UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Mobile Policy Security Requirements Guide


Overview

Date Finding Count (86)
2013-01-24 CAT I (High): 11 CAT II (Med): 47 CAT III (Low): 28
STIG Description
The Mobile Policy Security Requirements Guide (SRG) is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the NIST 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.

Available Profiles



Findings (MAC I - Mission Critial Classified)

Finding ID Severity Title
V-35960 High The organization must have written policy or training material that states non-enterprise activated CMD are not permitted to connect to DoD networks.
V-35976 High The organization must not use DoD-issued software certificates for Non-enterprise activated CMDs.
V-35970 High The organization must follow the incident handling policy if classified information is found on mobile devices.
V-35987 High The organization must develop procedures for ensuring mobile operating systems, mobile applications, and mobile device management agents on managed mobile devices are updated within an organization defined period after the updates/patches are available.
V-35991 High The organizations physical security policy must state that CMDs with cameras must not be allowed in any SCIF or other areas where classified documents or information is stored, transmitted, or processed.
V-35938 High The organization must maintain a SIPRNet connection approval package with the Classified Connection Approval Office (CCAO) when connecting a Secure WLAN (SWLAN) to SIPRNet.
V-35933 High The organization must remove the wireless interface on computers with an embedded wireless system before the computer is used to transfer, receive, store, or process classified information.
V-35935 High The organization must ensure all wireless systems connected to a DoD network (including associated peripheral devices, operating system, applications, network/PC connection methods, and services) are approved by the approval authority prior to installation and use for processing DoD information.
V-35958 High The organization must have a policy forbidding the use of wireless personal area network (PAN) devices, such as near-field communications (NFC), Bluetooth, and ZigBee, to send, receive, store, or process classified information.
V-35954 High The organization must not permit CMDs in Sensitive Compartmented Information Facilities (SCIFs), unless approved by the DAA and SCIF Cognizant Security Authority (CSA) in accordance with Intelligence Community Directive 503 and Intelligence Community Standard (ICS) 705.1.
V-35955 High The organization must have written policy or training material stating CMDs must not be used to receive, transmit, or process classified messages unless specifically approved by NSA for such purposes and NSA-approved transmission and storage methods are used.
V-35969 Medium The organization must assign personnel to perform reviews/inspections of mobile devices in facilities containing information systems processing, storing, or transmitting classified information.
V-35961 Medium The organization must not permit non-enterprise activated CMDs to process or store DoD sensitive information, including DoD email.
V-35962 Medium The organization must require that mobile devices used in facilities containing information systems processing, storing, or transmitting classified information, and the information stored on those devices, are subject to random reviews/inspections by organization defined security officials.
V-35965 Medium The organization must store and maintain a configuration baseline of each CMD, including application software.
V-35974 Medium The organization must have a CMD Personal Use Policy that specifies restrictions on the use of personal email.
V-35972 Medium The organization must establish usage restrictions for organization controlled CMD.
V-35973 Medium The organization must have a CMD Personal Use Policy that specifies what types of personal files are permitted on the device.
V-35971 Medium The organization must establish a standard operating procedure (SOP) for Classified Message Incidents (CMI) on CMDs.
V-35978 Medium The organization must establish implementation guidance for organization-controlled portable and mobile devices.
V-35979 Medium The organization must establish standard operating procedures for provisioning mobile devices.
V-35989 Medium A policy must exist prohibiting non-enterprise activated (NEA) CMDs connecting to DoD devices containing sensitive or classified information or devices that connect to DoD networks.
V-35988 Medium An authorization process must be developed and published that states the process to obtain approval before CMDs can connect to the organizations information system(s).
V-35983 Medium The organization must develop policy to restrict CMD Instant Messaging (IM) client applications to connect to only security-compliant, DoD-controlled IM servers.
