
The organization must ensure users receive training before they are authorized to access a DoD network via a wireless device.


Overview

| Finding ID | Version | Rule ID | IA Controls | Severity |
| --- | --- | --- | --- | --- |
| SRG-MPOL-083 | SRG-MPOL-083 | SRG-MPOL-083_rule | | Low |
Description
Improper use of wireless remote access to a DoD network can compromise both the wireless client and the network, as well as expose DoD data to unauthorized individuals. Without adequate training, remote access users are more likely to engage in behaviors that make DoD networks and information vulnerable to security exploits. The security personnel and the site wireless device administrator must ensure all wireless remote access users receive training before they are authorized to access a DoD network via a wireless remote access device.
STIG Date
Mobile Policy Security Requirements Guide 2012-10-10

Details

Check Text (C-SRG-MPOL-083_chk)
Review site CMD and/or IA awareness training material to verify it contains the required content. Review to ensure the training includes the following:

- Maintaining physical control of the device.
- Reducing exposure of sensitive data.
- Backing up data frequently.
- User authentication, anti-virus, personal firewall, and content encryption requirements.
- Enabling wireless interfaces only when needed.
- Enable VPN connection to the DoD network immediately after establishing a wireless connection.
- All Internet browsing will be done via the VPN connection to the DoD network.
- No split tunneling of VPN.
- Locations where wireless remote access is authorized or not authorized (e.g., home, airport, hotel, etc.).
- Wireless client configuration requirements.
- Use of WPA2 Personal (AES) on home WLAN.
- Home WLAN password and SSID requirements.
- Discontinue the use of devices suspected of being tampered with and notify the site IAO.

Verify site training records show authorized wireless remote access users received required training, and that training occurred before the users were issued a device. Check training records for approximately five users, picked at random. If training material does not contain the required content or if wireless remote access users have not received required training, this is a finding.
Fix Text (F-SRG-MPOL-083_fix)
Ensure users complete the required training prior to accessing a DoD network wirelessly.