The organization must have a CMD Personal Use Policy that specifies what types of personal files are permitted on the device.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-35973	SRG-MPOL-055	SV-47289r1_rule		Medium

Description
Malware can be introduced to a DoD enclave via personally-owned applications and personal website accounts. In addition, sensitive DoD data could be exposed, altered, or exfiltrated by the same malware. The DoD component must publish a Personal Use Policy for DoD component managed or owned CMDs. The policy will provide information on allowed personal use of DoD component mobile devices, including devices approved for connection to DoD networks and processing of sensitive data and for devices not approved for connection to DoD networks and processing of DoD data (for example, non-enterprise activated devices). The policy will be approved by the DAA based on a risk-based assessment. The assessment will consider costs to the Command that could result from additional wireless service charges from personal usage of the device.

Description

Malware can be introduced to a DoD enclave via personally-owned applications and personal website accounts. In addition, sensitive DoD data could be exposed, altered, or exfiltrated by the same malware. The DoD component must publish a Personal Use Policy for DoD component managed or owned CMDs. The policy will provide information on allowed personal use of DoD component mobile devices, including devices approved for connection to DoD networks and processing of sensitive data and for devices not approved for connection to DoD networks and processing of DoD data (for example, non-enterprise activated devices). The policy will be approved by the DAA based on a risk-based assessment. The assessment will consider costs to the Command that could result from additional wireless service charges from personal usage of the device.

STIG	Date
Mobile Policy Security Requirements Guide	2013-07-03

Details

Check Text ( C-44210r1_chk )
Review the organization's policy to determine if it provides information on allowed personal use of site/Command mobile devices. The policy will be approved by the DAA based on a risk-based assessment. The policy must include: -Installation of user-owned and free commercial applications. -Download of user-owned data (music files, picture files, etc.). -Connections to user social media accounts. -The use of geo-location aware applications that save or transmit the location of the device. The use of geo-location aware applications should be based on an Operational Security (OPSEC) risk assessment. -Connecting DoD managed mobile devices to personally-owned computers. (For example, a personally owned computer used to download personally-owned files to the mobile device). If the organization does not have a Mobile Device Personal Use Policy detailing the requirements for downloading user owned data (music files, pictures, etc.) on the mobile device, this is a finding.

Check Text ( C-44210r1_chk )

Review the organization's policy to determine if it provides information on allowed personal use of site/Command mobile devices. The policy will be approved by the DAA based on a risk-based assessment. The policy must include:

-Installation of user-owned and free commercial applications.
-Download of user-owned data (music files, picture files, etc.).
-Connections to user social media accounts.
-The use of geo-location aware applications that save or transmit the location of the device. The use of geo-location aware applications should be based on an Operational Security (OPSEC) risk assessment.
-Connecting DoD managed mobile devices to personally-owned computers. (For example, a personally owned computer used to download personally-owned files to the mobile device).

If the organization does not have a Mobile Device Personal Use Policy detailing the requirements for downloading user owned data (music files, pictures, etc.) on the mobile device, this is a finding.

Fix Text (F-40500r1_fix)
Develop a Personal Use Policy which details the requirements for downloading user owned data (music files, picture files, etc.) on the mobile device.