V-35982 Medium The organizations DAA must approve the use of software PKI certificates on enterprise-activated CMDs prior to provisioning CMDs with DoD PKI digital certificates.
V-35981 Medium Develop policy that states CMD software updates must only originate from DoD approved sources.
V-35986 Medium The organization must make a risk-based determination, prior to installation of applications on non-enterprise activated CMDs.
V-35985 Medium The organization must perform a security risk analysis on a mobile operating system (OS) application by the DAA or DAA-authorized approval authority prior to the application being approved for use.
V-35984 Medium The organization must obtain approval from the DAA or Command IT Configuration Control Board prior to installing a software application on a mobile device.
V-35910 Medium The organization must define the maximum number of consecutive, unsuccessful login attempts to CMDs are permitted.
V-35912 Medium The organization must make a risk-based determination for applications before they are accredited by the DAA prior to distribution or installation on a CMD.
V-35919 Medium The organization must monitor for unauthorized wireless connections to the information system at an organization defined time period.
V-35990 Medium The organization must define locations the organization deems to be of significant risk to DoD information systems, in accordance with organizational policies and procedures.
V-35992 Medium The organization must apply organization defined inspection and preventative measures to mobile devices returning from locations the organization deems to be of significant risk to DoD information systems.
V-35993 Medium The organization must produce a written policy and training material that states CMDs that are classified as non-enterprise activated must not be used to send, receive, store, or process sensitive/FOUO or classified data and information or connect to DoD networks.
V-35994 Medium The organization must produce a written policy and training material that states CMDs classified as non-enterprise activated must not access DoD email systems.
V-35997 Medium The organization must ensure all non-enterprise activated CMD users complete Operational Security (OPSEC) training that provides use guidelines and vulnerability mitigation techniques.
V-35928 Medium The organization must confine Wi-Fi and Bluetooth communications to organization-controlled boundaries.
V-35924 Medium The organization must establish usage restrictions for wireless access.
V-35921 Medium The organization must document and take appropriate action if an unauthorized wireless connection is discovered.
V-35920 Medium The organization must define a time period for monitoring of unauthorized wireless connections to information systems, including scans for unauthorized wireless access points.
V-35922 Medium The organization must define the appropriate action(s) to be taken if an unauthorized wireless connection is discovered.
V-35930 Medium The organization concept of operations (CONOPS) or site security plan must include guidance that signal amplification, antenna configuration, or other techniques must not be modified in Bluetooth radios that could affect signal detection or interception.
V-35931 Medium The organization must use FIPS 140-2 validated cryptographic modules for unclassified DoD data in transit over Bluetooth (or ZigBee) devices.
V-35934 Medium The organization must establish implementation guidance for wireless access.
V-35946 Medium The organization must authorize wireless access to the information system prior to connection.
V-35945 Medium The organization must monitor for unauthorized wireless access to DoD networks.
V-35944 Medium The DoD component must employ an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks.
V-35943 Medium The DoD component must employ a wireless intrusion detection system.
V-35942 Medium The organization must only procure and deploy WPA2-Enterprise certified WLAN equipment and software for wireless systems that connect directly to DoD networks.
V-36003 Medium The organization must ensure physical security controls are implemented for Secure WLAN (SWLAN) access points.
V-36002 Medium The organization must secure all wireless network devices, such as wireless Intrusion Detection System (IDS) and wireless routers, access points, gateways, and controllers to prevent tampering or theft, or must be located in a secure room with limited access.
V-35959 Medium The organization must have an access control security policy requiring approval from the appropriate authorizing official(s) for the connection of unclassified mobile devices to unclassified information systems.
V-35956 Medium The organization must not permit operation of wireless devices in areas where classified information is electronically stored, processed, or transmitted unless operation is in accordance with DAA-approved CTTA restrictions at the site.
