The organization must establish a standard operating procedure (SOP) for Classified Message Incidents (CMI) on CMDs.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
SRG-MPOL-062	SRG-MPOL-062	SRG-MPOL-062_rule		Medium

Description
When a data spill occurs on a CMD, classified or sensitive data must be protected to prevent disclosure. After a data spill, the CMD must either be wiped using approved procedures, or destroyed if no procedures are available, so classified or sensitive data is not exposed. If a data spill procedure is not published, the site may not use approved procedures to remediate after a data spill occurs and classified data could be exposed. This requirement also applies to sensitive DoD information stored on mobile OS devices that are not authorized to connect to DoD networks or store/process sensitive DoD information. Sensitive DoD data or information is defined as any data/information that has not been approved for public release by the site/Command Public Affairs Officer (PAO). In accordance with DoD policy, all components must establish Incident Handling and Response procedures. A CMI or "data spill" occurs when a classified email or document is inadvertently sent on an unclassified network and received on a wireless email device. Classified information may also be transmitted through some other form of file transfer, to include web browser downloads and files transferred through tethered connections. Smartphones are not authorized for processing classified data. The site's Incident Handling and Response procedures should reference NSA/CSS Storage Device Declassification Manual 9-12, Section 5, for CMD destruction procedures.

Description

When a data spill occurs on a CMD, classified or sensitive data must be protected to prevent disclosure. After a data spill, the CMD must either be wiped using approved procedures, or destroyed if no procedures are available, so classified or sensitive data is not exposed. If a data spill procedure is not published, the site may not use approved procedures to remediate after a data spill occurs and classified data could be exposed. This requirement also applies to sensitive DoD information stored on mobile OS devices that are not authorized to connect to DoD networks or store/process sensitive DoD information. Sensitive DoD data or information is defined as any data/information that has not been approved for public release by the site/Command Public Affairs Officer (PAO). In accordance with DoD policy, all components must establish Incident Handling and Response procedures. A CMI or "data spill" occurs when a classified email or document is inadvertently sent on an unclassified network and received on a wireless email device. Classified information may also be transmitted through some other form of file transfer, to include web browser downloads and files transferred through tethered connections. Smartphones are not authorized for processing classified data. The site's Incident Handling and Response procedures should reference NSA/CSS Storage Device Declassification Manual 9-12, Section 5, for CMD destruction procedures.

STIG	Date
Mobile Policy Security Requirements Guide	2012-10-10

Details

Check Text ( C-SRG-MPOL-062_chk )
Verify classified incident handling, response, and reporting procedures are documented in CMD procedures or security policies. If classified incident handling, response, and reporting procedures are not documented in site procedures or security policies, this is a finding. This requirement applies at both sites where CMDs are issued and managed and at sites where the CMD management server is located. At the CMD management server site, verify Incident Handling and Response procedures include actions to sanitize the CMD management server and email servers (e.g., Exchange, Oracle mail). At CMD sites, verify Incident Handling and Response procedures include actions for incident reporting and actions to safeguard classified CMD devices. The following actions will be followed for all CMD involved in a data spill:

Check Text ( C-SRG-MPOL-062_chk )

Verify classified incident handling, response, and reporting procedures are documented in CMD procedures or security policies. If classified incident handling, response, and reporting procedures are not documented in site procedures or security policies, this is a finding.

This requirement applies at both sites where CMDs are issued and managed and at sites where the CMD management server is located.

At the CMD management server site, verify Incident Handling and Response procedures include actions to sanitize the CMD management server and email servers (e.g., Exchange, Oracle mail).

At CMD sites, verify Incident Handling and Response procedures include actions for incident reporting and actions to safeguard classified CMD devices. The following actions will be followed for all CMD involved in a data spill:

Fix Text (F-SRG-MPOL-062_fix)
Create and publish an SOP for Classified Message Incidents (CMI) on CMDs.