The organization must disable, when not intended for use, wireless networking capabilities internally embedded within information system components prior to issuance and deployment.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
SRG-MPOL-038	SRG-MPOL-038	SRG-MPOL-038_rule		Medium

Description
The majority of consumer based laptops have wireless network interface cards (NICs) integrated with the computer's motherboard. Although the system administrator may disable these embedded NICs, the user may purposely or accidentally enable the device. These devices may also inadvertently transmit ambient sound or electronic signals. Therefore, simply disabling the transmit capability is not an adequate solution for computers processing classified information. In addition, embedded wireless cards do not meet DoD security requirements for classified wireless usage.

Description

The majority of consumer based laptops have wireless network interface cards (NICs) integrated with the computer's motherboard. Although the system administrator may disable these embedded NICs, the user may purposely or accidentally enable the device. These devices may also inadvertently transmit ambient sound or electronic signals. Therefore, simply disabling the transmit capability is not an adequate solution for computers processing classified information. In addition, embedded wireless cards do not meet DoD security requirements for classified wireless usage.

STIG	Date
Mobile Policy Security Requirements Guide	2012-10-10

Details

Check Text ( C-SRG-MPOL-038_chk )
Review the organization's access control and security policy, procedures addressing wireless implementation and usage (including restrictions), information system design documentation, information system configuration settings and associated documentation, and any other relevant documents or records. Ensure: (i) the organization's security policy requires the disabling of non-production wireless networking capabilities prior to issuance/deployment, and (ii) the information systems design documentation and configuration settings confirm that internally imbedded wireless networking capabilities not intended for the production environment are disabled prior to issuance/deployment. If the organization's policies do not include disablement of non-production wireless capabilities, this is a finding.

Check Text ( C-SRG-MPOL-038_chk )

Review the organization's access control and security policy, procedures addressing wireless implementation and usage (including restrictions), information system design documentation, information system configuration settings and associated documentation, and any other relevant documents or records. Ensure: (i) the organization's security policy requires the disabling of non-production wireless networking capabilities prior to issuance/deployment, and (ii) the information systems design documentation and configuration settings confirm that internally imbedded wireless networking capabilities not intended for the production environment are disabled prior to issuance/deployment. If the organization's policies do not include disablement of non-production wireless capabilities, this is a finding.

Fix Text (F-SRG-MPOL-038_fix)
Ensure the organization's security policy requires the disabling of non-production wireless networking capabilities prior to issuance/deployment.