V-35957 Medium The organization must have a policy and connection approval process prohibiting connection of unclassified mobile devices to classified information systems.
V-35950 Medium The organization must notify the Certified TEMPEST Technical Authority (CTTA) before a Secure WLAN (SWLAN) becomes operational and connected to the SIPRNet.
V-35952 Medium The organization must enforce requirements for wireless connections to the information system.
V-35953 Medium The organization must ensure the network access control solution supports wireless clients and solutions if wireless networking is implemented.
V-35968 Low The organization must review MDM integrity scan results at least daily.
V-35963 Low The organization must periodically conduct manual audits of CMDs to verify the CMD is not running unauthorized software or has otherwise not been modified in an unauthorized manner.
V-35964 Low The organization, at the mobile device management (MDM) server site, must verify that local sites, where CMDs are provisioned, issued, and managed, are conducting annual self assessments.
V-35967 Low The organization must ensure WIDS sensor scan results are saved for at least 6 months (one year recommended).
V-35966 Low The organization must maintain results and mitigation actions, from CMD integrity validation tool scans on site managed mobile devices, for 6 months (one year recommended).
V-35977 Low The organization must explicitly specify in each sites physical security policy whether CMDs, containing cameras, are permitted at that site.
V-35975 Low The organizations CMD Personal Use Policy must be approved by its DAA.
V-35980 Low The organization must develop policy which ensures a CMD is wiped prior to issuance to DoD personnel.
V-35911 Low The organization must define networking protocols within the information system deemed to be non-secure for remote access into DoD networks.
V-35913 Low The organizations wireless metropolitan area network (WMAN) system accreditation must include a Transmission Security (TRANSEC) vulnerability analysis, if the WMAN system operates in a tactical environment.
V-35998 Low The organization must verify each of its CMD users has completed annual CMD user training.
V-35999 Low The organization must execute its incident response plan or applicable Standard Operating Procedure (SOP) when a CMD is reported lost or stolen.
V-35995 Low The organization must ensure users receive training before they are authorized to access a DoD network with a CMD.
V-35996 Low The organization must ensure the MDM server administrator receives required training annually.
V-35929 Low The organization concept of operations (CONOPS) or site security plan must include information that Bluetooth devices use only Class 2 or 3 standard radios.
V-35939 Low The organization must reasonably size and constrain the Wireless Metropolitan Area Network (WMAN) signals to their intended coverage area.
V-35932 Low The organization must obtain U.S. Forces Command (USFORSCOM) or host nation approval for the use of wireless equipment prior to operation of such equipment outside the United States and Possessions (USP).
V-35936 Low The organizations wireless policy or wireless remote access policy must include information on locations CMD Wi-Fi access is approved or disapproved.
V-35937 Low The organization must have a written policy or training materials stating Bluetooth must be disabled on all applicable devices unless they employ FIPS 140-2 validated cryptographic modules for data in transit.
V-35949 Low The organization must have a wireless remote access policy signed by the site DAA, Commander, Director, or other appropriate authority.
V-35948 Low The organization must include each wireless device connecting to a DoD network in the applicable site security plan.
V-35947 Low The organization must maintain a list of all DAA-approved wireless and non-wireless devices under their control that store, process, or transmit DoD information.
V-35941 Low The Incident Response Plan (IRP) and/or SOP must have the required procedures for reporting the results of WMAN intrusion scans.
V-35940 Low The organizations WMAN system must not operate in the 3.30-3.65 GHz frequency band.
V-36001 Low The organization must follow required procedures for the disposal of CMDs.
V-36000 Low The organization must include procedures for lost or stolen CMDs in its Incident Response Plan or applicable Standard Operating Procedure (SOP).
V-36005 Low The organization must not permit personnel to operate CMD without first signing a user agreement IAW DoD CIO Memorandum, Policy on Use of Department of Defense (DoD) Information Systems Standard Consent Banner and User Agreement, 9 May 2008.
V-35951 Low The organization must provide the DAA the results of a Certified TEMPEST Technical Authority (CTTA) TEMPEST evaluation of each WLAN system it operates.