The organization must not permit non-enterprise activated CMD to connect to DoD networks.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
SRG-MPOL-069	SRG-MPOL-069	SRG-MPOL-069_rule		High

Description
Some smartphones and tablets, including some models of Windows, Android, iOS, and BlackBerry smartphones and tablets, are not authorized to connect to DoD networks or to DoD computers that will be connected to DoD networks, because they do not have required security controls. There is a significant risk of introducing malware on a DoD network if these types of devices are connected to a DoD network.

Description

Some smartphones and tablets, including some models of Windows, Android, iOS, and BlackBerry smartphones and tablets, are not authorized to connect to DoD networks or to DoD computers that will be connected to DoD networks, because they do not have required security controls. There is a significant risk of introducing malware on a DoD network if these types of devices are connected to a DoD network.

STIG	Date
Mobile Policy Security Requirements Guide	2012-10-10

Details

Check Text ( C-SRG-MPOL-069_chk )
Smartphones and tablets classified as non-enterprise activated are not authorized to connect to DoD networks. Examples of unauthorized DoD network connections include: -Connecting the mobile device to a DoD network interface device (switch, router, Wi-Fi access point, etc.). Allowed exception: the device can be connected to a DoD managed Internet-Gateway-only connected Wi-Fi access point (AP) (see the Wireless STIG for more information). -Connecting the mobile device to a DoD PC that is authorized to connect to a DoD network. - Managing the mobile device from a DoD network connected Mobile Device Management (MDM) server. -Connecting the mobile device to a web server located on a DoD network, unless the server is available to the general public. -Connecting the mobile device to a DoD email system. Interview the appropriate security personnel and 2-3 users who are using mobile OS devices that are managed by the site, and which are not authorized to connect to DoD networks. Verify written policy and training material exists (or requirement is listed on a signed user agreement) stating mobile OS devices must not be connected to a DoD network, unless authorized to do so. Verify users are aware of the requirement. If written policy or training material does not exist or users are not aware of the requirement, this is a finding.

Check Text ( C-SRG-MPOL-069_chk )

Smartphones and tablets classified as non-enterprise activated are not authorized to connect to DoD networks.

Examples of unauthorized DoD network connections include:

-Connecting the mobile device to a DoD network interface device (switch, router, Wi-Fi access point, etc.). Allowed exception: the device can be connected to a DoD managed Internet-Gateway-only connected Wi-Fi access point (AP) (see the Wireless STIG for more information).

-Connecting the mobile device to a DoD PC that is authorized to connect to a DoD network.

- Managing the mobile device from a DoD network connected Mobile Device Management (MDM) server.

-Connecting the mobile device to a web server located on a DoD network, unless the server is available to the general public.

-Connecting the mobile device to a DoD email system.

Interview the appropriate security personnel and 2-3 users who are using mobile OS devices that are managed by the site, and which are not authorized to connect to DoD networks.

Verify written policy and training material exists (or requirement is listed on a signed user agreement) stating mobile OS devices must not be connected to a DoD network, unless authorized to do so. Verify users are aware of the requirement.

If written policy or training material does not exist or users are not aware of the requirement, this is a finding.

Fix Text (F-SRG-MPOL-069_fix)
Ensure policy and procedure is in place to disallow connection of smartphones and tablets classified as non-enterprise activated to DoD networks.