The organization must not permit non-enterprise activated CMDs to process or store DoD sensitive information.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| SRG-MPOL-070 | SRG-MPOL-070 | SRG-MPOL-070_rule | Medium |
| Description |
|---|
| Non-enterprise activated CMDs are not authorized to process any information other than non-sensitive because they do not have required security controls to avoid tampering and malicious intent. There is a high risk of introducing malware and exfiltration of information if these types of devices store or process anything other than non-sensitive information. |
| STIG | Date |
|---|---|
| Mobile Policy Security Requirements Guide | 2012-10-10 |
Details
| Check Text ( C-SRG-MPOL-070_chk ) |
|---|
| Review the organization's policy on non-enterprise activated CMD processing and storage requirements. The policy should include language that disallows the use of such devices in processing or storing anything other than non-sensitive DoD information. If the policy does not disallow the use of CMDs for processing anything other than non-sensitive information, this is a finding. |
| Fix Text (F-SRG-MPOL-070_fix) |
|---|
| Ensure policy and procedure is in place to disallow the processing or storing of DoD sensitive information by non-enterprise activated CMDs. |