The organization must not permit non-enterprise activated CMDs to process or store DoD sensitive information, including DoD email.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-35961 | SRG-MPOL-043 | SV-47277r1_rule | Medium |
| Description |
|---|
| Non-enterprise activated CMDs are not authorized to process any information other than non-sensitive because they do not have required security controls to avoid tampering and malicious intent. There is a high risk of introducing malware and exfiltration of information if these types of devices store or process anything other than non-sensitive information. |
| STIG | Date |
|---|---|
| Mobile Policy Security Requirements Guide | 2013-07-03 |
Details
| Check Text ( C-44198r1_chk ) |
|---|
| Review the organization's policy on non-enterprise activated CMD processing and storage requirements. The policy should include language that disallows the use of such devices in processing or storing anything other than non-sensitive DoD information. The devices will not be used to connect to DoD email systems, including Outlook Web Access (OWA), or store or process DoD email. If the policy does not disallow the use of CMDs for processing anything other than non-sensitive information, including DoD email, this is a finding. |
| Fix Text (F-40488r1_fix) |
|---|
| Develop and publish the policy or procedure preventing the processing or storing of DoD sensitive information, including DoD email, by non-enterprise activated CMDs. |