The organization must not permit NEA CMD to connect to DoD devices containing sensitive information.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
SRG-MPOL-057	SRG-MPOL-057	SRG-MPOL-057_rule		Medium

Description
As non-enterprise activated CMDs do not have the required and necessary security controls applied to the devices, in all cases, DoD data is at risk of compromise or exfiltration if those devices connect to DoD workstations or other devices containing sensitive information.

STIG	Date
Mobile Policy Security Requirements Guide	2012-10-10

Details

Check Text ( C-SRG-MPOL-057_chk )
Review the organization's access control and security policy to determine if requirements for connection to DoD workstations or other systems containing sensitive DoD information are defined. Ensure the organization has defined a usage restriction for connection of a non-enterprise activated CMD to a DoD workstation or other DoD system that stores or processes sensitive information. If a policy does not exist prohibiting the connection of non-enterprise activated CMDs from connecting to DoD systems that contain sensitive DoD data, this is a finding.

Check Text ( C-SRG-MPOL-057_chk )

Review the organization's access control and security policy to determine if requirements for connection to DoD workstations or other systems containing sensitive DoD information are defined. Ensure the organization has defined a usage restriction for connection of a non-enterprise activated CMD to a DoD workstation or other DoD system that stores or processes sensitive information.

If a policy does not exist prohibiting the connection of non-enterprise activated CMDs from connecting to DoD systems that contain sensitive DoD data, this is a finding.

Fix Text (F-SRG-MPOL-057_fix)
Ensure non-enterprise activated CMDs do not physically or wirelessly connect directly to DoD information systems containing sensitive data.