
The organization must have a CMD Personal Use Policy that specifies restrictions on the use of personal email.


Overview

Finding ID: SRG-MPOL-042
Version: SRG-MPOL-042
Rule ID: SRG-MPOL-042_rule
IA Controls:
Severity: Medium
Description
Malware can be introduced to a DoD enclave via personally owned applications and personal web site accounts. In addition, sensitive DoD data could be exposed, altered, or exfiltrated by the same malware. The local site and/or Command must publish a Personal Use Policy for site/Command-managed or owned mobile devices (smartphones and tablets). The policy will provide information on allowed personal use of site/Command mobile devices, both for devices approved for connection to DoD networks and processing of sensitive data and for devices not approved for connection to DoD networks and processing of DoD data (for example, non-enterprise activated devices). The policy will be approved by the DAA based on a risk-based assessment. The assessment will consider costs to the Command that could result from additional wireless service charges from personal usage of the device.
STIG Date
Mobile Policy Security Requirements Guide 2012-10-10

Details

Check Text (C-SRG-MPOL-042_chk)
Review the organization's policy to determine if it provides information on allowed personal use of site/Command mobile devices with respect to viewing and/or downloading personal email. The policy will be approved by the DAA based on a risk-based assessment. If the organization does not have a policy on allowed personal use covering viewing and/or downloading personal email, this is a finding.
Fix Text (F-SRG-MPOL-042_fix)
Develop a Mobile Device Personal Use Policy which details the requirements for the operating system device to view and/or download personal email.