL-029_fix)
Ensure a Wireless Remote Access Policy has been developed and signed by the site DAA, Commander, Director, or other appropriate authority.