The organization must have a policy forbidding the use of wireless personal area network (PAN) devices, such as near-field communications (NFC), Bluetooth, and ZigBee, to send, receive, store, or process classified information.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-35958	SRG-MPOL-040	SV-47274r1_rule		High

Description
Classified data could be compromised since wireless PAN devices do not meet DoD encryption requirements for classified data.

STIG	Date
Mobile Policy Security Requirements Guide	2013-07-03

Details

Check Text ( C-44195r1_chk )
Verify compliance by reviewing the user agreement or security briefing to ensure personnel have been properly instructed on the policy that states that wireless PAN devices cannot be used for, or around classified processing. If the user agreement or security briefing does not exist, this is a finding. Note: The check applies to Wireless USB (WUSB) devices; however, it does not apply to wireless email devices (BlackBerry, Windows Mobile, etc.). Review the appropriate wireless email device security requirements for Bluetooth on these devices.

Check Text ( C-44195r1_chk )

Verify compliance by reviewing the user agreement or security briefing to ensure personnel have been properly instructed on the policy that states that wireless PAN devices cannot be used for, or around classified processing. If the user agreement or security briefing does not exist, this is a finding.

Note: The check applies to Wireless USB (WUSB) devices; however, it does not apply to wireless email devices (BlackBerry, Windows Mobile, etc.). Review the appropriate wireless email device security requirements for Bluetooth on these devices.

Fix Text (F-40485r1_fix)
Develop and publish a policy forbidding the use of wireless PAN devices for classified processing.